CA Internet Security Suite 2010 - 'KmxSbx.sys' Kernel Pool Overflow

EDB-ID:

15624




Platform:

Windows

Date:

2010-11-28


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

/*
# Exploit Title: CA Internet Security Suite 2010 KmxSbx.sys Kernel Pool 
Overflow 0-day Exploit
# Date: 2010-11-28
# Author: Nikita Tarakanov (CISS Research Team)
# Software Link: 
http://shop.ca.com/ca/products/internetsecurity/internetsecurity_suite.asp
# Version: up to date, KmxSbx.sys version 6.2.0.22
# Tested on: Win XP SP3
# CVE : CVE-NO-MATCH
# Status : Unpatched
*/

1.Description:

The KmxSbx.sys kernel driver distributed with CA Security Suite contains 
a pool corruption vulnerability in the handling of IOCTL 0x88000080.
Exploitation of this issue allows an attacker to execute arbitrary code 
within the kernel.
An attacker would need local access to a vulnerable computer to exploit 
this vulnerability.



Affected application: CA Internet Security Suite 2010.
Affected file: KmxSbx.sys version 6.2.0.22.

2.Vulnerability details:


[..]

.text:00016330                 mov     cx, [eax]       ; eax points to 
attacker controlled data
.text:00016333                 inc     eax
.text:00016334                 inc     eax
.text:00016335                 test    cx, cx
.text:00016338                 jnz     short loc_16330
.text:0001633A                 sub     eax, edx
.text:0001633C                 sar     eax, 1
.text:0001633E                 lea     eax, [eax+eax+50h] ; size of 
UNICODE string + 0x50 bytes
.text:00016342                 movzx   edi, ax         ; integer wrap here!
.text:00016345
.text:00016345 loc_16345:                              ; CODE XREF: 
sub_162D8+53j
.text:00016345                 movzx   eax, di
.text:00016348                 push    ebx
.text:00016349                 xor     ebx, ebx
.text:0001634B                 cmp     eax, ebx
.text:0001634D                 jz      short loc_16359
.text:0001634F                 push    eax             ; NumberOfBytes
.text:00016350                 push    ebx             ; PoolType
.text:00016351                 call    ds:ExAllocatePool ; Miscalculated 
Pool!!!
.text:00016357                 mov     ebx, eax

[..]

.text:000163A6                 movzx   esi, word ptr [edx]
.text:000163A9                 mov     [eax+edx], si   ; Pool overflow here!
.text:000163AD                 inc     edx
.text:000163AE                 inc     edx
.text:000163AF                 test    si, si




3.Exploitation:


1.To exploit this vulnerability we have to allocate shellcode at some 
address, craft fake chunk header, that creates write4 primitive.
2.To invoke our shellcode we have to set such values in Flink,Blink, 
that points to some pointer in kernel space, and address of our r0 
shellcode.When unlinking happens, we overwrite pointer in kernel space, 
and force execution with kernel priviligies(cpl==0).
*3.Pool repair

Exploit code is in CAInternetSecuritySuite2010.zip file.

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/15624.zip (CAInternetSecuritySuite2010.zip)