| Advisory NTIADV0802 (Accelerated Disclosure) | |
| Anti-Trojan Elite and Anti-Keylogger Elite Privilege Escalation Vulnerabilities | |
| Vendor | ISecSoft, Inc. |
| Affected Software | Anti-Trojan Elite <= 4.2.1; Anti-Keylogger Elite <= 3.3.0 |
| Affected Driver | ATEPMON.sys; Anti-Keylogger Elite Driver - AKEProtect.sys <= 3.3.3.0 |
| Date Reported | 2008-09-17 |
| Release Date | 2008-11-07 |
| Status | Not fixed |
| Exploit | Atepmon_DoS.zip - Local Denial of Service Exploit; AKEProtect_Exp.zip - Local Privilege Escalation Exploit |
| Disclosure Timeline | 2008-09-17 - Vulnerability reported to vendor; 2008-10-16 - Vendor notified a second time; 2008-11-07 - Full technical details released to general public |
| Description | |
| Both drivers (ATEPMON.sys and AKEProtect.sys) contain vulnerabilities in the handling of IOCTLs. ATEPMON.sys does not adequately validate the output buffer address and length passed in IOCTL 0x00222494. AKEProtect.sys does not adequately validate the output buffer addresses and lengths passed in IOCTLs 0x002224A4, 0x002224C0 and 0x002224CC. This allows malicious users to inject arbitrary code into the kernel. | |
| Details | |
In order to exploit this vulnerability, an Administrator must launch the Anti-Trojan Elite or Anti-Keylogger Elite application. Once loaded, the vulnerable kernel module is accessible to all users (though not always). Both drivers invoke the IoCreateDevice function with the Exclusive parameter set to TRUE, which blocks access to the device from other applications while the original one is running. Only an Administrator can duplicate and close the handle to the device. However, after installation Anti-Keylogger Elite loads its driver and then terminates itself, displaying the message "The evaluation period of the program has expired, and the program is inactivated." Of course, after the program terminates the device is accessible to all users. Both drivers are loaded automatically after a system reboot. A piece of ATEPMON.sys code...
...
.text:00010A3F lea eax, [ebp+DriverObject]
.text:00010A42 push eax ; DeviceObject
.text:00010A43 push 1 ; Exclusive
.text:00010A45 push 0 ; DeviceCharacteristics
.text:00010A47 lea eax, [ebp+DeviceName]
.text:00010A4A push 8210h ; DeviceType
.text:00010A4F push eax ; DeviceName
.text:00010A50 push 0 ; DeviceExtensionSize
.text:00010A52 push esi ; DriverObject
.text:00010A53 call ds:IoCreateDevice
...
.text:00010BFA @@ioctl_222494:
.text:00010BFA lea eax, [ebp+SourceBuffer]
.text:00010C00 push 418h
.text:00010C05 push eax
.text:00010C06 call CopyMemory
.text:00010C0B test eax, eax
.text:00010C0D jnz short @@success
.text:00010C0F and byte ptr [ebp+ProcessName], al
.text:00010C15
.text:00010C15 @@success:
.text:00010C15 lea eax, [ebp+ProcessName]
.text:00010C1B push eax
.text:00010C1C push offset MsgGetProcessFileName ; "Msg GETPROCESSFILENAME :%s"
.text:00010C21 call DbgPrint
.text:00010C26 mov edi, [ebx+3Ch] ; UserBuffer
.text:00010C29 pop ecx
.text:00010C2A pop ecx
.text:00010C2B lea esi, [ebp+SourceBuffer]
.text:00010C31 mov ecx, 106h
.text:00010C36 rep movsd
...
A piece of AKEProtect.sys code...
...
.text:00010E28 @@ioctl_2224A4:
.text:00010E28 mov eax, SomeNumber
.text:00010E2D test eax, eax
.text:00010E2F jnz short @@set_output
.text:00010E31 call PsGetCurrentThreadId
.text:00010E36 push eax
.text:00010E37 push [ebp+Unknown]
.text:00010E3D push [ebp+LocalInputBuffer]
.text:00010E43 push dword ptr [ebx+50h] ; Thread
.text:00010E46 call GetThread
.text:00010E4B push eax
.text:00010E4C call SomeFunction
.text:00010E51 mov SomeNumber, eax
.text:00010E56
.text:00010E56 @@set_output:
.text:00010E56 mov ecx, [ebx+3Ch] ; UserBuffer
.text:00010E59 mov [ecx], eax ; UserBuffer <- 0xFFFFFFFF
.text:00010E5B jmp short @@set_status
...
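Both listings above write to Irp->UserBuffer (the field at offset 0x3C) without checking the pointer or the caller's output length; all four control codes have their low two bits clear, i.e. METHOD_BUFFERED, so the I/O manager already supplies a validated SystemBuffer the drivers should have used instead. The following user-mode C model is an added example rather than vendor code: it puts the vulnerable copy pattern beside a hardened handler for 0x00222494, and the irp_model struct, the handler names and the sample process name are constructed.

```c
#include <stdint.h>
#include <string.h>
/* NTSTATUS values and the IOCTL method bits as defined by Windows. */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u
#define METHOD_BUFFERED               0u
#define IOCTL_GET_PROCESS_FILE_NAME   0x00222494u /* code from the advisory */
#define PROCESS_NAME_LEN              0x418u      /* 106h dwords via rep movsd */

/* Hypothetical model of the only IRP fields the handler touches. */
typedef struct {
    uint32_t ioctl;         /* IrpSp->Parameters.DeviceIoControl.IoControlCode */
    size_t   output_len;    /* IrpSp->Parameters.DeviceIoControl.OutputBufferLength */
    void    *system_buffer; /* Irp->AssociatedIrp.SystemBuffer, kernel-owned */
    void    *user_buffer;   /* Irp->UserBuffer (offset 0x3C): raw caller pointer */
} irp_model;

/* The low two bits of a control code select the buffering method. */
static unsigned ioctl_method(uint32_t code) { return code & 3u; }

/* Pattern from the listing: 0x418 bytes go straight to Irp->UserBuffer with no
 * check of the pointer or the buffer length, so the caller picks the target. */
static uint32_t handle_vulnerable(irp_model *irp, const char *src) {
    memcpy(irp->user_buffer, src, PROCESS_NAME_LEN);
    return STATUS_SUCCESS;
}
/* Hardened handler: refuse unknown codes, require METHOD_BUFFERED, honour
 * OutputBufferLength, and write only to SystemBuffer, which the I/O manager
 * allocated in kernel memory and copies back to the caller on completion. */
static uint32_t handle_hardened(irp_model *irp, const char *src) {
    if (irp->ioctl != IOCTL_GET_PROCESS_FILE_NAME ||
        ioctl_method(irp->ioctl) != METHOD_BUFFERED)
        return STATUS_INVALID_DEVICE_REQUEST;
    if (irp->output_len < PROCESS_NAME_LEN)
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(irp->system_buffer, src, PROCESS_NAME_LEN);
    return STATUS_SUCCESS;
}

/* Constructed request with a caller-claimed output length: the vulnerable
 * handler copies regardless, the hardened one answers with a status. */
static uint32_t run_scenario(size_t claimed_len) {
    static char src[PROCESS_NAME_LEN] = "notepad.exe";
    static char out[PROCESS_NAME_LEN];
    irp_model irp = { IOCTL_GET_PROCESS_FILE_NAME, claimed_len, out, out };
    handle_vulnerable(&irp, src);
    return handle_hardened(&irp, src);
}
```

The same length-and-buffer discipline applies to the single dword that AKEProtect.sys stores through [ebx+3Ch] in the 0x002224A4 path.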