Advisory NTIADV0803 (Accelerated Disclosure)
EVEREST (kerneld.sys) Multiple Vulnerabilities
Vendor: Lavalys Consulting Group, Inc.
Affected Software: EVEREST Corporate Edition
                   EVEREST Ultimate Edition
Affected Driver: kerneld.sys
Date Reported: 2008-09-18
Release Date: 2009-10-21
Status: Partially fixed
Exploit: kerneld_Exp.zip - Local Privilege Escalation Exploit
Disclosure Timeline:
2008-09-18 - Vulnerability reported to vendor
2008-10-11 - Vendor notified a second time
2008-10-16 - Vendor response
2008-10-20 - Vendor response (First incomplete update released)
2008-11-16 - Status update request
2008-11-17 - Vendor response
2008-11-17 - Detailed vulnerability information sent to the vendor
2008-11-22 - Vendor response (Second incomplete update released)
2009-05-23 - Status update request
2009-05-24 - Vendor response
2009-05-25 - Detailed vulnerability information sent to the vendor
2009-10-21 - Full technical details released to general public
Description:
EVEREST is prone to multiple local privilege escalation vulnerabilities in the kerneld.sys driver.
Details:
Signed modules distributed with EVEREST include functionality that can be abused to copy user-supplied data into Model-Specific Registers. This allows a local user to crash the system or inject arbitrary code into the kernel: a write to a control MSR such as IA32_SYSENTER_EIP, for example, redirects the kernel's system-call entry point to an attacker-chosen address. In order to exploit this vulnerability, an Administrator must have launched the EVEREST application or loaded the kerneld.sys driver manually; once the driver is loaded, its IOCTL interface is reachable by local users without administrative rights, which is what makes these issues privilege escalations rather than administrator-only defects.

Fixed (restricted access to some MSR registers)

		...
		.text:000113F0 @@ioctl_rdmsr:
		.text:000113F0                 cmp     ecx, edi                       ; InputBufferLength
		.text:000113F2                 jz      @@invalid_parameter
		.text:000113F8                 mov     ecx, [esi]                     ; InputBuffer[0] - Msr Number
		.text:000113FA                 rdmsr
		.text:000113FC                 mov     [esi+4], eax                   ; OutputBuffer[1] - LowOrderMsr
		.text:000113FF                 mov     [esi+8], edx                   ; OutputBuffer[2] - HighOrderMsr
		.text:00011402                 jmp     short @@set_iostatus
		.text:00011404
		.text:00011404 @@ioctl_wrmsr:
		.text:00011404                 cmp     ecx, edi                       ; InputBufferLength
		.text:00011406                 jz      @@invalid_parameter
		.text:0001140C                 mov     ecx, [esi+4]                   ; SystemBuffer[1] - LowOrderMsr
		.text:0001140F                 mov     edx, [esi+8]                   ; SystemBuffer[2] - HighOrderMsr
		.text:00011412                 xor     eax, eax
		.text:00011414                 or      eax, ecx
		.text:00011416                 mov     ecx, [esi]                     ; SystemBuffer[0] - Msr Number
		.text:00011418                 xor     edi, edi
		.text:0001141A                 or      edx, edi
		.text:0001141C                 wrmsr
		.text:0001141E                 mov     eax, [ebp+InputBufferLength]
		.text:00011421                 and     [ebx+18h], edi                 ; Irp->IoStatus.Status = STATUS_SUCCESS (edi = 0)
		.text:00011424                 mov     [ebx+1Ch], eax                 ; Irp->IoStatus.Information
		.text:00011427                 jmp     @@complete_request
		...
		

EVEREST supports functionality that allows unrestricted I/O port access by supplying a specially crafted Irp to the IOCTL handler. The port number is taken from the input buffer with no check at all, so any of the 65536 I/O ports can be read or written from user land.

Fixed (restricted access to some I/O ports)

		...
		.text:00011D85 @@ioctl_read_port_uchar:
		.text:00011D85                 cmp     ecx, edi
		.text:00011D87                 jz      @@invalid_parameter
		.text:00011D8D                 mov     dx, [esi]                      ; InputBuffer[0] - Port
		.text:00011D90                 in      al, dx
		.text:00011D91                 movzx   eax, al
		.text:00011D94                 jmp     @@save_value
		...
		.text:00011699 @@save_value:
		.text:00011699                 mov     [esi+4], eax                   ; OutputBuffer[1] - Value
		.text:0001169C
		.text:0001169C @@set_information2:
		.text:0001169C                 mov     [ebx+1Ch], ecx
		.text:0001169F                 jmp     @@set_status
		...
		
		...
		.text:00011D99 @@ioctl_write_port_uchar:
		.text:00011D99                 cmp     ecx, edi
		.text:00011D9B                 jz      @@invalid_parameter
		.text:00011DA1                 mov     dx, [esi]                      ; InputBuffer[0] - Port
		.text:00011DA4                 mov     al, [esi+4]                    ; InputBuffer[1] - Value
		.text:00011DA7
		.text:00011DA7 @@write_port_uchar:
		.text:00011DA7                 out     dx, al
		.text:00011DA8                 jmp     @@set_information2
		...

The device driver fails to validate user-land supplied parameters passed to the IOCTL handler. The map-I/O-space IOCTL shown below maps a caller-chosen physical address range with MmMapIoSpace and then copies NumberOfBytes from the mapping to a destination pointer taken straight from the input buffer; neither the physical range, the length, nor the destination pointer is checked. Since the Irp parameters are not correctly validated, an attacker could use the vulnerable IOCTLs to cause an immediate system crash or to read arbitrary physical memory into a location of their choosing.

		...
		.text:0001142C @@ioctl_map_io_space:
		.text:0001142C                 cmp     ecx, edi
		.text:0001142E                 jz      @@invalid_parameter
		.text:00011434                 mov     ecx, [esi+8]                   ; InputBuffer[2]
		.text:00011437                 mov     eax, [esi+4]                   ; InputBuffer[1]
		.text:0001143A                 push    edi                            ; CacheType (MmNonCached = 0)
		.text:0001143B                 push    dword ptr [esi]                ; NumberOfBytes - InputBuffer[0]
		.text:0001143D                 push    ecx                            ; PhysicalAddress high dword - InputBuffer[2]
		.text:0001143E                 push    eax                            ; PhysicalAddress low dword - InputBuffer[1]
		.text:0001143F                 call    ds:MmMapIoSpace
		.text:00011445                 cmp     eax, edi
		.text:00011447                 mov     [ebp+VirtualAddress], eax
		.text:0001144A                 jz      short @@data_error
		.text:0001144C                 push    dword ptr [esi]                ; Count = NumberOfBytes
		.text:0001144E                 push    eax                            ; Source = mapped VirtualAddress
		.text:0001144F                 push    dword ptr [esi+0Ch]            ; Destination = InputBuffer[3], unvalidated pointer
		.text:00011452                 call    memcpy
		.text:00011457                 add     esp, 0Ch
		.text:0001145A                 push    dword ptr [esi]
		.text:0001145C                 push    [ebp+VirtualAddress]
		.text:0001145F
		.text:0001145F @@unmap_io_space:
		.text:0001145F                 call    ds:MmUnmapIoSpace
		.text:00011465
		.text:00011465 @@set_information:
		.text:00011465                 mov     eax, [ebp+InputBufferLength]
		.text:00011468                 mov     [ebx+1Ch], eax
		.text:0001146B
		.text:0001146B @@set_status:
		.text:0001146B                 mov     [ebx+18h], edi
		.text:0001146E                 jmp     @@complete_request
		...
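The three handlers above share one root cause: the only input check is cmp ecx, edi (length not zero), and the values that follow are handed straight to WRMSR, IN/OUT and MmMapIoSpace/memcpy. As an added illustration, not code from kerneld.sys or from Lavalys, the following user-mode C model shows what a hardened dispatcher for the same request layouts looks like: full-length checks on both the input and output buffers, deny-by-default allow-lists for MSRs and ports, a port check on the full dword before it is truncated to DX, an overflow-safe physical range check, and no user pointer in the request at all (the physical-memory read returns its bytes in the system buffer). The IOCTL codes, the allow-list contents and the simulated MSR, port and physical-memory arrays are assumptions made for this example; the STATUS_* values are the standard NTSTATUS codes.

```c
/* User-mode model of a hardened kerneld-style IOCTL dispatcher (added example,
 * not kerneld.sys code). Runs without the WDK: MSRs, I/O ports and physical
 * memory are simulated arrays, and the IOCTL codes and allow-lists are
 * assumptions chosen for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS            ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER  ((NTSTATUS)0xC000000D)
#define STATUS_ACCESS_DENIED      ((NTSTATUS)0xC0000022)
#define STATUS_BUFFER_TOO_SMALL   ((NTSTATUS)0xC0000023)

/* Assumed IOCTL codes; the real kerneld.sys codes are not on the page. */
enum { IOCTL_RDMSR = 1, IOCTL_WRMSR, IOCTL_READ_PORT_UCHAR,
       IOCTL_WRITE_PORT_UCHAR, IOCTL_READ_PHYS };

/* Request layouts as dword slots, following the listings above. The
 * physical-memory request deliberately carries no destination pointer:
 * the bytes come back in the system buffer right after the header. */
struct msr_req  { uint32_t msr, lo, hi; };
struct port_req { uint32_t port, value; };
struct phys_req { uint32_t nbytes, pa_lo, pa_hi; };

/* Simulated hardware (assumption) so the model runs in user mode. */
static uint64_t sim_msr[0x200];
static uint8_t  sim_port[0x10000];
static uint8_t  sim_phys[0x100000];            /* first 1 MiB of physical memory */

/* Deny-by-default policy. The entries are placeholders an auditor fills with
 * what the monitoring tool really needs; a block-list of "known bad" MSRs such
 * as IA32_SYSENTER_EIP (0x176) or IA32_LSTAR (0xC0000082) is not sufficient. */
static int msr_readable(uint32_t msr)
{   /* IA32_PERF_STATUS, IA32_THERM_STATUS, IA32_MISC_ENABLE */
    return msr == 0x198 || msr == 0x19C || msr == 0x1A0;
}
static int msr_writable(uint32_t msr) { (void)msr; return 0; }   /* no MSR writes at all */
static int port_allowed(uint32_t port)
{   /* ISA hardware-monitor index/data ports (assumed need) */
    return port == 0x295 || port == 0x296;
}
static int phys_range_allowed(uint64_t pa, uint64_t n)
{   /* assumed SMBIOS/ACPI scan window; both bounds are checked before the
     * subtraction so that pa + n cannot wrap around */
    const uint64_t lo = 0xE0000, hi = 0x100000;
    return n != 0 && pa >= lo && pa < hi && n <= hi - pa;
}

/* METHOD_BUFFERED-style handler: buf is the system buffer shared by input and
 * output, info receives what would become Irp->IoStatus.Information. */
NTSTATUS dispatch(uint32_t code, void *buf, size_t in_len, size_t out_len, size_t *info)
{
    *info = 0;
    switch (code) {
    case IOCTL_RDMSR:
    case IOCTL_WRMSR: {
        struct msr_req *r = buf;
        /* kerneld only rejected a zero length; require the whole struct both ways */
        if (in_len < sizeof *r || out_len < sizeof *r) return STATUS_BUFFER_TOO_SMALL;
        if (code == IOCTL_RDMSR) {
            if (!msr_readable(r->msr)) return STATUS_ACCESS_DENIED;
            r->lo = (uint32_t)sim_msr[r->msr];
            r->hi = (uint32_t)(sim_msr[r->msr] >> 32);
            *info = sizeof *r;
        } else {
            if (!msr_writable(r->msr)) return STATUS_ACCESS_DENIED;
            sim_msr[r->msr] = ((uint64_t)r->hi << 32) | r->lo;
        }
        return STATUS_SUCCESS;
    }
    case IOCTL_READ_PORT_UCHAR:
    case IOCTL_WRITE_PORT_UCHAR: {
        struct port_req *r = buf;
        if (in_len < sizeof *r || out_len < sizeof *r) return STATUS_BUFFER_TOO_SMALL;
        /* check the full dword: "mov dx, [esi]" truncates, so 0x10295 would alias 0x295 */
        if (r->port > 0xFFFF || !port_allowed(r->port)) return STATUS_ACCESS_DENIED;
        if (code == IOCTL_READ_PORT_UCHAR) { r->value = sim_port[r->port]; *info = sizeof *r; }
        else                                sim_port[r->port] = (uint8_t)r->value;
        return STATUS_SUCCESS;
    }
    case IOCTL_READ_PHYS: {
        struct phys_req *r = buf;
        if (in_len < sizeof *r) return STATUS_BUFFER_TOO_SMALL;
        uint64_t pa = ((uint64_t)r->pa_hi << 32) | r->pa_lo;
        if (!phys_range_allowed(pa, r->nbytes)) return STATUS_ACCESS_DENIED;
        /* output is bounded by the caller's output length, never by a pointer it supplied */
        if (out_len < sizeof *r || r->nbytes > out_len - sizeof *r) return STATUS_BUFFER_TOO_SMALL;
        memcpy((uint8_t *)buf + sizeof *r, sim_phys + pa, r->nbytes);  /* real driver: inside MmMapIoSpace/MmUnmapIoSpace */
        *info = sizeof *r + r->nbytes;
        return STATUS_SUCCESS;
    }
    default:
        return STATUS_INVALID_PARAMETER;
    }
}

/* Mimics the I/O manager copying the request into a private system buffer. */
NTSTATUS run(uint32_t code, const void *req, size_t in_len, size_t out_len)
{
    uint8_t sysbuf[256] = {0};
    size_t info;
    if (in_len > sizeof sysbuf || out_len > sizeof sysbuf) return STATUS_INVALID_PARAMETER;
    memcpy(sysbuf, req, in_len);
    return dispatch(code, sysbuf, in_len, out_len, &info);
}

int main(void)
{
    struct msr_req hijack = { 0x176, 0x41414141, 0 };      /* write to IA32_SYSENTER_EIP */
    struct phys_req wrap  = { 0xFFFFFFFF, 0xF0000, 0 };    /* length that would wrap a naive end check */
    printf("wrmsr 0x176 -> 0x%08X\n", (unsigned)run(IOCTL_WRMSR, &hijack, sizeof hijack, sizeof hijack));
    printf("phys 0xF0000 + 0xFFFFFFFF -> 0x%08X\n", (unsigned)run(IOCTL_READ_PHYS, &wrap, sizeof wrap, 256));
    return 0;
}
```

Two things the model cannot show but a real fix needs: the device object should be created with a security descriptor that restricts opens to administrators (the advisory's privilege-escalation angle exists only because unprivileged callers can reach the device), and the allow-lists above are still a trust decision; a write to a hardware-monitor index port, for instance, is harmless only as long as the Super I/O behind it exposes nothing more sensitive.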
		
Copyright © 2008-2009 NT Internals. All rights reserved.