Advisory NTIADV0805
RISING Antivirus 2008/2009/2010 Multiple Privilege Escalation Vulnerabilities
Vendor: Beijing Rising International Software Co., Ltd.
Affected Software: RISING Antivirus 2008/2009/2010
Affected Drivers: HookCont - HookCont.sys
                  HookNtos - HookNtos.sys
                  HookReg - HOOKREG.sys
                  Hooksys - HookSys.sys
Date Reported: 2008-09-30
Release Date: 2010-01-22
Status: Partially Fixed - restricted access to vulnerable devices
Exploit: HookXx_Exp.zip - Local Privilege Escalation Exploit (unavailable)
Disclosure Timeline:
    2008-09-30 - Vulnerability reported to vendor
    2008-10-09 - Vendor response
    2008-10-11 - PoC Exploit sent to vendor
    2008-10-13 - Vendor response
    2008-11-20 - Status update request
    2009-04-20 - Status update request (Second vulnerability reported to vendor)
    2010-01-22 - Full technical details released to general public
Description
All device drivers (except HookHelp.sys) shipped with RISING Antivirus 2008/2009/2010 contain vulnerabilities in the code that handles IOCTL requests. Local exploitation of these vulnerabilities allows an attacker to execute arbitrary code in kernel context.
Details
The device drivers fail to validate user-supplied addresses passed to their IOCTL handler functions. IOCTL 0x83003C07 provides one of the easiest ways to exploit these vulnerabilities: if the handle passed by the user is invalid, the double-word at the user-supplied output buffer address is overwritten with the constant value 0x00000000, since the handler stores the result of the handle lookup before checking whether it succeeded. All of the drivers listed above have similar IOCTLs and similar vulnerabilities.

    ...
    .text:00010B2F @@ioctl_0x83003C07:
    .text:00010B2F                 mov     ecx, SomeStruct
    .text:00010B35                 cmp     byte ptr [ecx+202Ch], 0
    .text:00010B3C                 jnz     short @@status_unsuccessful
    .text:00010B3E                 cmp     ebx, 4                         ; OutputBufferLength
    .text:00010B41                 jb      short @@status_unsuccessful
    .text:00010B43                 push    dword ptr [edx]                ; InputBuffer[0] - Handle
    .text:00010B45                 call    ReferenceObjectByHandle
    .text:00010B4A                 test    eax, eax
    .text:00010B4C                 mov     [edi], eax                     ; UserBuffer - eax
    .text:00010B4E                 jnz     short @@set_information
    .text:00010B50                 mov     [ebp+Information], STATUS_UNSUCCESSFUL
    .text:00010B57                 jmp     short @@exit
    ...

    .text:00010502 ReferenceObjectByHandle proc near
    .text:00010502 ...
    .text:0001051B                 push    ebx                            ; HandleInformation
    .text:0001051C                 push    esi                            ; Object
    .text:0001051D                 push    ebx                            ; AccessMode
    .text:0001051E                 push    ebx                            ; ObjectType
    .text:0001051F                 push    10000000h                      ; DesiredAccess
    .text:00010524                 push    [esp+18h+Handle]               ; Handle
    .text:00010528                 call    ds:ObReferenceObjectByHandle
    .text:0001052E                 test    eax, eax
    .text:00010530                 jge     short @@object_referenced
    .text:00010532                 xor     eax, eax
    .text:00010534                 jmp     @@exit
    ...
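As an added illustration (not from the advisory and not Rising's driver code), the following user-mode C model contrasts the 0x83003C07 handler pattern seen in the disassembly with a hardened version that validates the output buffer before storing anything. The handle value, object pointer and user-probe boundary are constructed assumptions, and model_probe_for_write stands in for the kernel's ProbeForWrite so the file builds with a plain C compiler.

```c
#include <stdint.h>
#include <stdbool.h>
#define STATUS_SUCCESS           0x00000000u
#define STATUS_UNSUCCESSFUL      0xC0000001u
#define STATUS_ACCESS_VIOLATION  0xC0000005u
#define STATUS_BUFFER_TOO_SMALL  0xC0000023u
#define MODEL_USER_PROBE_ADDRESS 0x7FFF0000u /* assumed 32-bit split; models MmUserProbeAddress */
#define MODEL_VALID_HANDLE       0x1Cu       /* constructed: the only handle the model resolves */
#define MODEL_OBJECT_PTR         0x8A123456u /* constructed: object pointer it resolves to */
/* The request as a METHOD_NEITHER handler sees it: raw, unvalidated user pointers. */
typedef struct { uint32_t handle; uintptr_t out_addr; uint32_t out_len; } ioctl_req_t;
/* What the handler did: the status it returned, plus any store it performed and where. */
typedef struct { uint32_t status; bool wrote; uintptr_t write_addr; uint32_t write_value; } ioctl_result_t;

/* Stand-in for the driver's ReferenceObjectByHandle wrapper: object pointer, or 0 on failure. */
static uint32_t model_reference_object(uint32_t handle)
{
    return handle == MODEL_VALID_HANDLE ? MODEL_OBJECT_PTR : 0;
}

/* Models ProbeForWrite: aligned, entirely below the user probe address, no wrap-around. */
static bool model_probe_for_write(uintptr_t addr, uintptr_t len, uintptr_t align)
{
    if (addr % align) return false;
    return addr < MODEL_USER_PROBE_ADDRESS && len <= MODEL_USER_PROBE_ADDRESS - addr;
}

/* Pattern from the disassembly: the output address is never probed and the store (mov [edi], eax)
 * happens before the status check, so an invalid handle stores 0 wherever UserBuffer points. */
ioctl_result_t ioctl_83003c07_vulnerable(const ioctl_req_t *req)
{
    ioctl_result_t r = { STATUS_UNSUCCESSFUL, false, 0, 0 };
    if (req->out_len < 4) return r;                      /* cmp ebx, 4 / jb */
    uint32_t obj = model_reference_object(req->handle);
    r.wrote = true; r.write_addr = req->out_addr; r.write_value = obj;
    r.status = obj ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
    return r;
}

/* Hardened form: check the length, probe the user pointer, resolve the handle, and store
 * only on success (in a real driver the probe and the store sit inside __try/__except). */
ioctl_result_t ioctl_83003c07_hardened(const ioctl_req_t *req)
{
    ioctl_result_t r = { STATUS_UNSUCCESSFUL, false, 0, 0 };
    if (req->out_len < sizeof(uint32_t)) { r.status = STATUS_BUFFER_TOO_SMALL; return r; }
    if (!model_probe_for_write(req->out_addr, sizeof(uint32_t), sizeof(uint32_t))) { r.status = STATUS_ACCESS_VIOLATION; return r; }
    uint32_t obj = model_reference_object(req->handle);
    if (obj == 0) return r;                              /* STATUS_UNSUCCESSFUL, nothing stored */
    r.wrote = true; r.write_addr = req->out_addr; r.write_value = obj; r.status = STATUS_SUCCESS;
    return r;
}
```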
Copyright © 2oo8-2oo9 NT Internals. All rights reserved.