| Advisory NTIADV0806 | |
| Online Armor (OAmon.sys) Multiple Privilege Escalation Vulnerabilities | |
| Vendor | Tall Emu Pty Ltd |
| Affected Software | Online Armor Personal Firewall v3.5 < v3.5.0.12 |
| | Online Armor Personal Firewall AV+ < v3.5.0.12 |
| Affected Driver | TDI Helper Driver - OAmon.sys <= 3.1.0.0 |
| Date Reported | 2008-10-04 |
| Release Date | 2009-06-04 |
| Status | Fixed in Online Armor Personal Firewall v3.5 (v3.5.0.14) |
| | Fixed in Online Armor Personal Firewall AV+ |
| Exploit | OAmon_Exp.zip - Local Privilege Escalation Exploit |
| Disclosure Timeline | 2008-10-04 - Vulnerability reported to vendor |
| | 2008-10-04 - Vendor response |
| | 2008-10-09 - Partial update released by the vendor |
| | 2008-10-11 - Vulnerability reported to vendor a second time |
| | 2008-10-11 - Vendor response |
| | 2009-04-20 - Status update request |
| | 2009-04-20 - Vendor response |
| | 2009-04-27 - Update released by the vendor |
| | 2009-06-04 - Full technical details released to general public |
| Description | |
| Local exploitation of a design error in the OAmon.sys driver shipped with Online Armor Personal Firewall could allow an unprivileged local attacker to execute arbitrary code in kernel mode. | |
| Details | |
The vulnerability exists because the OAmon.sys device driver does not validate user-supplied addresses when it processes IOCTLs. All of its IOCTL codes are defined with METHOD_NEITHER, so the I/O manager performs no buffering or probing and hands the driver the caller's raw input and output pointers (Type3InputBuffer and Irp->UserBuffer). The driver dereferences these pointers without probing them, which allows an unprivileged user to write to arbitrary addresses, including kernel memory. In the handler for IOCTL 0x830020C3 shown below, the DWORD value 1 is stored through the unchecked output pointer, so a caller who passes a kernel address as the output buffer gets a controlled write into kernel space:
...
.text:00013E8D @@ioctl_830020C3:
.text:00013E8D mov eax, [ebp+OutputBuffer] ; UserBuffer
.text:00013E90 mov dword ptr [eax], 1 ; UserBuffer[0] = 1
.text:00013E96 mov eax, edi
.text:00013E98 mov dword ptr [eax], 4
.text:00013E9E jmp @@return_false
...
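The following is an added example, not code from the advisory, the exploit archive, or Tall Emu's driver. It is a user-mode C model of the mistake in the handler above and of its fix: a 64 KiB array stands in for the 32-bit virtual address space, USER_PROBE_ADDRESS stands in for MmUserProbeAddress, and KERNEL_OBJECT_VA is an assumed address of some kernel object the caller wants to corrupt. probe_for_write models the range and alignment checks of ProbeForWrite but returns the NTSTATUS instead of raising it, which is what a __try/__except block around the real call would produce. The vulnerable handler stores 1 through whatever pointer it is given, as the disassembly does; the hardened one probes the pointer first and refuses anything at or above the user/kernel boundary. All function and constant names are this example's own.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDRESS_SPACE_SIZE   0x10000u   /* simulated 64 KiB "virtual address space" (model only) */
#define USER_PROBE_ADDRESS   0x8000u    /* stands in for MmUserProbeAddress: below is user, at/above is kernel */
#define KERNEL_OBJECT_VA     0x9000u    /* assumed address of a kernel object an attacker wants to overwrite */

/* Real NTSTATUS values */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT  0x80000002u
#define STATUS_ACCESS_VIOLATION       0xC0000005u

static uint8_t address_space[ADDRESS_SPACE_SIZE];

static uint32_t read_dword(uint32_t va)
{
    uint32_t v = 0;
    if (va <= ADDRESS_SPACE_SIZE - sizeof v)          /* keeps the model in bounds; not part of the bug */
        memcpy(&v, &address_space[va], sizeof v);
    return v;
}

static void write_dword(uint32_t va, uint32_t v)
{
    if (va <= ADDRESS_SPACE_SIZE - sizeof v)          /* keeps the model in bounds; not part of the bug */
        memcpy(&address_space[va], &v, sizeof v);
}

/* Model of ProbeForWrite(Address, Length, Alignment): the kernel routine raises
 * STATUS_DATATYPE_MISALIGNMENT for a misaligned address and STATUS_ACCESS_VIOLATION
 * when Address + Length passes MmUserProbeAddress or wraps.  Returned, not raised. */
static uint32_t probe_for_write(uint32_t va, uint32_t length, uint32_t alignment)
{
    if (length == 0)
        return STATUS_SUCCESS;
    if (va % alignment != 0)
        return STATUS_DATATYPE_MISALIGNMENT;
    if (va >= USER_PROBE_ADDRESS || length > USER_PROBE_ADDRESS - va)
        return STATUS_ACCESS_VIOLATION;               /* range reaches into kernel space */
    return STATUS_SUCCESS;
}

/* Handler as the disassembly shows it: the METHOD_NEITHER output pointer
 * (Irp->UserBuffer) is dereferenced as-is, so any address the caller passes is written. */
static uint32_t ioctl_830020c3_vulnerable(uint32_t user_buffer_va)
{
    write_dword(user_buffer_va, 1);                   /* UserBuffer[0] = 1 */
    return STATUS_SUCCESS;
}

/* Hardened handler: probe the caller's pointer before the store.  In a real driver the
 * probe and the store sit together inside one __try block, and the pointer is read from
 * the IRP once so it cannot change between the check and the use. */
static uint32_t ioctl_830020c3_hardened(uint32_t user_buffer_va)
{
    uint32_t status = probe_for_write(user_buffer_va, sizeof(uint32_t), sizeof(uint32_t));
    if (status != STATUS_SUCCESS)
        return status;
    write_dword(user_buffer_va, 1);                   /* UserBuffer[0] = 1 */
    return STATUS_SUCCESS;
}

/* Reset the model, plant a known value at the kernel object, dispatch the IOCTL with a
 * caller-chosen output pointer, and report the status plus the object's value afterwards. */
static uint32_t run_ioctl(uint32_t (*handler)(uint32_t), uint32_t user_buffer_va,
                          uint32_t *value_at_target)
{
    memset(address_space, 0, sizeof address_space);
    write_dword(KERNEL_OBJECT_VA, 0x12345678u);
    uint32_t status = handler(user_buffer_va);
    *value_at_target = read_dword(KERNEL_OBJECT_VA);
    return status;
}

int main(void)
{
    uint32_t after;
    uint32_t st = run_ioctl(ioctl_830020c3_vulnerable, KERNEL_OBJECT_VA, &after);
    printf("vulnerable: status=0x%08" PRIX32 ", kernel object now 0x%08" PRIX32 "\n", st, after);
    st = run_ioctl(ioctl_830020c3_hardened, KERNEL_OBJECT_VA, &after);
    printf("hardened:   status=0x%08" PRIX32 ", kernel object still 0x%08" PRIX32 "\n", st, after);
    return 0;
}
```

The model deliberately keeps the checks that matter for this bug class: the probe rejects any range that starts in or crosses into kernel space and any misaligned address, and the store happens only after the probe succeeds. On real Windows the remaining pieces are the __try/__except around both, and validating the input pointer (Type3InputBuffer) with ProbeForRead the same way.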