| Advisory NTIADV0807 | |
| ESET Smart Security (epfw.sys) Privilege Escalation Vulnerability | |
| Vendor | ESET, LLC. |
| Affected Software | ESET Smart Security <= 3.0.672 |
| Affected Driver | ESET Personal Firewall driver - epfw.sys <= 3.0.672.0 |
| Date Reported | 2008-10-10 |
| Release Date | 2008-12-18 |
| Status | Fixed - ESET Smart Security 3.0.684 / ESET Smart Security 4.0 Beta 1 |
| Exploit | Epfw_Exp.zip - Local Privilege Escalation Exploit |
| Disclosure Timeline | 2008-10-10 - Vulnerability reported to vendor |
| | 2008-10-15 - Vendor response |
| | 2008-12-18 - Update released by the vendor |
| | 2008-12-18 - Full technical details released to general public |
| Description | |
| Local exploitation of a design error vulnerability in ESET Smart Security can allow an attacker to execute arbitrary code with kernel privileges. | |
| Details | |
The problem exists within the IOCTL handling code in the epfw.sys device driver. The driver fails to validate the user-land supplied OutputBuffer address passed to the IOCTL handler function: only the length of the buffer is checked, never the address itself. An attacker can therefore overwrite the memory at a user-supplied address with a constant double-word value by passing a specially crafted IRP to the IOCTL handler function.
...
.text:000118DE @@ioctl_0x8897229F:
.text:000118DE push 4
.text:000118E0 pop eax
.text:000118E1 cmp [ebp+OutputBufferLength], eax ; only the length is checked (>= 4) ...
.text:000118E4 jb @@invalid_parameter ; ... the OutputBuffer address never is
.text:000118EA mov ecx, ebx ; DeviceObject
.text:000118EC mov ecx, [ecx+28h] ; DeviceExtension
.text:000118EF mov ecx, [ecx+60h] ; constant DWORD taken from the device extension
.text:000118F2 mov ebx, [ebp+OutputBuffer] ; user-supplied pointer, not probed
.text:000118F5 mov [ebx], ecx ; OutputBuffer[0] <- 0xXXXXXXXX, wherever ebx points
.text:000118F7 mov [edi], eax ; Information
.text:000118F9 mov [esi], edx ; Status
.text:000118FB jmp @@exit
...
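As an added illustration (not code from the advisory or from ESET), the handler pattern above modelled in portable C beside a hardened version: the low two bits of the IOCTL code give the transfer method (0x8897229F & 3 = 3, METHOD_NEITHER, so OutputBuffer is the caller's raw pointer), and the fix is to probe that pointer before the store. The `user_mem`/`kernel_mem` arrays, `probe_for_write` and `ext_value` are constructed stand-ins for the real address space, ProbeForWrite and the DWORD at DeviceExtension+60h.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Layout of a Windows IOCTL code (CTL_CODE macro): bits 31-16 device type,
 * bits 13-2 function, bits 1-0 transfer method. Method 3 is METHOD_NEITHER:
 * the I/O manager hands the driver the caller's raw OutputBuffer pointer
 * (Irp->UserBuffer) and performs no validation of it on the driver's behalf. */
#define METHOD_NEITHER 3u
static unsigned ioctl_method(uint32_t code)   { return code & 3u; }
static unsigned ioctl_function(uint32_t code) { return (code >> 2) & 0xFFFu; }
static unsigned ioctl_device(uint32_t code)   { return (code >> 16) & 0xFFFFu; }

/* Constructed stand-in for the address space so both handlers can run in user
 * mode: one simulated user-mode page and one simulated kernel-mode page. */
static uint32_t user_mem[16];
static uint32_t kernel_mem[16];

/* Stand-in for ProbeForWrite(): true only if [p, p+len) lies inside user_mem. */
static bool probe_for_write(const void *p, size_t len) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)user_mem, hi = lo + sizeof user_mem;
    return a >= lo && a <= hi && len <= hi - a;
}

/* The 0x8897229F path as disassembled above: only OutputBufferLength is
 * checked (>= 4), then the DWORD from DeviceExtension+60h (ext_value here) is
 * stored through OutputBuffer wherever it points. 1 = wrote, 0 = invalid parameter. */
static int handle_ioctl_vulnerable(uint32_t *out, uint32_t out_len, uint32_t ext_value) {
    if (out_len < 4) return 0;   /* cmp/jb to @@invalid_parameter */
    *out = ext_value;            /* mov [ebx], ecx: no check that ebx is user memory */
    return 1;
}

/* Hardened variant: same length check, but for a METHOD_NEITHER code the
 * pointer is probed before the store. In a real driver the probe and the
 * write sit inside __try/__except so a bad address raises instead of crashing.
 * Returns -1 where the driver would fail with STATUS_ACCESS_VIOLATION. */
static int handle_ioctl_fixed(uint32_t code, uint32_t *out, uint32_t out_len, uint32_t ext_value) {
    if (out_len < 4) return 0;
    if (ioctl_method(code) == METHOD_NEITHER && !probe_for_write(out, 4)) return -1;
    *out = ext_value;
    return 1;
}
```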