Advisory NTIADV0810 (Accelerated Disclosure)
PowerStrip (pstrip.sys) Privilege Escalation Vulnerability
Vendor: EnTech Taiwan
Affected Software: PowerStrip <= 3.84
Affected Driver: PowerStrip support NT kernel-mode driver - pstrip.sys <= 5.0.1.1
Date Reported: 2008-11-20
Release Date: 2008-12-20
Status: Not fixed
Exploit: PowerStrip_Exp.zip - Local Privilege Escalation Exploit
Disclosure Timeline:
2008-11-20 - Vulnerability reported to vendor
2008-11-24 - Vendor notified a second time
2008-12-20 - Full technical details released to general public
Description
PowerStrip is prone to a local privilege escalation vulnerability. A local, unprivileged attacker can exploit this issue to execute arbitrary code with kernel-level privileges.
Details
The problem exists because the driver (pstrip.sys) lets untrusted user-mode code pass kernel addresses as arguments to the driver. Since the IRP parameters are not validated, an attacker can use the vulnerable IOCTL (0x800020A8) to overwrite arbitrary memory with the constant LONGLONG value 0x00: each request zeroes eight bytes at up to two attacker-chosen addresses. Once loaded, the vulnerable kernel module is accessible by all users and remains loaded until the system is rebooted, and the driver is loaded again automatically at every boot.

PowerStrip exposes functionality that gives unrestricted write access to memory when a specially crafted Irp is supplied to the IOCTL handler. The input buffer, reached through SystemBuffer (the IOCTL is METHOD_BUFFERED), is twelve bytes: the word at offset 2 and the dword at offset 4 go to the first call to Overwrite, the word at offset 0 and the dword at offset 8 go to the second, and wherever the word (Flag) is nonzero, Overwrite stores two zero ULONGs at the dword (Address) without checking where it points.

		.text:00010B04 ; int __stdcall IOCTL_800020A8(int SystemBuffer)
		.text:00010B04 IOCTL_800020A8 proc near
		.text:00010B04
		.text:00010B04 SystemBuffer = dword ptr 8
		.text:00010B04
		.text:00010B04                 push    esi
		.text:00010B05                 mov     esi, [esp+SystemBuffer]
		.text:00010B09                 push    dword ptr [esi+4]              ; Address
		.text:00010B0C                 mov     ax, [esi+2]
		.text:00010B10                 push    eax                            ; Flag
		.text:00010B11                 call    Overwrite
		.text:00010B16                 push    dword ptr [esi+8]              ; Address
		.text:00010B19                 mov     ax, [esi]
		.text:00010B1C                 push    eax                            ; Flag
		.text:00010B1D                 call    Overwrite
		.text:00010B22                 pop     esi
		.text:00010B23                 retn    4
		.text:00010B23 IOCTL_800020A8 endp
		
		.text:00010AEE ; int __stdcall Overwrite(__int16 Flag,int Address)
		.text:00010AEE Overwrite proc near
		.text:00010AEE
		.text:00010AEE Flag = word ptr 4
		.text:00010AEE Address = dword ptr 8
		.text:00010AEE
		.text:00010AEE                 cmp     [esp+Flag], 0
		.text:00010AF4                 jz      short @@exit
		.text:00010AF6                 push    edi
		.text:00010AF7                 mov     edi, [esp+4+Address]
		.text:00010AFB                 xor     eax, eax
		.text:00010AFD                 stosd                          ; Overwriting 2 ULONGs
		.text:00010AFE                 stosd
		.text:00010AFF                 pop     edi
		.text:00010B00
		.text:00010B00 @@exit:
		.text:00010B00                 retn    8
		.text:00010B00 Overwrite endp
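The following C model is added to this advisory and is not code from the driver or from the NT Internals exploit. It reconstructs the SystemBuffer layout from the disassembly above, decodes the IOCTL code (device type 0x8000, function 0x82A, METHOD_BUFFERED, FILE_ANY_ACCESS, so any process that can open the device may issue it), and contrasts the unvalidated Overwrite path with a ProbeForWrite-style check that a fixed driver would need before dereferencing a user-supplied pointer. Addresses are offsets into a simulated flat address space so the program runs as an ordinary process; that simulation, KERNEL_TARGET, MM_USER_PROBE_ADDR, the STATUS constants and the scenario functions are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Decode a Windows IOCTL code (CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method). */
typedef struct { uint32_t device_type, access, function, method; } ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f = { code >> 16, (code >> 14) & 0x3, (code >> 2) & 0xFFF, code & 0x3 };
    return f;   /* access 0 = FILE_ANY_ACCESS, method 0 = METHOD_BUFFERED */
}

/* Simulated flat 32-bit address space so the handler model runs as an ordinary process
 * (an assumption of this example; the real driver writes through real kernel addresses).
 * Offsets below MM_USER_PROBE_ADDR stand for user mode, at or above it for kernel mode. */
#define ADDR_SPACE_SIZE          0x1000u
#define MM_USER_PROBE_ADDR       0x0800u
#define KERNEL_TARGET            0x0F00u   /* illustrative "kernel" location an attacker zeroes */
#define STATUS_SUCCESS           0
#define STATUS_ACCESS_VIOLATION  (-1)
static uint8_t g_mem[ADDR_SPACE_SIZE];

void reset_memory(void) { memset(g_mem, 0xAA, sizeof g_mem); }

int is_zeroed(uint32_t addr) {           /* are the 8 bytes at addr all zero? */
    for (uint32_t i = 0; i < 8; i++) if (g_mem[addr + i] != 0) return 0;
    return 1;
}

/* SystemBuffer layout recovered from the IOCTL_800020A8 disassembly (12 bytes). */
typedef struct {
    uint16_t flag_b;   /* [esi]   gates the write to addr_b (second Overwrite call) */
    uint16_t flag_a;   /* [esi+2] gates the write to addr_a (first Overwrite call)  */
    uint32_t addr_a;   /* [esi+4] */
    uint32_t addr_b;   /* [esi+8] */
} pstrip_req;

/* Model of Overwrite(): if Flag != 0, store two zero ULONGs at Address. Returns 1 if it wrote. */
static int overwrite(uint16_t flag, uint32_t addr) {
    if (flag == 0) return 0;
    if (addr + 8u > ADDR_SPACE_SIZE) return 0;   /* bound of the simulation only, not a security check */
    memset(&g_mem[addr], 0, 8);                  /* no validation: addr may be a kernel address */
    return 1;
}

/* Vulnerable handler as disassembled: trusts both user-supplied pointers, returns write count. */
int ioctl_800020A8_vulnerable(const pstrip_req *req) {
    return overwrite(req->flag_a, req->addr_a) + overwrite(req->flag_b, req->addr_b);
}

/* Hardened variant (added here, not vendor code): ProbeForWrite-style check that each target
 * lies entirely in user-mode space, plus an input-length check, before anything is written. */
static int probe_for_write(uint32_t addr, uint32_t len) {
    if (addr + len < addr) return 0;             /* reject integer wrap */
    return addr + len <= MM_USER_PROBE_ADDR;
}

int ioctl_800020A8_hardened(const pstrip_req *req, uint32_t in_len) {
    if (in_len < sizeof *req) return STATUS_ACCESS_VIOLATION;   /* a real driver: STATUS_BUFFER_TOO_SMALL */
    if (req->flag_a && !probe_for_write(req->addr_a, 8)) return STATUS_ACCESS_VIOLATION;
    if (req->flag_b && !probe_for_write(req->addr_b, 8)) return STATUS_ACCESS_VIOLATION;
    overwrite(req->flag_a, req->addr_a);
    overwrite(req->flag_b, req->addr_b);
    return STATUS_SUCCESS;
}

/* Scenario 1: a request naming a kernel address; the vulnerable handler zeroes it. */
int scenario_vulnerable_zeroes_kernel(void) {
    reset_memory();
    pstrip_req req = { .flag_b = 0, .flag_a = 1, .addr_a = KERNEL_TARGET, .addr_b = 0 };
    return ioctl_800020A8_vulnerable(&req) == 1 && is_zeroed(KERNEL_TARGET);
}

/* Scenario 2: the same request to the hardened handler is rejected and memory is untouched. */
int scenario_hardened_rejects_kernel(void) {
    reset_memory();
    pstrip_req req = { .flag_b = 0, .flag_a = 1, .addr_a = KERNEL_TARGET, .addr_b = 0 };
    return ioctl_800020A8_hardened(&req, sizeof req) == STATUS_ACCESS_VIOLATION && !is_zeroed(KERNEL_TARGET);
}

/* Scenario 3: two user-range targets, one ending exactly at the probe limit, still go through. */
int scenario_hardened_allows_user(void) {
    reset_memory();
    pstrip_req req = { .flag_b = 1, .flag_a = 1, .addr_a = 0x0100, .addr_b = MM_USER_PROBE_ADDR - 8 };
    return ioctl_800020A8_hardened(&req, sizeof req) == STATUS_SUCCESS
        && is_zeroed(0x0100) && is_zeroed(MM_USER_PROBE_ADDR - 8);
}

int main(void) {
    ioctl_fields f = decode_ioctl(0x800020A8);
    printf("0x800020A8: type=0x%X function=0x%X method=%u access=%u\n",
           (unsigned)f.device_type, (unsigned)f.function, (unsigned)f.method, (unsigned)f.access);
    printf("vulnerable zeroes kernel: %d\nhardened rejects kernel: %d\nhardened allows user: %d\n",
           scenario_vulnerable_zeroes_kernel(), scenario_hardened_rejects_kernel(), scenario_hardened_allows_user());
    return 0;
}
```

In a real driver the equivalent of probe_for_write() is ProbeForWrite() inside a __try/__except block (it raises rather than returns on a kernel address), and for a driver that has no legitimate reason to take raw pointers from user mode, the right fix is to remove the IOCTL or at least restrict who can open the device object rather than to keep the write primitive behind a check.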
Copyright © 2008-2009 NT Internals. All rights reserved.