Advisory NTIADV0813
Microsoft LiveKd (LiveKdd.sys) Privilege Escalation Vulnerability
Vendor: Microsoft Corporation
Affected Software: Sysinternals LiveKd <= 3.0
Affected Driver: LiveKd file system filter - LiveKdd.sys <= 3.0.0.0
Date Reported: 2008-12-23
Release Date: 2010-07-31
Status: Fixed - LiveKd v4.0
Exploit: LiveKdd_Exp.zip - Local Privilege Escalation Exploit (unavailable)
Disclosure Timeline
2008-12-23 - Vulnerability reported to vendor
2009-01-10 - Vendor response
2009-01-22 - Vendor provides status update
2009-02-10 - Vendor provides status update
2009-05-22 - Vendor provides status update
2009-07-13 - Vendor provides status update
2009-08-11 - Vendor provides status update
2009-10-01 - Vendor releases update - v3.1
2010-03-03 - Vendor releases update - v3.14
2010-04-28 - Vendor releases update - v4.0
2010-07-31 - Full technical details released to general public
Description
By passing a specially crafted Irp structure to the affected IOCTL (0x23450000) handler, an attacker can cause the driver to execute arbitrary code: the handler reads function pointers from the user-supplied input buffer and invokes them directly via a CALL instruction. In order to exploit this vulnerability, an Administrator must first launch the LiveKd application, which loads the LiveKdd.sys driver into the kernel. Once loaded, the vulnerable kernel module is accessible to all users and remains loaded until the system is rebooted.
Details
...
.text:80000B78                 mov     edi, [ebx+1Ch]                 ; InputBuffer[7] == CallRing0
.text:80000B7B                 mov     eax, [ebx+20h]                 ; InputBuffer[8] == CallRing0
.text:80000B7E                 mov     [ebp+Call], eax
.text:80000B81                 mov     eax, ds:_KeNumberProcessors
.text:80000B86                 mov     al, [eax]
.text:80000B88                 mov     [ebp+NumberProcessors], al
...
.text:80000BBF                 lea     esi, [eax+1Ch]                 ; InputBuffer[7]
.text:80000BC2                 push    esi
.text:80000BC3                 call    edi                            ; CallRing0
.text:80000BC5                 push    esi
.text:80000BC6                 call    [ebp+Call]                     ; CallRing0
...
.text:80000BEB                 lea     eax, [ebx+28h]                 ; InputBuffer[10]
.text:80000BEE                 push    eax
.text:80000BEF                 call    edi
.text:80000BF1                 mov     eax, cr3
.text:80000BF4                 mov     _DirectoryTableBase, eax
.text:80000BF9                 mov     eax, _DirectoryTableBase
.text:80000BFE                 mov     [ebx+24h], eax                 ; OutputBuffer[9] <- cr3
...
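As an added example (not part of this advisory or of the Sysinternals code), a user-mode C model of how a request with the same buffer layout can be dispatched safely: the caller selects an operation by index into a kernel-owned table instead of supplying a CALL target, the request is length-checked, and access is gated. Only the IOCTL code and the slot offsets come from the listing above; the operation table, the opcode convention, the `caller_is_admin` flag and the CR3 value are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* IOCTL code and buffer layout from the advisory's disassembly:
 * dword 7 and dword 8 hold the two function pointers the vulnerable
 * handler CALLs, dword 9 receives CR3, dword 10 starts the argument block. */
#define IOCTL_LIVEKD_CALL   0x23450000u
#define LIVEKD_SLOT_CALL    7
#define LIVEKD_SLOT_CR3     9
#define LIVEKD_SLOT_ARGS    10
#define LIVEKD_MIN_DWORDS   11

typedef enum {
    LK_OK = 0, LK_BAD_IOCTL, LK_NOT_PRIVILEGED, LK_BUFFER_TOO_SMALL, LK_BAD_OPCODE
} lk_status;

/* Hypothetical kernel-owned operation table. A caller selects an entry by
 * index; it can never supply a code address of its own. */
typedef uint32_t (*lk_op_fn)(const uint32_t *args);
static uint32_t op_read_dtb(const uint32_t *args)  { (void)args; return 0x00185000u; } /* constructed CR3 */
static uint32_t op_cpu_count(const uint32_t *args) { (void)args; return 4u; }          /* constructed count */
static const lk_op_fn lk_ops[] = { op_read_dtb, op_cpu_count };
#define LK_OP_COUNT (sizeof lk_ops / sizeof lk_ops[0])

/* Hardened dispatch for the same request shape. In a real driver the
 * caller_is_admin decision belongs to the device object's DACL at open
 * time; it is modelled as a flag here so the logic can run in user mode. */
lk_status lk_dispatch(uint32_t ioctl, uint32_t *buf, size_t in_len,
                      bool caller_is_admin, uint32_t *result)
{
    if (ioctl != IOCTL_LIVEKD_CALL)
        return LK_BAD_IOCTL;
    if (!caller_is_admin)                       /* the driver outlives LiveKd, so gate every request */
        return LK_NOT_PRIVILEGED;
    if (buf == NULL || result == NULL || in_len < LIVEKD_MIN_DWORDS * sizeof(uint32_t))
        return LK_BUFFER_TOO_SMALL;             /* reject undersized requests before touching any slot */
    uint32_t opcode = buf[LIVEKD_SLOT_CALL];    /* the slot the original used as a raw CALL target */
    if (opcode >= LK_OP_COUNT)                  /* any pointer-like value lands here and is refused */
        return LK_BAD_OPCODE;
    *result = lk_ops[opcode](&buf[LIVEKD_SLOT_ARGS]);
    buf[LIVEKD_SLOT_CR3] = *result;             /* same output slot the original wrote CR3 into */
    return LK_OK;
}
```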
Copyright © 2008-2010 NT Internals. All rights reserved.