Advisory NTIADV0901
ESET Smart Security & ESET NOD32 Antivirus (eamon.sys) Multiple Vulnerabilities
Vendor: ESET, spol. s r.o.
Affected Software: ESET Smart Security < 4.0.467
ESET NOD32 Antivirus < 4.0.467
Affected Driver: Amon monitor - eamon.sys < 4.0.467
Date Reported: 2009-03-12
Release Date: 2009-09-29
Status: Fixed - ESET NOD32 Antivirus 4 Version: 4.0.467 - ESET Smart Security 4 Version: 4.0.467
Exploit: Eamon_Exp.zip - Local Privilege Escalation Exploit
Disclosure Timeline:
2009-03-12 - Vulnerability reported to vendor
2009-03-15 - Vendor response
2009-05-23 - Status update request
2009-05-25 - Vendor response
2009-06-02 - Vulnerability reported to vendor a second time
2009-06-03 - Vendor asked for more details
2009-06-04 - Detailed information sent to vendor
2009-09-23 - Update released by the vendor
2009-09-29 - Full technical details released to general public
Description
ESET products are prone to local privilege escalation vulnerabilities that occur in the eamon.sys driver.
Details
The vulnerabilities are caused by the IOCTL handler of the eamon.sys driver improperly validating user-space parameters. This can be exploited to overwrite an arbitrary address and execute arbitrary code in kernel space via specially crafted IOCTLs. The limiting factor is that only an Administrator can obtain a handle to the Eamon device.

		...
		.text:00016523 @@ioctl_0x88770030:
		.text:00016523                 cmp     dword ptr [ebp+14h], 4         ; InputBufferLength
		.text:00016527                 jb      short @@invalid_device_request
		.text:00016529                 mov     eax, [ebp+10h]                 ; SystemBuffer
		.text:0001652C                 mov     eax, [eax]                     ; eax <- InputBuffer[0]
		.text:0001652E                 mov     [ebp-4], ebx
		.text:00016531                 mov     edi, [eax]                     ; edi <- [0xXXXXXXXX], user-supplied pointer dereferenced
		.text:00016533                 mov     edx, 'FNEX'
		.text:00016538                 cmp     edi, edx
		.text:0001653A                 jnz     short @@set_output_buffer
		.text:0001653C                 mov     ecx, [eax+4]                   ; !!!
		.text:0001653F                 lea     ebx, [ecx+ecx+2]
		.text:00016543                 cmp     ebx, [ebp+1Ch]
		.text:00016546                 ja      short @@clear_ebx
		.text:00016548                 cmp     ecx, 80E8h
		.text:0001654E                 ja      short @@clear_ebx
		.text:00016550                 mov     ecx, [eax+8]                   ; !!!
		.text:00016553                 mov     edx, [ebp+18h]
		.text:00016556
		.text:00016556 @@loop:
		.text:00016556                 movzx   eax, word ptr [ecx]            ; !!!
		.text:00016559                 mov     [edx], ax
		.text:0001655C                 inc     ecx
		.text:0001655D                 inc     ecx
		.text:0001655E                 inc     edx
		.text:0001655F                 inc     edx
		.text:00016560                 test    ax, ax
		.text:00016563                 jnz     short @@loop
		...
		
		...
		.text:00016642 @@ioctl_0x88770048:
		.text:00016642                 mov     esi, [ebp+10h]                 ; SystemBuffer
		.text:00016645                 cmp     esi, ebx
		.text:00016647                 jz      short @@set_var
		.text:00016649                 cmp     dword ptr [ebp+14h], 0Ch       ; InputBufferLength
		.text:0001664D                 jb      short @@set_var
		.text:0001664F                 call    ds:PsGetCurrentThreadId
		.text:00016655                 mov     ecx, [esi+8]                   ; SystemBuffer[2]
		.text:00016658                 mov     data_section[ecx*4], eax
		.text:0001665F                 jmp     short @@end
		...
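The following C program is an added illustration for this advisory; it is not ESET's code and not part of the published exploit. It models the two IOCTL paths from the listings above as a user-mode program and adds the checks the listings lack: probing the pointer embedded at SystemBuffer[0] and the source pointer it leads to before dereferencing them, honouring the validated length in the copy loop, and bounding the index taken from SystemBuffer[2] before it is used to store the thread id. The IOCTL codes, the 'FNEX' magic and the 0x80E8 bound come from the listings; the `data_section` size of 64 slots, the status enum, the request structure layout and the `set_user_range`/`probe_for_read` stand-in for ProbeForRead are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-mode model of the two eamon.sys IOCTL paths in the advisory
 * (not ESET's code). ProbeForRead is stood in for by an explicit "user address
 * range" so the program builds and runs with any C compiler. */

#define IOCTL_EAMON_FNEX    0x88770030u
#define IOCTL_EAMON_SETVAR  0x88770048u
#define FNEX_MAGIC          0x58454E46u  /* 'FNEX' as a little-endian dword */
#define FNEX_MAX_CHARS      0x80E8u      /* the bound the original does check */
#define DATA_SLOTS          64u          /* assumed size of data_section[]    */

typedef enum { ST_OK = 0, ST_INVALID_PARAMETER, ST_BUFFER_TOO_SMALL } status_t;

/* Structure the driver reads THROUGH the pointer stored at SystemBuffer[0].
 * METHOD_BUFFERED copies only the top-level buffer into SystemBuffer; whatever
 * an embedded pointer reaches is a raw address the driver itself must validate. */
struct fnex_request {
    uint32_t        magic;   /* [eax]   */
    uint32_t        length;  /* [eax+4] wide characters at *source */
    const uint16_t *source;  /* [eax+8] */
};

uint32_t data_section[DATA_SLOTS];

/* Stand-in for ProbeForRead: only [lo, lo+len) counts as user memory, so a
 * pointer aimed anywhere else (e.g. kernel space) is rejected. */
static const uint8_t *g_user_lo, *g_user_hi;
void set_user_range(const void *lo, size_t len) {
    g_user_lo = (const uint8_t *)lo;
    g_user_hi = g_user_lo + len;
}
static bool probe_for_read(const void *p, size_t len) {
    const uint8_t *b = (const uint8_t *)p;
    return b != NULL && b >= g_user_lo && len <= (size_t)(g_user_hi - b);
}

status_t handle_ioctl(uint32_t code, const void *sysbuf, size_t inlen,
                      uint16_t *out, size_t outlen, uint32_t thread_id)
{
    if (code == IOCTL_EAMON_FNEX) {
        const struct fnex_request *req;
        struct fnex_request copy;
        size_t i;
        if (sysbuf == NULL || out == NULL || inlen < sizeof(req))
            return ST_INVALID_PARAMETER;
        memcpy(&req, sysbuf, sizeof(req));            /* SystemBuffer[0] */
        /* Absent in the original: the embedded pointer is used unprobed. */
        if (!probe_for_read(req, sizeof(*req)))
            return ST_INVALID_PARAMETER;
        copy = *req;                  /* snapshot, so the checks and the use agree */
        if (copy.magic != FNEX_MAGIC)
            return ST_INVALID_PARAMETER;
        if (copy.length > FNEX_MAX_CHARS || (copy.length + 1) * 2 > outlen)
            return ST_BUFFER_TOO_SMALL;
        /* Absent in the original: source is unprobed, and the copy loop runs
         * to the first NUL regardless of the length just validated. */
        if (!probe_for_read(copy.source, (copy.length + 1) * 2))
            return ST_INVALID_PARAMETER;
        for (i = 0; i < copy.length && copy.source[i] != 0; i++)
            out[i] = copy.source[i];
        out[i] = 0;
        return ST_OK;
    }
    if (code == IOCTL_EAMON_SETVAR) {
        uint32_t words[3];
        if (sysbuf == NULL || inlen < sizeof(words))
            return ST_INVALID_PARAMETER;
        memcpy(words, sysbuf, sizeof(words));
        /* Absent in the original: SystemBuffer[2] indexes data_section[]
         * unbounded, which is the arbitrary kernel write the advisory names. */
        if (words[2] >= DATA_SLOTS)
            return ST_INVALID_PARAMETER;
        data_section[words[2]] = thread_id;            /* PsGetCurrentThreadId() */
        return ST_OK;
    }
    return ST_INVALID_PARAMETER;
}

/* Constructed exercise: a valid request, a request pointer outside the user
 * range, and an in-range vs. out-of-range index. Returns 1 when all hold. */
int demo(void)
{
    static struct { struct fnex_request req; uint16_t str[4]; } user;
    static struct fnex_request outside;     /* stands in for a kernel address */
    const struct fnex_request *ptr_in_buf;
    uint16_t out[8];
    uint32_t ok_idx[3] = { 0, 0, 3 }, bad_idx[3] = { 0, 0, 0x10000000u };

    set_user_range(&user, sizeof(user));
    user.str[0] = 'h'; user.str[1] = 'i'; user.str[2] = 0;
    user.req.magic = FNEX_MAGIC; user.req.length = 2; user.req.source = user.str;

    ptr_in_buf = &user.req;
    if (handle_ioctl(IOCTL_EAMON_FNEX, &ptr_in_buf, sizeof ptr_in_buf, out, sizeof out, 0) != ST_OK
        || out[0] != 'h' || out[1] != 'i' || out[2] != 0) return 0;
    ptr_in_buf = &outside;
    if (handle_ioctl(IOCTL_EAMON_FNEX, &ptr_in_buf, sizeof ptr_in_buf, out, sizeof out, 0) != ST_INVALID_PARAMETER) return 0;
    if (handle_ioctl(IOCTL_EAMON_SETVAR, ok_idx, sizeof ok_idx, NULL, 0, 0x1234) != ST_OK || data_section[3] != 0x1234) return 0;
    if (handle_ioctl(IOCTL_EAMON_SETVAR, bad_idx, sizeof bad_idx, NULL, 0, 0x1234) != ST_INVALID_PARAMETER) return 0;
    return 1;
}

int main(void) { printf("%s\n", demo() ? "all checks hold" : "FAILED"); return demo() ? 0 : 1; }
```

In a real driver the probe is `ProbeForRead` inside a `__try`/`__except` block and the snapshot copy matters because user memory can change between the check and the use; the index bound on `words[2]` is the single check that turns the unbounded store in the second listing back into a write confined to the driver's own table.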
Copyright © 2008-2009 NT Internals. All rights reserved.