| Advisory | NTIADV0903 |
| Title | Radix Antirootkit Multiple Privilege Escalation Vulnerabilities |
| Vendor | Usec.at |
| Affected Software | Radix Antirootkit < 1.0.0.9 |
| Affected Driver | SDTHLPR.sys |
| Date Reported | 2009-05-20 |
| Release Date | 2009-08-21 |
| Status | Partially fixed; Radix 1.0.0.9 released (radix_installer.zip) |
| Exploit | SdtHelper_Exp - Local Privilege Escalation Exploit |
| Disclosure Timeline | 2009-05-20 - Vulnerability reported to vendor |
| | 2009-05-21 - Vendor response |
| | 2009-08-21 - Full technical details released to general public |
| Description | |
| Radix Antirootkit is prone to local privilege escalation vulnerabilities that occur in the SDTHLPR.sys driver. | |
| Details | |
| The vulnerability is caused by the IOCTL handler of the SDTHLPR.sys driver improperly validating parameters supplied from user space. Specifically, the driver allows untrusted user-mode code to pass kernel addresses as arguments: in the listing below, the handler for IOCTL 0x2240C0 calls the first DWORD of the input buffer as a function pointer, passing the second DWORD as its argument. This can be exploited to overwrite an arbitrary address and execute arbitrary code in kernel space via specially crafted IOCTLs. | |
| Update | |
In the latest version (1.0.0.9), restrictions were implemented so that only administrator users have access to the device object.
...
.text:00010B96 sub eax, 2240B8h
.text:00010B9B jz short @@ioctl_2240B8
.text:00010B9D sub eax, 4
.text:00010BA0 jz short @@ioctl_2240BC
.text:00010BA2 sub eax, 4
.text:00010BA5 jnz @@invalid_parameter ; IOCTL 2240C0
.text:00010BAB push 0
.text:00010BAD push dword ptr [edi+4] ; InputBuffer[1]
.text:00010BB0 call dword ptr [edi] ; call InputBuffer[0]
.text:00010BB2 jmp @@set_status
...
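The pattern described in the Details section and shown in the listing above, modelled in user-mode C as an added example (this is not the vendor's driver code and not the exploit named in this advisory): `vulnerable_dispatch` reproduces what the listing does with InputBuffer[0] and InputBuffer[1], and `hardened_dispatch` shows the controls a driver author would apply instead, namely an administrator-only device object, an opcode table owned by the driver rather than an address supplied by the caller, and length and range validation before any use of the request. The IOCTL code 0x2240C0 comes from the listing; the request layouts, the opcode table, the `caller_is_admin` flag, the length check in the vulnerable model and all function names are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* NTSTATUS values taken from ntstatus.h; everything else in this file is a
   user-mode model written for this advisory, not the vendor's driver code. */
typedef uint32_t NTSTATUS;
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_PARAMETER      0xC000000Du
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_ACCESS_DENIED          0xC0000022u
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u

/* IOCTL code from the advisory's listing (the jnz at .text:00010BA5). */
#define IOCTL_SDTHLPR_2240C0 0x2240C0u

/* ---- Vulnerable pattern, mirroring .text:00010BAB-00010BB0 ----
   The driver pushes 0, pushes InputBuffer[1] and calls InputBuffer[0], so the
   caller chooses the code address and its first argument. */
typedef void (*entry_fn)(uintptr_t arg, uintptr_t flags);

struct raw_input {
    uintptr_t slot0;   /* InputBuffer[0]: used as a code address */
    uintptr_t slot1;   /* InputBuffer[1]: passed as the first argument */
};

static NTSTATUS vulnerable_dispatch(uint32_t code, const void *in, size_t in_len)
{
    if (code != IOCTL_SDTHLPR_2240C0)
        return STATUS_INVALID_PARAMETER;         /* the listing's @@invalid_parameter */
    if (in == NULL || in_len < sizeof(struct raw_input))
        return STATUS_BUFFER_TOO_SMALL;          /* this model's own length check */
    const struct raw_input *buf = in;
    ((entry_fn)buf->slot0)(buf->slot1, 0);       /* the bug: a caller-chosen target */
    return STATUS_SUCCESS;
}

/* ---- Hardened pattern (this example's design, not the vendor's fix) ----
   1. Only administrators can reach the device object (in a real driver this is
      done by creating it with a restrictive SDDL string via IoCreateDeviceSecure;
      here it is modelled as the caller_is_admin flag).
   2. The request carries an opcode, never an address; the driver owns the table
      of routines it is willing to run.
   3. Buffer length and opcode range are validated before anything is used. */
enum sdt_op { SDT_OP_QUERY = 0, SDT_OP_COUNT };

static uintptr_t g_last_query_arg;
static void op_query(uintptr_t arg) { g_last_query_arg = arg; }   /* stand-in routine */

static void (*const op_table[SDT_OP_COUNT])(uintptr_t) = { op_query };

struct hardened_request {
    uint32_t  op;        /* index into op_table */
    uint32_t  reserved;
    uintptr_t arg;       /* treated as a plain value, never dereferenced */
};

static NTSTATUS hardened_dispatch(bool caller_is_admin, uint32_t code,
                                  const void *in, size_t in_len)
{
    if (!caller_is_admin)
        return STATUS_ACCESS_DENIED;
    if (code != IOCTL_SDTHLPR_2240C0)
        return STATUS_INVALID_DEVICE_REQUEST;
    if (in == NULL || in_len < sizeof(struct hardened_request))
        return STATUS_BUFFER_TOO_SMALL;
    const struct hardened_request *req = in;
    if (req->op >= SDT_OP_COUNT)
        return STATUS_INVALID_PARAMETER;         /* unknown opcode: refuse, never guess */
    op_table[req->op](req->arg);
    return STATUS_SUCCESS;
}

uintptr_t last_query_arg(void) { return g_last_query_arg; }

/* Benign sink used only to show that the vulnerable path transfers control
   to whatever address the input buffer holds. */
static uintptr_t g_sink_arg;
static void benign_sink(uintptr_t arg, uintptr_t flags) { (void)flags; g_sink_arg = arg; }
uintptr_t last_sink_arg(void) { return g_sink_arg; }

int main(void)
{
    struct raw_input raw = { (uintptr_t)benign_sink, 0x1234 };
    printf("vulnerable: status 0x%08x, sink received 0x%lx\n",
           vulnerable_dispatch(IOCTL_SDTHLPR_2240C0, &raw, sizeof raw),
           (unsigned long)last_sink_arg());

    struct hardened_request req = { SDT_OP_QUERY, 0, 0x1234 };
    printf("hardened (non-admin): 0x%08x\n",
           hardened_dispatch(false, IOCTL_SDTHLPR_2240C0, &req, sizeof req));
    req.op = 7;
    printf("hardened (bad opcode): 0x%08x\n",
           hardened_dispatch(true, IOCTL_SDTHLPR_2240C0, &req, sizeof req));
    return 0;
}
```

The admin-only check alone, which is what the 1.0.0.9 update adds, only narrows who can reach the handler; the handler itself still executes a caller-supplied address, which is why the status above reads "partially fixed". The opcode table is the change that removes the primitive.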