Advisory NTIADV0905
Panda (RKPavProc.sys) Local Kernel Stack Corruption

Vendor:            Panda Security, S.L.
Affected Software: Panda Global Protection 2010 < 3.00.00
                   Panda Internet Security 2010 < 15.00.00
                   Panda Antivirus Pro 2010 < 09.00.00
                   Panda Antivirus for Netbooks < 09.00.00
                   Panda Cloud Antivirus < Beta 3
                   Panda Anti-Rootkit
Affected Driver:   Anti-malware Driver Support - RKPavProc.sys < 1.0.10.0
Date Reported:     2009-09-02
Release Date:      2010-07-06
Status:            Fixed - Security vulnerability affecting parameter checks
Exploit:           RKPavProc_Exp.zip - Local Privilege Escalation Exploit (unavailable)

Disclosure Timeline:
    2009-09-02 - Vulnerability reported to vendor
    2009-09-29 - Vendor notified a second time
    2009-09-29 - Vendor response
    2009-10-03 - Vendor confirmed the vulnerability
    2010-06-27 - Status update request
    2010-06-27 - Vendor response
    2010-07-01 - Update released by the vendor
    2010-07-06 - Full technical details released to general public
Description
The kernel driver RKPavProc.sys shipped with Panda contains a vulnerability in the code that handles the IOCTL requests 0x1FA50004 and 0x1FA50010. Once loaded, the vulnerable kernel module is accessible to all users and remains loaded until the system is rebooted.
Details
The driver exposes functionality that allows any process object to be referenced (1.0.5.0) or a NULL pointer to be dereferenced (1.0.8.0) by supplying a specially crafted Irp to the IOCTL handler. The second vulnerability is caused by improper validation of the input buffer length in the RKPavProc.sys device driver: the handler only checks that the length is non-zero before copying the input buffer into a fixed-size local buffer on the kernel stack. This can be exploited to overwrite the kernel stack and execute arbitrary code with elevated privileges.

Anti-malware Driver Support - RKPavProc.sys == 1.0.5.0

		...
		.text:00010D66 @@ioctl_reference_process:
		.text:00010D66    cmp     ecx, edi				; InputBufferLength == 0x04 ??
		.text:00010D68    jnz     @@invalid_parameter
		.text:00010D6E    cmp     esi, edi				; OutputBufferLength == 0x04 ??
		.text:00010D70    jnz     @@invalid_parameter
		.text:00010D76    mov     eax, [ebx+0Ch]			; InputBuffer
		.text:00010D79    push    eax
		.text:00010D7A    push    dword ptr [eax]			; ProcessId <- InputBuffer[0]
		.text:00010D7C    call    LookupProcessByProcessId
		.text:00010D81    mov     [ebp+Status], eax
		.text:00010D84    mov     [ebx+1Ch], edi			; IoStatus->Information = 0x04
		.text:00010D87    jmp     @@complete_request
		...
		.text:00011196 LookupProcessByProcessId proc near
		.text:00011196    push    ebp
		.text:00011197    mov     ebp, esp
		.text:00011199    pop     ebp
		.text:0001119A    jmp     ds:PsLookupProcessByProcessId
		.text:0001119A LookupProcessByProcessId endp

		...
		.text:00010DD2 @@ioctl_stack_overflow:
		.text:00010DD2    cmp     ecx, edx				; InputBufferLength == 0 ??
		.text:00010DD4    jz      short @@invalid_parameter
		.text:00010DD6    cmp     esi, edx				; OutputBufferLength == 0 ??
		.text:00010DD8    jz      short @@invalid_parameter
		.text:00010DDA    mov     esi, [ebx+0Ch]			; InputBuffer
		.text:00010DDD    mov     eax, ecx
		.text:00010DDF    shr     ecx, 2
		.text:00010DE2    lea     edi, [ebp+LocalBuffer]
		.text:00010DE5    rep movsd
		...

Anti-malware Driver Support - RKPavProc.sys <= 1.0.9.0

		...
		.text:0001068B @@ioctl_dereference_null_object:
		.text:0001068B    cmp     ecx, edx				; InputBufferLength == 0x04 ??
		.text:0001068D    jnz     @@set_information
		.text:00010693    mov     eax, [esi+0Ch]			; SystemBuffer
		.text:00010696    push    eax
		.text:00010697    push    dword ptr [eax]			; ProcessId <- InputBuffer[0]
		.text:00010699    call    DereferenceNullObject
		.text:0001069E    jmp     short @@set_status
		...
		.text:00010AC0 DereferenceNullObject proc near
		.text:00010AC0
		.text:00010AC0 ProcessId = dword ptr 8
		.text:00010AC0 ProcessObject = dword ptr 0Ch
		.text:00010AC0
		.text:00010AC0    mov     edi, edi
		.text:00010AC2    push    ebp
		.text:00010AC3    mov     ebp, esp
		.text:00010AC5    push    esi
		.text:00010AC6    push    [ebp+ProcessObject]
		.text:00010AC9    push    [ebp+ProcessId]
		.text:00010ACC    call    ds:PsLookupProcessByProcessId
		.text:00010AD2    mov     ecx, [ebp+ProcessObject]
		.text:00010AD5    mov     esi, eax
		.text:00010AD7    call    ds:ObfDereferenceObject
		.text:00010ADD    mov     eax, esi
		.text:00010ADF    pop     esi
		.text:00010AE0    pop     ebp
		.text:00010AE1    retn    8
		.text:00010AE1 DereferenceNullObject endp

		...
		.text:000106D8 @@ioctl_stack_overflow:
		.text:000106D8    test    ecx, ecx
		.text:000106DA    jz      short @@set_information
		.text:000106DC    push    ecx					; InputBufferLength
		.text:000106DD    push    dword ptr [esi+0Ch]			; InputBuffer
		.text:000106E0    lea     eax, [ebp+LocalBuffer]
		.text:000106E3    push    eax					; Destination
		.text:000106E4    call    memcpy
		...
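The following is an added example, not code from the advisory or from Panda's driver. It is a user-mode C model of the check that the @@ioctl_stack_overflow paths above are missing: the listing tests only InputBufferLength != 0 (or == 0 in 1.0.5.0) before rep movsd / memcpy into LocalBuffer, never comparing the length with the size of the destination. The buffer size, struct layout and function names are assumptions for the illustration; the NTSTATUS values are the documented Windows constants. The model shows the 1.0.9.0 check accepting an oversized request next to a hardened handler that rejects it with STATUS_INVALID_BUFFER_SIZE and leaves the saved return address untouched.

```c
/* Added example: user-mode model of METHOD_BUFFERED IOCTL input-length
 * validation. Not the driver's source; sizes and names are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Documented NTSTATUS values. */
#define STATUS_SUCCESS             0x00000000u
#define STATUS_INVALID_PARAMETER   0xC000000Du
#define STATUS_INVALID_BUFFER_SIZE 0xC0000206u

/* Assumed size of LocalBuffer; the listing does not reveal the real one. */
#define LOCAL_BUFFER_SIZE 64u

/* The fields the handler reads from the IRP stack location (constructed model):
 * SystemBuffer ([ebx+0Ch] / [esi+0Ch]) and the two lengths (ecx, esi/edx). */
typedef struct {
    const uint8_t *system_buffer;
    uint32_t input_length;
    uint32_t output_length;
} ioctl_request;

/* Model of the handler's x86 stack frame: the fixed LocalBuffer sits below
 * the saved frame pointer and return address, so an over-long copy reaches them. */
typedef struct {
    uint8_t  local_buffer[LOCAL_BUFFER_SIZE];
    uint32_t saved_ebp;
    uint32_t return_address;
} stack_frame;

/* The only check the 1.0.9.0 @@ioctl_stack_overflow path performs before
 * memcpy(LocalBuffer, InputBuffer, InputBufferLength): length != 0.
 * Returns 1 when such a request would reach the copy. */
int vulnerable_check_accepts(uint32_t input_length) {
    return input_length != 0;
}

/* Damage metric: how many bytes beyond LocalBuffer that copy would write. */
uint32_t bytes_past_buffer(uint32_t input_length) {
    return input_length > LOCAL_BUFFER_SIZE ? input_length - LOCAL_BUFFER_SIZE : 0;
}

/* Hardened handler: validate both the pointer and the length against the
 * destination size before touching the stack buffer. */
uint32_t hardened_handler(const ioctl_request *req, stack_frame *frame,
                          uint32_t *information) {
    *information = 0;
    if (req->system_buffer == NULL || req->input_length == 0)
        return STATUS_INVALID_PARAMETER;
    if (req->input_length > LOCAL_BUFFER_SIZE)
        return STATUS_INVALID_BUFFER_SIZE;  /* reject instead of overflowing */
    memcpy(frame->local_buffer, req->system_buffer, req->input_length);
    *information = req->input_length;       /* IoStatus->Information */
    return STATUS_SUCCESS;
}

/* Drive the hardened handler with a constructed request of the given length
 * (at most 256 bytes of 0x41 filler) and return its status. */
uint32_t hardened_status_for_length(uint32_t length) {
    uint8_t input[256];
    memset(input, 0x41, sizeof input);
    ioctl_request req = { input, length > sizeof input ? (uint32_t)sizeof input : length, 4 };
    stack_frame frame = { {0}, 0xBBBBBBBBu, 0xCCCCCCCCu };
    uint32_t info = 0;
    uint32_t status = hardened_handler(&req, &frame, &info);
    /* The saved return address must survive every accepted or rejected request. */
    return frame.return_address == 0xCCCCCCCCu ? status : STATUS_INVALID_PARAMETER;
}

int main(void) {
    uint32_t len = 256;
    printf("1.0.9.0 check accepts %u-byte input: %d (%u bytes past LocalBuffer)\n",
           len, vulnerable_check_accepts(len), bytes_past_buffer(len));
    printf("hardened handler, %u bytes: status 0x%08X\n", len, hardened_status_for_length(len));
    printf("hardened handler, 4 bytes:   status 0x%08X\n", hardened_status_for_length(4));
    return 0;
}
```

The same shape of check applies to the 1.0.5.0 path, where the count passed to rep movsd is InputBufferLength / 4 with no upper bound; a driver must compare the caller-supplied length with the destination it was sized for, not merely with zero.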

Copyright © 2008-2010 NT Internals. All rights reserved.