| Advisory NTIADV1001 | |
| --- | --- |
| RISING Antivirus 2010 Privilege Escalation Vulnerability | |
| Vendor | Beijing Rising International Software Co., Ltd. |
| Affected Software | RISING Antivirus 2010 < 22.0.3.54 |
| Affected Driver | RsAssist.sys < 1.0.0.4 |
| Date Reported | 2010-01-28 |
| Release Date | 2010-04-22 |
| Status | Fixed - RISING Antivirus 2010 22.0.3.54 |
| Exploit | RsAssist_Exp.zip - Local Privilege Escalation Exploit (unavailable) |
Disclosure Timeline

- 2010-01-28 - Vulnerability reported to vendor
- 2010-01-29 - Vendor response
- 2010-01-29 - Detailed information sent to vendor
- 2010-01-29 - Vendor response
- 2010-01-30 - Vendor released first incomplete update
- 2010-01-30 - Additional information sent to vendor
- 2010-01-30 - Vendor response
- 2010-01-30 - Second additional information sent to vendor
- 2010-02-07 - Vendor released fixed version
- 2010-04-22 - Full technical details released to general public
Description

The kernel module RsAssist.sys shipped with RISING Antivirus 2010 contains vulnerabilities in the code that handles IOCTL requests. Local exploitation of these vulnerabilities allows an attacker to execute arbitrary code in kernel context. Any user can obtain a handle to the unprotected device "\\Device\\RsAssist" and reach the vulnerable function that handles IOCTL requests.
```asm
.text:0001065C ; int __stdcall DeviceDispatch(int DeviceObject, PIRP Irp)
.text:0001065C DeviceDispatch proc near
.text:0001065C
.text:0001065C ProcessId = dword ptr -0Ch
.text:0001065C ObjectHandle = dword ptr -8
.text:0001065C NtStatus = dword ptr -4
.text:0001065C DeviceObject = dword ptr 8
.text:0001065C Irp = dword ptr 0Ch
.text:0001065C
.text:0001065C push ebp
.text:0001065D mov ebp, esp
.text:0001065F sub esp, 0Ch
.text:00010662 push ebx
.text:00010663 push esi
.text:00010664 mov esi, [ebp+Irp] ; Irp
.text:00010667 mov eax, [esi+60h] ; Irp->IoStackLocation
.text:0001066A mov ecx, [eax+10h] ; Type3InputBuffer
.text:0001066D xor ebx, ebx
.text:0001066F mov [esi+1Ch], ebx ; IoStatusBlock->Information = 0
.text:00010672 mov [esi+18h], ebx ; IoStatusBlock->Status = STATUS_SUCCESS
.text:00010675 cmp dword ptr [eax+0Ch], 8400FC03h ; IoControlCode
.text:0001067C push edi
.text:0001067D mov edi, [esi+3Ch] ; UserBuffer
.text:00010680 mov [ebp+NtStatus], ebx
.text:00010683 jnz short __complete_request
.text:00010685 cmp dword ptr [eax+8], 8 ; InputBufferLength
.text:00010689 jnz short __set_status_unsuccessful
.text:0001068B cmp dword ptr [eax+4], 4 ; OutputBufferLength
.text:0001068F jnz short __set_status_unsuccessful
.text:00010691 cmp ecx, ebx
.text:00010693 jz short __set_status_unsuccessful
.text:00010695 cmp edi, ebx
.text:00010697 jz short __set_status_unsuccessful
.text:00010699 mov eax, [ecx] ; eax <- InputBuffer[0]
.text:0001069B mov [ebp+ProcessId], eax
.text:0001069E mov eax, [ecx+4] ; eax <- InputBuffer[1]
.text:000106A1 mov ecx, P
.text:000106A7 mov [ebp+ObjectHandle], eax
.text:000106AA lea eax, [ebp+Irp]
.text:000106AD push eax ; Irp
.text:000106AE lea eax, [ebp+ProcessId]
.text:000106B1 push eax ; Structure
.text:000106B2 mov [ebp+Irp], ebx
.text:000106B5 call GetProcessExitStatus
.text:000106BA test al, al
.text:000106BC jz short __set_status_unsuccessful
.text:000106BE mov eax, [ebp+Irp]
.text:000106C1 mov dword ptr [esi+1Ch], 4 ; IoStatusBlock->Information = 4
.text:000106C8 mov [edi], eax ; UserBuffer[0] <- 1
.text:000106CA jmp short __complete_request
...
```
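The admission checks visible in the disassembly, beside the probing a fixed handler needs, as an added C model written for this advisory rather than taken from the driver. The 0x7FFF0000 user-mode boundary, the struct and function names are assumptions, and the request addresses are constructed; nothing is dereferenced.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the RsAssist 0x8400FC03 dispatch checks, not the
 * driver's code; addresses are 32-bit integers and are never dereferenced. */
#define IOCTL_RSASSIST        0x8400FC03u
#define MM_USER_PROBE_ADDRESS 0x7FFF0000u /* assumed: 32-bit x86, no /3GB */
/* Low two bits of an I/O control code select the buffering method (3 = METHOD_NEITHER). */
static unsigned ioctl_method(uint32_t code) { return code & 3u; }
/* What ProbeForRead/ProbeForWrite enforce: an aligned, non-wrapping range
 * lying entirely below the user-mode boundary. */
static int probe_user_range(uint32_t addr, uint32_t len, uint32_t align) {
    if (len == 0) return 1;
    if (addr % align != 0) return 0;
    if (addr + len < addr) return 0;             /* wraps past 4 GiB */
    return addr + len <= MM_USER_PROBE_ADDRESS;
}

typedef struct {
    uint32_t input_len;   /* Parameters.DeviceIoControl.InputBufferLength  */
    uint32_t output_len;  /* Parameters.DeviceIoControl.OutputBufferLength */
    uint32_t input_ptr;   /* Parameters.DeviceIoControl.Type3InputBuffer   */
    uint32_t output_ptr;  /* Irp->UserBuffer                               */
} ioctl_request;

/* The checks visible in the disassembly: exact lengths, non-NULL pointers.
 * Under METHOD_NEITHER both pointers are raw caller addresses, so a kernel
 * address passes and the later 4-byte store through UserBuffer lands there. */
static int vulnerable_accepts(const ioctl_request *r) {
    return r->input_len == 8 && r->output_len == 4
        && r->input_ptr != 0 && r->output_ptr != 0;
}

/* Hardened form: same checks plus probing of both ranges (in a driver this
 * sits inside __try/__except so a bad address raises instead of crashing). */
static int hardened_accepts(const ioctl_request *r) {
    return vulnerable_accepts(r)
        && probe_user_range(r->input_ptr, 8, 4)
        && probe_user_range(r->output_ptr, 4, 4);
}

int main(void) {   /* constructed requests: user-mode buffers vs. kernel-space output buffer */
    ioctl_request user = { 8, 4, 0x00130000u, 0x00130010u };
    ioctl_request kern = { 8, 4, 0x00130000u, 0x80501000u };
    printf("method=%u user=%d/%d kernel=%d/%d\n", ioctl_method(IOCTL_RSASSIST),
           vulnerable_accepts(&user), hardened_accepts(&user),
           vulnerable_accepts(&kern), hardened_accepts(&kern));
    return 0;
}
```

The printed pair for each request is vulnerable/hardened acceptance; the kernel-space request is accepted by the first and rejected by the second.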