CA Internet Security Suite 2010 – ‘KmxSbx.sys’ Kernel Pool Overflow

  • Author: Nikita Tarakanov
    Date: 2010-11-28
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/15624/
    /*
    # Exploit Title: CA Internet Security Suite 2010 KmxSbx.sys Kernel Pool Overflow 0-day Exploit
    # Date: 2010-11-28
    # Author: Nikita Tarakanov (CISS Research Team)
    # Software Link: http://shop.ca.com/ca/products/internetsecurity/internetsecurity_suite.asp
    # Version: up to date, KmxSbx.sys version 6.2.0.22
    # Tested on: Win XP SP3
    # CVE : CVE-NO-MATCH
    # Status : Unpatched
    */
    
    1. Description:
    
    The KmxSbx.sys kernel driver distributed with CA Security Suite contains a pool corruption vulnerability in the handling of IOCTL 0x88000080. Exploitation of this issue allows an attacker to execute arbitrary code within the kernel.
    An attacker would need local access to a vulnerable computer to exploit this vulnerability.
    
    
    
    Affected application: CA Internet Security Suite 2010.
    Affected file: KmxSbx.sys version 6.2.0.22.
    
    2. Vulnerability details:
    
    
    [..]
    
    .text:00016330 mov     cx, [eax]            ; eax points to attacker controlled data
    .text:00016333 inc     eax
    .text:00016334 inc     eax
    .text:00016335 test    cx, cx
    .text:00016338 jnz     short loc_16330
    .text:0001633A sub     eax, edx
    .text:0001633C sar     eax, 1
    .text:0001633E lea     eax, [eax+eax+50h]   ; size of UNICODE string + 0x50 bytes
    .text:00016342 movzx   edi, ax              ; integer wrap here!
    .text:00016345
    .text:00016345 loc_16345:                   ; CODE XREF: sub_162D8+53j
    .text:00016345 movzx   eax, di
    .text:00016348 push    ebx
    .text:00016349 xor     ebx, ebx
    .text:0001634B cmp     eax, ebx
    .text:0001634D jz      short loc_16359
    .text:0001634F push    eax                  ; NumberOfBytes
    .text:00016350 push    ebx                  ; PoolType
    .text:00016351 call    ds:ExAllocatePool    ; Miscalculated Pool!!!
    .text:00016357 mov     ebx, eax
    
    [..]
    
    .text:000163A6 movzx   esi, word ptr [edx]
    .text:000163A9 mov     [eax+edx], si        ; Pool overflow here!
    .text:000163AD inc     edx
    .text:000163AE inc     edx
    .text:000163AF test    si, si
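
    As an added illustration (not code from the advisory or its exploit archive), this C program models the size arithmetic of the listing above in user mode: the 16-bit truncation at `movzx edi, ax` that hands ExAllocatePool a chunk smaller than the string the later loop copies into it, next to a hypothetical checked computation that rejects such inputs. The function names and the 0x50 header constant read off the `lea` are the only assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HEADER_BYTES 0x50u   /* the +0x50 in "lea eax, [eax+eax+50h]" */

/* Driver's arithmetic: WCHARs counted up to the terminator, doubled, plus 0x50,
 * then "movzx edi, ax" keeps only the low 16 bits before ExAllocatePool. */
uint32_t vuln_alloc_size(size_t wchar_count)
{
    uint32_t full = (uint32_t)(wchar_count * 2u + HEADER_BYTES);
    return full & 0xFFFFu;   /* the truncation that breaks the size */
}

/* Bytes the copy loop at 0x163A6 writes: every WCHAR of the input plus the
 * terminating word, regardless of where inside the chunk the copy starts. */
size_t bytes_copied(size_t wchar_count)
{
    return (wchar_count + 1) * 2u;
}

/* Hypothetical fix: compute in size_t, refuse inputs that overflow, and reject
 * any result that would not survive the 16-bit register the call is fed from. */
bool safe_alloc_size(size_t wchar_count, uint32_t *out)
{
    if (wchar_count > (SIZE_MAX - HEADER_BYTES) / 2u)
        return false;        /* multiply/add would wrap size_t */
    size_t bytes = wchar_count * 2u + HEADER_BYTES;
    if (bytes > 0xFFFFu)
        return false;        /* would be silently truncated to 16 bits */
    *out = (uint32_t)bytes;
    return true;
}

/* Does the vulnerable size leave room for the copy? false == pool overflow. */
bool vuln_copy_fits(size_t wchar_count)
{
    return bytes_copied(wchar_count) <= vuln_alloc_size(wchar_count);
}

int main(void)
{
    uint32_t safe = 0;
    printf("0x8000 WCHARs: alloc=%#x copy=%#zx fits=%d safe=%d\n",
           vuln_alloc_size(0x8000), bytes_copied(0x8000),
           vuln_copy_fits(0x8000), safe_alloc_size(0x8000, &safe));
    return 0;
}
```

A 0x8000-WCHAR input yields 0x10050 bytes, truncated to 0x50, while the copy writes 0x10002 bytes; the checked variant returns false for the same input.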
    
    
    
    
    3. Exploitation:
    
    
    1. To exploit this vulnerability we have to allocate shellcode at some address and craft a fake chunk header that creates a write4 primitive.
    2. To invoke our shellcode we have to set values in Flink and Blink that point to some pointer in kernel space and to the address of our r0 shellcode. When unlinking happens, we overwrite the pointer in kernel space and force execution with kernel privileges (cpl==0).
    *3. Pool repair
    
    Exploit code is in CAInternetSecuritySuite2010.zip file.
    
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15624.zip (CAInternetSecuritySuite2010.zip)