Tried, Tested and Proven

Vulnerability title: Privilege Escalation in K7 Computing Multiple Products [K7Sentry.sys]

CVE: CVE-2014-8956
Vendor: K7 Computing
Product: Multiple Products [K7Sentry.sys]
Affected version: 12.8.0.110
Fixed version: 12.8.0.119
Reported by: Kyriakos Economou

Details:

Latest, and possibly earlier versions of K7Sentry.sys kernel mode driver, also named as K7AV Sentry DeviceDriver, suffers from a Out-of-bounds Write condition that can be exploited locally by an attacker in order to execute code with kernel privileges. Successful exploitation of this bug results into vertical privilege escalation.

Technical Details:

The function handling IOCTL 0x9500259C does not validate the size of the input before start copying the data into a statically allocated array inside the driver module itself in the .data section at address K7Sentry + 0xdaec8.

b9d05da0 837e0404 cmp dword ptr [esi+4],4 <--- check if input buffer size < 4
b9d05da4 7233 jb K7Sentry+0x9dd9
b9d05da6 8b4608 mov eax,dword ptr [esi+8] <--- get address of input buffer
b9d05da9 85c0 test eax,eax <--- validate there is an input buffer allocated
b9d05dab 742c je K7Sentry+0x9dd9 (b9d05dd9)
b9d05dad bac86eddb9 mov edx,offset K7Sentry+0xdaec8 <--- get address of array in .data section
b9d05db2 2bd0 sub edx,eax
b9d05db4 8a08 mov cl,byte ptr [eax] <--- read each byte from input
b9d05db6 880c02 mov byte ptr [edx+eax],cl <--- write each byte to array
b9d05db9 40 inc eax <--- increment index
b9d05dba 84c9 test cl,cl <--- check for '/x00'
b9d05dbc 75f6 jne K7Sentry+0x9db4 <--- if '/x00' not found loop again
b9d05dbe 837e0c04 cmp dword ptr [esi+0Ch],4
b9d05dc2 7212 jb K7Sentry+0x9dd6
b9d05dc4 8b4610 mov eax,dword ptr [esi+10h]
b9d05dc7 8b4e14 mov ecx,dword ptr [esi+14h]
b9d05dca c70001000000 mov dword ptr [eax],1
b9d05dd0 c70104000000 mov dword ptr [ecx],4
b9d05dd6 33c0 xor eax,eax
b9d05dd8 c3 ret
b9d05dd9 b8010000c0 mov eax,0C0000001h
b9d05dde c3 ret

As shown above, this function will keep copying data to an array allocated in .data section of the driver which has a size of 0×800 bytes, until it finds a NULL byte which defines the end of an ascii string, just like an inlined strcpy function. Since the function does not validate further the size of the data to copy against the size of the array, we are able to keep copying data that we fully control and overwrite other data and function pointers used by other functions.

Impact:

This vulnerability could allow a malicious attacker to execute code as SYSTEM.

Exploit:

The proof of concept exploit is available.

Remediation:

Update the K7FWFilt.sys driver to the latest version.


Vendor status:

11/09/2014 Advisory created
17/09/2014 Vendor contacted
13/10/2014 Vendor working on a fix
11/11/2014 Fix released
24/11/2014 CVE obtained
05/12/2014 Published
Copyright:

Copyright © Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.