Vulnerability title: Privilege Escalation in Panda Security
CVE: CVE-2014-5307
Vendor: Panda Security
Product: Multiple
Affected version: Panda 2014 Products
Fixed version: Hotfix hft131306s24_r1
Reported by: Kyriakos Economou
Details:
The latest, and possibly earlier, builds of the PavTPK.sys kernel-mode driver shipped with Panda Security software suffer from a heap overflow that allows any local user to elevate their privileges through an IOCTL request and execute code as SYSTEM by controlling EIP via a corrupted kernel object.
Unsuccessful exploitation crashes the system with a BSoD.
The driver is loaded into kernel memory at boot time and stays resident without touching the disk afterwards.
All Panda Security products using the faulty driver were found to be vulnerable.
Technical Details:
By sending IOCTL 0x222008 with a crafted input buffer, the following block of instructions is reached. This is the first part of the chain that leads to the heap overflow, because any process can easily manipulate the contents of its own Process Environment Block (PEB).
The root cause of the heap overflow itself is examined later.
Read Information from PEB:
80536bf0 89448fe4 mov dword ptr [edi+ecx*4-1Ch],eax
80536bf4 8b448ee8 mov eax,dword ptr [esi+ecx*4-18h]
80536bf8 89448fe8 mov dword ptr [edi+ecx*4-18h],eax
80536bfc 8b448eec mov eax,dword ptr [esi+ecx*4-14h]
80536c00 89448fec mov dword ptr [edi+ecx*4-14h],eax
80536c04 8b448ef0 mov eax,dword ptr [esi+ecx*4-10h]
80536c08 89448ff0 mov dword ptr [edi+ecx*4-10h],eax
80536c0c 8b448ef4 mov eax,dword ptr [esi+ecx*4-0Ch]
80536c10 89448ff4 mov dword ptr [edi+ecx*4-0Ch],eax
80536c14 8b448ef8 mov eax,dword ptr [esi+ecx*4-8]
80536c18 89448ff8 mov dword ptr [edi+ecx*4-8],eax
80536c1c 8b448efc mov eax,dword ptr [esi+ecx*4-4];ds:0023:7ffdd010=00360000
80536c20 89448ffc mov dword ptr [edi+ecx*4-4],eax
The PRTL_USER_PROCESS_PARAMETERS pointer inside the PEB structure (the value read by the last instruction above, annotated ds:0023:7ffdd010=00360000) can be manipulated so that it points to a location containing data that an attacker fully controls.
In the example above, we have replaced the pointer with one pointing to 0x00360000, so the driver will use that location later.
At our buffer+0x38 we can set the size value used to allocate memory through a call to ExAllocatePoolWithTag.
In this case, at address 0x00360038 we can write a DWORD, for example 0x41412020, but only the low WORD is taken into consideration for the memory allocation.
So we can copy 0x2020 bytes of data we control there. This data will later overflow a heap buffer used by the driver, which is always of size 0x1004.
Further manipulation of that buffer is needed, but that information is not necessary to explain the vulnerability, as shown below.
b70b8339 6800100000 push 1000h
b70b833e 6a00 push 0
b70b8340 56 push esi
b70b8341 e800370000 call PavTPK!GetThreads+0x3a28 <--- zero out dest buf (Total size 0x1004)
b70b8346 0fb745c0 movzx eax,word ptr [ebp-40h] <-- read our value 0x2020
b70b834a d1e8 shr eax,1 <-- divide by two to copy data per WORD size
b70b834c 50 push eax
b70b834d ff75c4 push dword ptr [ebp-3Ch]
b70b8350 56 push esi
b70b8351 ff1524d00bb7 call dword ptr [PavTPK!GetThreads+0x5006 (b70bd024)] ds:0023:b70bd024={nt!wcsncpy (80537f29)} <--- heap overflow since destination buffer is smaller than the data copied
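The defect in the listing above is that the copy count handed to wcsncpy is derived from a caller-controlled value (the low WORD at offset 0x38, halved) while the destination is a fixed 0x1004-byte pool allocation, and nothing compares the two. The following user-mode C program is an added illustration and is not code from the advisory or from the PavTPK.sys driver: it re-creates that length arithmetic, reports how far a given request would write past the fixed buffer, and shows the hardened form in which the copy is clamped to the destination's capacity before any byte is written. The type, function and constant names are assumptions made for the example; UTF-16 units are modelled as uint16_t so the byte arithmetic matches a Windows WCHAR on any host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical re-creation of the copy described in the advisory; not driver
 * code. A 16-bit unit stands in for WCHAR regardless of the host's wchar_t. */
typedef uint16_t wchar16_t;

#define DEST_BYTES 0x1004u                        /* fixed size of the zeroed pool buffer */
#define DEST_CHARS (DEST_BYTES / sizeof(wchar16_t))

/* Mirrors what the driver derives from the caller-controlled DWORD at
 * buffer+0x38: only the low WORD survives (movzx word ptr), and it is then
 * halved (shr eax,1) to turn a byte count into a wide-character count. */
static size_t copy_count_from_request(uint32_t dword_at_0x38)
{
    uint16_t low_word = (uint16_t)(dword_at_0x38 & 0xFFFFu);
    return (size_t)(low_word >> 1);
}

/* Bytes the unchecked copy would write beyond the destination; 0 means the
 * request fits. This is the check the vulnerable code never performs. */
static size_t overflow_bytes(uint32_t dword_at_0x38)
{
    size_t bytes = copy_count_from_request(dword_at_0x38) * sizeof(wchar16_t);
    return bytes > DEST_BYTES ? bytes - DEST_BYTES : 0;
}

/* Hardened copy: the requested count is clamped to the destination capacity
 * (leaving room for a terminator) before the first write. Like wcsncpy it
 * stops at a NUL in the source and zero-pads the remainder, but never past
 * dest. Returns the number of characters actually copied. */
static size_t copy_bounded(wchar16_t *dest, size_t dest_chars,
                           const wchar16_t *src, size_t requested_chars)
{
    size_t limit = dest_chars ? dest_chars - 1 : 0;
    size_t n = requested_chars < limit ? requested_chars : limit;
    size_t i = 0;
    for (; i < n && src[i] != 0; i++)
        dest[i] = src[i];
    memset(&dest[i], 0, (dest_chars - i) * sizeof(wchar16_t));
    return i;
}

int main(void)
{
    uint32_t sample = 0x41412020u;  /* constructed: the DWORD value quoted in the advisory */
    static wchar16_t dest[DEST_CHARS];
    static wchar16_t src[0x1010];
    size_t i, copied;

    printf("requested copy: 0x%zx wide chars, unchecked copy overflows by 0x%zx bytes\n",
           copy_count_from_request(sample), overflow_bytes(sample));

    /* constructed source with no terminator inside the requested range */
    for (i = 0; i < 0x1010; i++)
        src[i] = 0x4141;
    copied = copy_bounded(dest, DEST_CHARS, src, copy_count_from_request(sample));
    printf("bounded copy wrote 0x%zx wide chars into a 0x%zx-char buffer\n",
           copied, (size_t)DEST_CHARS);
    return 0;
}
```

The clamp in copy_bounded is the one-line fix the disassembly lacks: a length that arrives from memory the caller can rewrite (here via the PEB) is untrusted input, and the bound must come from the destination's own size, not from the request. A defender reviewing a driver can grep for wcsncpy, RtlCopyMemory and similar calls whose count argument is computed from IOCTL input and confirm each one is compared against the allocation size first.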
Impact:
This vulnerability results in local privilege escalation.
Exploit:
The proof of concept exploit is available.
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-5307/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.