Klim5.sys is prone to a local privilege escalation vulnerability due to insufficient validation of user-supplied buffers passed through an IOCTL. A local attacker can take advantage of this vulnerability to elevate privileges from the Guest account to SYSTEM.
Credit:
The information has been provided by Ruben Santamarta.
The original article can be found at: http://www.wintercore.com/advisories/advisory_W020209.html
The klim5.sys driver is in charge of intercepting packets as they arrive or are sent. (Un)fortunately, a simple user-mode program can overwrite some of the callbacks klim5.sys keeps for this with a user-mode controlled address, just by sending a specially crafted IOCTL request. As the disassembly below shows, the handler for IOCTL 0x80052110 only checks that the input buffer is at least 0x10 bytes long (anything shorter is rejected with STATUS_BUFFER_TOO_SMALL, 0xC0000023); the values in the buffer are then stored without any check that they point into kernel space, and one of them is later called directly. The control code itself decodes to device type 0x8005, function 0x844, METHOD_BUFFERED and FILE_ANY_ACCESS, so issuing it requires no particular access rights on the device handle. Therefore, we face a local privilege escalation. Again.
.text:00011774 cmp ecx, 80052110h ; IOCTL
.text:0001177A jnz short loc_117E9
.text:0001177C cmp ebp, 10h ; input length >= 0x10 is the only check
.text:0001177F jnb short loc_1178E ; FLAW
.text:00011781 push 10h
.text:00011783 mov [esp+14h+Irp], 0C0000023h ; STATUS_BUFFER_TOO_SMALL
.text:0001178B pop ebx
.text:0001178C jmp short loc_117E9
.text:0001178E ; ---------------------------------------------------------------------------
.text:0001178E
.text:0001178E loc_1178E: ; CODE XREF: sub_11730+4Fj
.text:0001178E push offset SpinLock ; SpinLock
.text:00011793 push offset dword_140A8 ; int
.text:00011798 push edi ; int (user-supplied buffer)
.text:00011799 call sub_11604 ; Flaw: stores the user values under the spinlock
.text:0001179E add edi, 8
.text:000117A1 push offset dword_140B8 ; SpinLock
.text:000117A6 or eax, 0FFFFFFFFh
.text:000117A9 sub eax, [edi]
.text:000117AB push offset dword_140B0 ; int
.text:000117B0 push edi ; int
.text:000117B1 mov [edi], eax
.text:000117B3 call sub_11604
and finally, the stored pointer is called without any validation:
.text:000115CB push [ebp+arg_0]
.text:000115CE call dword ptr [edi+8] ; Controlled
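To make the bug pattern concrete, here is an added user-mode C model of the dispatch path shown in the disassembly, placed beside a hardened design. This is example code written for this page, not code from the advisory, from the exploit, or from the vendor's driver. Assumptions: the IOCTL name IOCTL_KLIM5_SET_CALLBACKS, the interpretation of ebp as the input length and edi as the input buffer, the 0x10-byte block layout with the called pointer at offset +8, and the two stand-in packet handlers are all hypothetical; the NTSTATUS values and the CTL_CODE field layout are standard Windows definitions.

```c
/* Added example: model of a "length is the only check" IOCTL handler (vulnerable)
 * beside a handler that never accepts a code pointer from user mode (hardened). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* NTSTATUS values from ntstatus.h; 0xC0000023 is the value loaded at 00011783 */
#define STATUS_SUCCESS            0x00000000u
#define STATUS_BUFFER_TOO_SMALL   0xC0000023u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define STATUS_ACCESS_DENIED      0xC0000022u

/* Control code compared at 00011774; the symbolic name is an assumption */
#define IOCTL_KLIM5_SET_CALLBACKS 0x80052110u

/* CTL_CODE layout: DeviceType<<16 | RequiredAccess<<14 | Function<<2 | Method */
struct ioctl_fields { uint32_t device_type, access, function, method; };

struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3;   /* 0 = FILE_ANY_ACCESS */
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 0x3;           /* 0 = METHOD_BUFFERED */
    return f;
}

/* Assumed layout of the 0x10-byte input block; the driver calls [edi+8] (000115CE) */
struct callback_block {
    uint32_t field0;
    uint32_t field4;
    uint32_t callback;   /* offset +8: the pointer that ends up being called */
    uint32_t fieldC;
};

/* Stands in for the driver's global callback slots (the dword_140A8 area) */
static struct callback_block g_callbacks;

/* On 32-bit Windows without /3GB, user-mode addresses lie below 0x80000000 */
int is_user_mode_address(uint32_t addr) { return addr < 0x80000000u; }

/* Vulnerable model: mirrors "cmp ebp,10h / jnb". Only the length is validated;
 * whatever the caller put in the buffer is stored, pointers included. */
uint32_t vuln_set_callbacks(uint32_t code, const void *in, uint32_t in_len)
{
    if (code != IOCTL_KLIM5_SET_CALLBACKS) return STATUS_INVALID_PARAMETER;
    if (in_len < sizeof(struct callback_block)) return STATUS_BUFFER_TOO_SMALL;
    memcpy(&g_callbacks, in, sizeof g_callbacks);   /* what sub_11604 does, in effect */
    return STATUS_SUCCESS;
}

/* Pointer that the vulnerable path would call next (returned, not called, here) */
uint32_t vuln_pending_callback(void) { return g_callbacks.callback; }

/* Hardened model (a design suggestion, not the vendor's fix): the caller selects one
 * of a fixed set of driver-internal handlers by index, so no code pointer ever
 * crosses the user/kernel boundary, and only administrators may change it. */
typedef int (*packet_handler_t)(const uint8_t *pkt, size_t len);
static int handler_pass(const uint8_t *p, size_t n) { (void)p; (void)n; return 1; }
static int handler_drop(const uint8_t *p, size_t n) { (void)p; (void)n; return 0; }
static const packet_handler_t k_handlers[] = { handler_pass, handler_drop };
static packet_handler_t g_active_handler = handler_pass;

uint32_t hardened_set_callbacks(uint32_t code, const void *in, uint32_t in_len,
                                int caller_is_admin)
{
    uint32_t idx;
    if (code != IOCTL_KLIM5_SET_CALLBACKS) return STATUS_INVALID_PARAMETER;
    if (!caller_is_admin) return STATUS_ACCESS_DENIED;  /* FILE_ANY_ACCESS is not enough */
    if (in_len < sizeof idx) return STATUS_BUFFER_TOO_SMALL;
    memcpy(&idx, in, sizeof idx);
    if (idx >= sizeof k_handlers / sizeof k_handlers[0]) return STATUS_INVALID_PARAMETER;
    g_active_handler = k_handlers[idx];
    return STATUS_SUCCESS;
}

/* The equivalent of the "call dword ptr [edi+8]" step on the hardened path */
int hardened_dispatch_packet(const uint8_t *pkt, size_t len)
{
    return g_active_handler(pkt, len);
}
```

The point of the comparison is the shape of the check, not the exact constants: a length test guarantees the driver can read the whole block, but says nothing about what the block contains. Once a pointer from user mode is stored and later called in kernel context, the attacker controls EIP at ring 0, which is exactly the Guest-to-SYSTEM path the advisory describes.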
Exploit code:
Exploit code can be downloaded from:
http://kartoffel.reversemode.com/downloads.php