Kaspersky Products klim5.sys Local Privilege Escalation
3 Feb. 2009
Summary
Klim5.sys is prone to a local privilege escalation due to invalid user-supplied buffer checking. A local attacker can take advantage of this vulnerability to elevate privileges from Guest account to SYSTEM.
Klim5.sys driver is in charge of intercepting when a packet arrives or is sent. (Un)fortunately a simple user-mode program can modify some callbacks in klim5.sys to point to a user-mode controlled address, just by sending a specially crafted IOCTL request. Therefore, we face a local privilege escalation. Again.
.text:00011774 cmp ecx, 80052110h ; IOCTL
.text:0001177A jnz short loc_117E9
.text:0001177C cmp ebp, 10h
.text:0001177F jnb short loc_1178E ; FLAW
.text:00011781 push 10h
.text:00011783 mov [esp+14h+Irp], 0C0000023h
.text:0001178B pop ebx
.text:0001178C jmp short loc_117E9
.text:0001178E ;
---------------------------------------------------------------------------
.text:0001178E
.text:0001178E loc_1178E: ; CODE XREF: sub_11730+4Fj
.text:0001178E push offset SpinLock ; SpinLock
.text:00011793 push offset dword_140A8 ; int
.text:00011798 push edi ; int
.text:00011799 call sub_11604 ; Flaw
.text:0001179E add edi, 8
.text:000117A1 push offset dword_140B8 ; SpinLock
.text:000117A6 or eax, 0FFFFFFFFh
.text:000117A9 sub eax, [edi]
.text:000117AB push offset dword_140B0 ; int
.text:000117B0 push edi ; int
.text:000117B1 mov [edi], eax
.text:000117B3 call sub_11604
