Microsoft Windows XP/2003 Macrovision SecDrv.sys Privilege Escalation
18 Oct. 2007
Symantec researcher Elia Florip has warned, at the company's weblog of a 0day attack in Windows XP and 2003 that allows unprivileged users to gain SYSTEM privileges via a buggy driver installed by default. The following advisory sheds light on the issue and reveals where the problem is.
In Elia Florip's post, Elia brings us an important clue:"At the moment, it's still not clear how the driver is used by Windows because this file does not have the typical Microsoft file properties present in other Windows system files". Such a file it is not common so looking for this sort of .sys we come across a couple of them. One of those drivers is *secdrv.sys*, which is developed by Macrovision as part of SafeDisc. Mario Ballano (48bits.com) and I we have been taking a look at the driver and quickly found this interesting piece of code.
.text:00015E2C cmp [ebp+var_10], 0CA002813h
.text:00015E33 jz short loc_15E69
As you can see the IOCTL is METHOD_NEITHER which is a potential vulnerability by itself (few drivers are correctly handling this method). Let's see whether this time is different...
No luck. As you can see the buffer supplied by the user is not properly checked so you can overwrite any address you wish, even kernel addresses. Anyway, this piece of code is not very comfortable for developing the exploit since it is overwriting the same buffer that is used as input vector. The ideal situation would be bytes being copied from the input buffer into the output buffer. Surprise, surprise...
The first 4 DWORDs of the input buffer are copied into the output buffer without any further validation. However,there is a restriction: InputBuffer should be a fixed value in order to reach this piece of code. No problem. Take a look at the exploit code.
Reversemode has released a K-plugin for kartoffel that exploits this flaw on Windows XP SP2 and 2003 (32-bit).
Despite there is no patch available, at the moment, we are disclosing this information since an exploit has been caught in the wild so we see no reason to hide information that can be useful for administrators and researchers.