[guru] CA biztonsagi frissitesek
DATE: Tue, 26 Aug 2008 16:42:41 +0200
Kód futtatási lehetőséget találtak a CA Host-Based Intrusion Prevention
System kmxfw.sys eszközmeghajtójában. Mivel a buffer overflow hibák az
ioctl() hívást kezelő kernel kódban találhatóak, ezért nagyon veszélyesek.
--- Begin Message ---
Title: CA Host-Based Intrusion Prevention System SDK kmxfw.sys
Multiple Vulnerabilities
CA Advisory Date: 2008-08-11
Reported By:
CVE-2008-2926 - Tobias Klein
CVE-2008-3174 - Elazar Broad
Impact: A remote attacker can cause a denial of service or
possibly execute arbitrary code.
Summary: CA Host-Based Intrusion Prevention System SDK contains
two vulnerabilities that can allow an attacker to cause a denial
of service or possibly execute arbitrary code. CA has issued
updates to address the vulnerabilities. The first vulnerability,
CVE-2008-2926, occurs due to insufficient verification of IOCTL
requests by the kmxfw.sys driver. A local attacker can send an
IOCTL request that can cause a system crash or potentially result
in arbitrary code execution. The second vulnerability,
CVE-2008-3174, occurs due to insufficient validation by the
kmxfw.sys driver. An attacker can make a request that can cause a
system crash.
Mitigating Factors: None
Severity: CA has given these vulnerabilities a Medium risk rating.
Affected Products:
CA Host-Based Intrusion Prevention System r8
CA Internet Security Suite 2007 (v3.2) with CA Personal Firewall
2007 (v9.1) Engine version 1.2.260 and below
CA Internet Security Suite 2008 (v4.0) with CA Personal Firewall
2008 (v10.0) Engine version 1.2.260 and below
CA Personal Firewall 2007 (v9.1) with Engine version 1.2.260 and
below
CA Personal Firewall 2008 (v10.0) with Engine version 1.2.260 and
below
Affected Platforms:
Windows
Status and Recommendation:
CA has issued the following updates to address the vulnerabilities.
CA Host-Based Intrusion Prevention System r8:
RO00535
https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=search&searchID=RO00535
CA Internet Security Suite r3, r4 and CA Personal Firewall 2007,
2008:
Ensure the latest engine is installed by using the built-in update
mechanism. CA Personal Firewall Engine 1.2.276 and later are not
affected. To ensure that the latest automatic update is installed
on your computer, customers can view the Help>About screen in
their CA Personal Firewall product and confirm that the engine
version number is 1.2.276 or higher. For support information,
visit http://shop.ca.com/support.
How to determine if you are affected:
1. Using Windows Explorer, locate the file "kmxfw.sys". By default,
the file is located in the "C:\Windows\system32\drivers\" directory.
2. Right click on the file and select Properties.
3. Select the General tab.
4. If the file version is less than indicated in the below table,
the installation is vulnerable.
File Name Version Size (bytes) Date
kmxfw.sys 6.5.5.18 115,216 March 14, 2008
Workaround: None
References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for
CA Host-Based Intrusion Prevention System SDK
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=182496
Solution Document Reference APARs:
RO00535
CA Security Response Blog posting:
CA Host-Based Intrusion Prevention System SDK kmxfw.sys Multiple
Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2008/08/12.aspx
Reported By:
Tobias Klein (CVE-2008-2926)
http://www.trapkit.de/
Elazar Broad (CVE-2008-3174)
CVE References:
CVE-2008-2926 - CA HIPS kmxfw.sys IOCTL
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2926
CVE-2008-3174 - CA HIPS kmxfw.sys denial of service
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3174
OSVDB References: Pending
http://osvdb.org/
Changelog for this advisory:
v1.0 - Initial Release
Customers who require additional information should contact CA
Technical Support at http://support.ca.com.
For technical questions or comments related to this advisory,
please send email to vuln AT ca DOT com.
If you discover a vulnerability in CA products, please report your
findings to our product security response team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782
Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research
CA, 1 CA Plaza, Islandia, NY 11749
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA. All rights reserved.
--- End Message ---
--- Begin Message ---
Please find attached a detailed advisory of the vulnerability.
Alternatively, the advisory can also be found at:
http://www.trapkit.de/advisories/TKADV2008-006.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Advisory: CA HIPS KmxFw.sys Kernel Memory Corruption
Advisory ID: TKADV2008-006
Revision: 1.0
Release Date: 2008/08/12
Last Modified: 2008/08/12
Date Reported: 2008/03/08
Author: Tobias Klein (tk at trapkit.de)
Affected Software: CA Host-Based Intrusion Prevention System r8
CA Internet Security Suite 2007
CA Internet Security Suite 2008
CA Personal Firewall 2007
CA Personal Firewall 2008
Remotely Exploitable: No
Locally Exploitable: Yes
Vendor URL: http://www.ca.com
Vendor Status: Vendor has released an update
CVE-ID: CVE-2008-2926
Patch development time: 158 days
======================
Vulnerability details:
======================
The kernel driver KmxFw.sys shipped with various CA products contains a
vulnerability in the code that handles IOCTL requests. Exploitation of
this vulnerability can result in:
1) local denial of service attacks (system crash due to a kernel panic), or
2) local execution of arbitrary code at the kernel level (complete system
compromise)
The issue can be triggered by sending a specially crafted IOCTL request.
No special user rights are necessary to exploit the vulnerability.
======================
Technical description:
======================
The IOCTL call 0x85000030 of the KmxFw.sys kernel driver shipped with
various CA products accepts user supplied input that doesn't get validated
enough. In consequence it is possible to pass arbitrary parameter values
to some windows kernel functions (e.g. ExFreePoolWithTag). If these
parameters are carefully crafted it is possible to force the windows kernel
into performing a memory corruption that leads to full control of the
kernel execution flow.
Disassembly of KmxFw.sys (version 6.5.5.5):
[...]
.text:00019800 mov eax, [esp+IOCTLControlCode] <-- (1)
.text:00019804 sub esp, 2Ch
.text:00019807 push ebx
.text:00019808 push esi
.text:00019809 push edi
.text:0001980A add eax, 7AFFFFFCh
.text:0001980F xor edi, edi
.text:00019811 xor ebx, ebx
.text:00019813 cmp eax, 4Ch ; switch 77 cases
.text:00019816 ja loc_19943 ; default
[...]
.text:0001981C movzx eax, ds:byte_19BA0[eax] <-- (2)
.text:00019823 jmp ds:off_19B6C[eax*4] ; switch jump
[...]
.text:000199E1 loc_199E1:
.text:000199E1 cmp [esp+38h+InputBufferSize], 10h <-- (3)
.text:000199E6 jb loc_19943 ; default
[...]
.text:000199EC mov eax, [esp+38h+InputBuffer] <-- (4)
.text:000199F0 mov ecx, [eax+8] <-- (5)
.text:000199F3 mov edx, [eax] <-- (6)
.text:000199F5 push ecx ; BaseAddress <-- (7)
.text:000199F6 push edx ; Mdl <-- (8)
.text:000199F7 mov ecx, offset off_28600
.text:000199FC call sub_12B70 <-- (9)
[...]
(1) IOCTL control code is copied into EAX
(2) IOCTL control code switch cases
(3) Switch case of the vulnerable IOCTL control code 0x85000030. There's
also a minor check of the IOCTL input buffer size (must be greater than
0x10).
(4) Pointer to user controlled data is copied into EAX
(5) Part of the user controlled data is copied into ECX
(6) Part of the user controlled data is copied into EDX
(7) + (8) The user controlled values of ECX and EDX are used as parameters
for the following function (sub_12B70) that gets called
(9) The function sub_12B70 gets called
[...]
.text:00012B70 sub_12B70 proc near
.text:00012B70 Mdl_uc = dword ptr 4
.text:00012B70 BaseAddress_uc = dword ptr 8
.text:00012B70
.text:00012B70 push esi
.text:00012B71 mov esi, [esp+4+Mdl_uc] <-- (10)
.text:00012B75 test esi, esi
.text:00012B77 jz short loc_12B90
.text:00012B79 mov eax, [esp+4+BaseAddress_uc] <-- (11)
.text:00012B7D test eax, eax
.text:00012B7F jz short loc_12B89
.text:00012B81 push esi ; MemoryDescriptorList <-- (12)
.text:00012B82 push eax ; BaseAddress <-- (13)
.text:00012B83 call ds:MmUnmapLockedPages <-- (14)
.text:00012B89
.text:00012B89 loc_12B89:
.text:00012B89 push esi ; Mdl <-- (15)
.text:00012B8A call ds:IoFreeMdl <-- (16)
[...]
(10) User controlled data gets copied into ESI
(11) User controlled data gets copied into EAX
(12) + (13) The user controlled values of ESI and EAX are used as
parameters for the windows kernel function MmUnmapLockedPages
(14) The windows kernel function MmUnmapLockedPages gets called
(15) The user controlled value in ESI is used as a parameter for the
windows kernel function IoFreeMdl
(16) The windows kernel function IoFreeMdl gets called
In the IoFreeMdl function of the windows kernel the ExFreePoolWithTag
function gets called with user controlled parameters.
Example of the IoFreeMdl function of the Windows 2000 Professional SP4
kernel:
[...]
.text:0041E700 ; void __stdcall IoFreeMdl(PMDL Mdl)
.text:0041E700 public IoFreeMdl
.text:0041E700 IoFreeMdl proc near
.text:0041E700
.text:0041E700 P = dword ptr 4
.text:0041E700
.text:0041E700 push esi
.text:0041E701 mov esi, [esp+4+P] <-- (17)
.text:0041E705 test byte ptr [esi+6], 20h
.text:0041E709 jz short loc_41E714
[...]
.text:0041E714 loc_41E714:
.text:0041E714 mov ax, [esi+6]
.text:0041E718 test al, 8
.text:0041E71A jz short loc_41E72B
[...]
.text:0041E72B
.text:0041E72B loc_41E72B:
.text:0041E72B push esi ; P <-- (18)
.text:0041E72C call ExFreePool <-- (19)
[...]
(17) The user controlled data gets copied into ESI
(18) + (19) ESI is used as a parameter for the ExFreePool kernel function
that calls ExFreePoolWithTag
If the user supplied parameter for ExFreePoolWithTag is carefully crafted
it is possible to overwrite an arbitrary memory location with an arbitrary
dword value (write4 primitive). This can be exploited to control the kernel
execution flow and to execute arbitrary code at the kernel level.
=========
Solution:
=========
See vendor recommendations described under [1].
========
History:
========
2008/03/06 - Vendor notified using vuln@ca.com
2008/03/06 - Vendor response with PGP key
2008/03/08 - Detailed vulnerability information sent to the vendor
2008/03/08 - Vendor acknowledges receipt of the information
2008/08/12 - Coordinated disclosure
========
Credits:
========
Vulnerability found and advisory written by Tobias Klein.
===========
References:
===========
[1] http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36559
[2] http://www.trapkit.de/advisories/TKADV2008-006.txt
========
Changes:
========
Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release
===========
Disclaimer:
===========
The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.
==================
PGP Signature Key:
==================
http://www.trapkit.de/advisories/tk-advisories-signature-key.asc
Copyright 2008 Tobias Klein. All rights reserved.
-----BEGIN PGP SIGNATURE-----
wj8DBQFIoc3GkXxgcAIbhEERAmChAJ9lINv4Ci5mKTsJFrseUDnRexS6cwCg1M9j
ZIxU4zrLI4z0saexLC/J9Dg=
=hYS2
-----END PGP SIGNATURE-----
--- End Message ---