ExploitFixes
CA Internet Security Suite 2010 KmxSbx.sys Kernel Pool Overflow 0 day Exploit 2010-11-28 09:15:18

/*
# Exploit Title: CA Internet Security Suite 2010 KmxSbx.sys Kernel Pool Overflow 0-day Exploit
# Date: 2010-11-28
# Author: Nikita Tarakanov (CISS Research Team)
# Software Link: http://shop.ca.com/ca/products/internetsecurity/internetsecurity_suite.asp
# Version: up to date, KmxSbx.sys version 6.2.0.22
# Tested on: Win XP SP3
# CVE : CVE-NO-MATCH
# Status : Unpatched
*/

1. Description:

The KmxSbx.sys kernel driver distributed with CA Internet Security Suite contains
a pool corruption vulnerability in the handling of IOCTL 0x88000080. The size of
the pool allocation is derived from the length of an attacker-supplied UNICODE
string and truncated to 16 bits before ExAllocatePool is called, while the copy
that follows uses the full string length. Exploitation of this issue allows an
attacker to execute arbitrary code within the kernel. An attacker would need local
access to a vulnerable computer to exploit this vulnerability.

Affected application: CA Internet Security Suite 2010.
Affected file: KmxSbx.sys version 6.2.0.22.

2. Vulnerability details:

[..]

.text:00016330 mov cx, [eax]               ; eax points to attacker controlled data
.text:00016333 inc eax
.text:00016334 inc eax
.text:00016335 test cx, cx
.text:00016338 jnz short loc_16330
.text:0001633A sub eax, edx
.text:0001633C sar eax, 1
.text:0001633E lea eax, [eax+eax+50h]      ; size of UNICODE string + 0x50 bytes
.text:00016342 movzx edi, ax               ; integer wrap here!
.text:00016345
.text:00016345 loc_16345:                  ; CODE XREF: sub_162D8+53j
.text:00016345 movzx eax, di
.text:00016348 push ebx
.text:00016349 xor ebx, ebx
.text:0001634B cmp eax, ebx
.text:0001634D jz short loc_16359
.text:0001634F push eax                    ; NumberOfBytes
.text:00016350 push ebx                    ; PoolType
.text:00016351 call ds:ExAllocatePool      ; Miscalculated Pool!!!
.text:00016357 mov ebx, eax

[..]

.text:000163A6 movzx esi, word ptr [edx]
.text:000163A9 mov [eax+edx], si           ; Pool overflow here!
.text:000163AD inc edx
.text:000163AE inc edx
.text:000163AF test si, si

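The defect in the listing above is the narrowing at `movzx edi, ax`: the size `2 * (length + 1) + 0x50` is computed in 32 bits, but only its low 16 bits reach ExAllocatePool, whereas the later copy loop walks the whole string again. The following C program is an added illustration, not code from the advisory or from the CA driver. It models the vulnerable size computation next to a hardened version that bounds the string scan by the caller-supplied buffer length (what a driver would take from the IRP's input buffer length, an assumption here), does the arithmetic in `size_t`, and rejects instead of truncating. The names `HEADER_BYTES`, `make_wide_string` and the wrapper functions are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Fixed overhead the driver adds to the string size (lea eax,[eax+eax+50h]). */
#define HEADER_BYTES 0x50u

/* Mirror of the scan loop (mov cx,[eax] / inc eax / inc eax / test cx,cx):
 * counts UTF-16 code units including the NUL terminator, with no upper
 * bound, exactly as the disassembly does. */
static size_t wide_count_with_nul(const uint16_t *s)
{
    size_t n = 0;
    while (s[n] != 0)
        n++;
    return n + 1;
}

/* Vulnerable computation: the size is built in 32 bits and then narrowed to
 * 16 bits (movzx edi, ax) before being passed as NumberOfBytes. */
uint16_t vulnerable_alloc_size(const uint16_t *s)
{
    size_t bytes = wide_count_with_nul(s) * 2 + HEADER_BYTES;
    return (uint16_t)bytes;   /* bits 16..31 are silently dropped here */
}

/* Bytes the copy loop (movzx esi,[edx] / mov [eax+edx],si) actually writes:
 * it walks to the NUL again and never consults the allocation size. */
size_t copy_bytes(const uint16_t *s)
{
    return wide_count_with_nul(s) * 2;
}

/* Hardened version: bound the scan by the caller-supplied buffer length,
 * require the terminator inside that bound, compute in size_t, and refuse
 * any size that the 16-bit field could not represent instead of wrapping.
 * Returns 1 and sets *out on success, 0 on rejection. */
int safe_alloc_size(const uint16_t *s, size_t buf_bytes, size_t *out)
{
    size_t max_units = buf_bytes / 2;
    size_t n = 0;
    while (n < max_units && s[n] != 0)
        n++;
    if (n == max_units)                        /* no NUL inside the user buffer */
        return 0;
    size_t count = n + 1;
    if (count > (SIZE_MAX - HEADER_BYTES) / 2) /* size_t overflow guard */
        return 0;
    size_t bytes = count * 2 + HEADER_BYTES;
    if (bytes > UINT16_MAX)                    /* would not survive the narrowing */
        return 0;
    *out = bytes;
    return 1;
}

/* Constructed input: len 'A' code units followed by a NUL terminator. */
static uint16_t *make_wide_string(size_t len)
{
    uint16_t *s = malloc((len + 1) * sizeof *s);
    if (!s) { perror("malloc"); exit(1); }
    for (size_t i = 0; i < len; i++)
        s[i] = 'A';
    s[len] = 0;
    return s;
}

/* Wrappers keyed by string length so each check needs no setup. */
unsigned vulnerable_size_for_len(size_t len)
{
    uint16_t *s = make_wide_string(len);
    unsigned r = vulnerable_alloc_size(s);
    free(s);
    return r;
}

/* 1 when the copy loop would write past the (truncated) allocation. */
int copy_overflows_pool(size_t len)
{
    uint16_t *s = make_wide_string(len);
    int r = copy_bytes(s) > vulnerable_alloc_size(s);
    free(s);
    return r;
}

/* Hardened size for a buffer of exactly len+1 units, or 0 if rejected. */
size_t safe_size_for_len(size_t len)
{
    uint16_t *s = make_wide_string(len);
    size_t out = 0;
    int ok = safe_alloc_size(s, (len + 1) * 2, &out);
    free(s);
    return ok ? out : 0;
}

int main(void)
{
    /* 0x7FD6 is the last length whose size still fits in 16 bits; one more
     * wraps to exactly 0x10000, which the driver's jz would treat as "no
     * allocation"; larger inputs wrap to small, non-zero sizes. */
    size_t lens[] = { 3, 0x7FD6, 0x7FD7, 0x7FF0 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%5zu  alloc=0x%04x  overflow=%d  safe=0x%zx\n",
               lens[i], vulnerable_size_for_len(lens[i]),
               copy_overflows_pool(lens[i]), safe_size_for_len(lens[i]));
    return 0;
}
```

The hardened variant shows the two checks a driver handling this IOCTL needs: never scan user memory for a terminator beyond the length the I/O manager reported, and never let a size computed in a wide type pass through a narrower one without a range check.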
3. Exploitation:

1. To exploit this vulnerability we have to allocate shellcode at some address
and craft a fake chunk header that creates a write4 primitive.
2. To invoke our shellcode we have to set values in Flink and Blink that point
to some pointer in kernel space and to the address of our r0 shellcode. When
unlinking happens, we overwrite the pointer in kernel space and force execution
with kernel privileges (cpl==0).
3. Pool repair.

Exploit code is in CAInternetSecuritySuite2010.zip file.

http://www.exploit-db.com/sploits/CAInternetSecuritySuite2010.zip