Recently, the foreign security researcher Nikita Tarakanov reported a 0day vulnerability in Symantec PGP Whole Disk Encryption: the software's kernel driver pgpwded.sys contains an arbitrary memory overwrite vulnerability that can lead to arbitrary code execution. The affected version is Symantec PGP Desktop 10.2.0 Build 2599.
Symantec confirmed in a blog post that this version of the software does have the security issue, but said that it is fairly cumbersome to exploit, is limited to systems running Windows XP and Windows 2003, and requires local access to the computer for successful exploitation.
Researcher Kelvin Kwan said: "The scenario that triggers this vulnerability is very difficult; successful exploitation requires entering certain error states, but if it is exploited successfully it could allow an attacker to execute arbitrary code and obtain higher-level privileges." The details of the vulnerability are as follows:
function at 0x10024C20 is responsible for dispatching ioctl codes:

.text:10024C20 ; int __thiscall ioctl_handler_deep(int this, int ioctl, PVOID inbuff, unsigned int inbuff_size, unsigned int outbuff_size, PDWORD bytes_to_return)
.text:10024C20 ioctl_handler_deep proc near ; CODE XREF: sub_10007520+6Ap
.text:10024C20
.text:10024C20 DestinationString= UNICODE_STRING ptr -3Ch
.text:10024C20 var_31 = byte ptr -31h
.text:10024C20 var_30 = dword ptr -30h
.text:10024C20 some_var = dword ptr -2Ch
.text:10024C20 var_28 = dword ptr -28h
.text:10024C20 var_24 = byte ptr -24h
.text:10024C20 var_5 = byte ptr -5
.text:10024C20 var_4 = dword ptr -4
.text:10024C20 ioctl = dword ptr 8
.text:10024C20 inbuff = dword ptr 0Ch
.text:10024C20 inbuff_size = dword ptr 10h
.text:10024C20 outbuff_size = dword ptr 14h
.text:10024C20 bytes_to_return = dword ptr 18h
.text:10024C20
.text:10024C20 push ebp
.text:10024C21 mov ebp, esp
.text:10024C23 sub esp, 3Ch
.text:10024C26 mov eax, BugCheckParameter2
.text:10024C2B xor eax, ebp
.text:10024C2D mov [ebp+var_4], eax
.text:10024C30 mov eax, [ebp+ioctl]
.text:10024C33 push ebx
.text:10024C34 mov ebx, [ebp+inbuff]
.text:10024C37 push esi
.text:10024C38 mov esi, [ebp+bytes_to_return]
.text:10024C3B add eax, 7FFDDFD8h
.text:10024C40 push edi
.text:10024C41 mov edi, ecx
.text:10024C43 mov [ebp+some_var], esi
.text:10024C46 mov [ebp+var_28], 0
.text:10024C4D cmp eax, 0A4h ; switch 165 cases
.text:10024C52 ja loc_10025B18 ; jumptable 10024C5F default case
.text:10024C58 movzx eax, ds:byte_10025BF0[eax]
.text:10024C5F jmp ds:off_10025B50[eax*4] ; switch jump

[..]

0x80022058 case: no check for outbuff_size == 0! <--- FLAW!

.text:10024F5A lea ecx, [edi+958h]
.text:10024F60 call sub_100237B0
.text:10024F65 mov [ebp+some_var], eax
.text:10024F68 test eax, eax
.text:10024F6A jnz short loc_10024F7D
.text:10024F6C mov dword ptr [ebx], 0FFFFCFFAh
.text:10024F72 mov dword ptr [esi], 10h <--- bytes to copy to output buffer

next in IofCompleteRequest there will be a rep movsd at a pointer that is under the attacker's control

Due to the type of vulnerability (METHOD_BUFFERED with output_size == 0) the exploit works only on Windows XP/2k3, because in later Windows OS versions the I/O manager doesn't craft an IRP if the ioctl is METHOD_BUFFERED and output_size == 0.
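As an added illustration (not code from the advisory or from pgpwded.sys), the following user-mode C model of the METHOD_BUFFERED completion path shows the check the 0x80022058 handler lacks: a driver must compare the caller's OutputBufferLength with the byte count it stores in IoStatus.Information before completing the request, because the I/O manager copies that many bytes back to the caller's output pointer. The struct layout, the function names and the 0x41 fill bytes are simplified stand-ins constructed for this example.

```c
/* Added example: simplified model of a METHOD_BUFFERED ioctl handler and
 * of the copy-back the I/O manager performs on completion. Names are
 * constructed stand-ins, not the WDM originals. */
#include <stdint.h>
#include <string.h>

#define STATUS_SUCCESS          0x00000000u
#define STATUS_BUFFER_TOO_SMALL 0xC0000023u
#define RESULT_SIZE             0x10u   /* the 10h bytes the driver reports */

/* Only the IRP fields that matter for this bug class. */
typedef struct {
    uint32_t status;
    uint32_t information;    /* bytes the I/O manager copies back to the caller */
    uint32_t output_length;  /* OutputBufferLength supplied by the caller */
    uint8_t  system_buffer[64];
} model_irp;

/* Flawed pattern: reports RESULT_SIZE bytes without checking output_length,
 * so a caller that passed output_length == 0 still gets 16 bytes copied. */
uint32_t handler_vulnerable(model_irp *irp) {
    memset(irp->system_buffer, 0x41, RESULT_SIZE);  /* constructed result data */
    irp->information = RESULT_SIZE;
    irp->status = STATUS_SUCCESS;
    return irp->status;
}

/* Hardened pattern: refuse the request when the caller's buffer is too
 * small, and report zero bytes so nothing is copied back. */
uint32_t handler_fixed(model_irp *irp) {
    if (irp->output_length < RESULT_SIZE) {
        irp->information = 0;
        irp->status = STATUS_BUFFER_TOO_SMALL;
        return irp->status;
    }
    memset(irp->system_buffer, 0x41, RESULT_SIZE);
    irp->information = RESULT_SIZE;
    irp->status = STATUS_SUCCESS;
    return irp->status;
}

/* Models the completion step: Information bytes go from system_buffer to
 * the caller's output pointer. Returns how many of those bytes land past
 * the end of a buffer of output_length bytes (0 means the copy is safe). */
uint32_t completion_overrun(const model_irp *irp) {
    return irp->information > irp->output_length
         ? irp->information - irp->output_length : 0;
}
```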
Symantec said the vulnerability would be fixed in its February patch release.
Related reading:
Symantec's PGP Whole Disk Encryption provides enterprises with comprehensive, high-performance full disk encryption, encrypting all data on desktops, laptops and removable media (user files, swap files, system files, hidden files and so on). This full disk encryption software protects data from unauthorized access, providing strong security for intellectual property and for customer and partner data. Protected systems can be centrally managed by PGP Universal Server, which simplifies deployment, policy creation, distribution and reporting.