CVE: CVE-2015-1438
Vendor: Panda Security
Product: Multiple Products
Affected version: 1.0.0.13 (PSKMAD.sys driver version)
Fixed version: 15.1.0 (Products Version)
Reported by: Kyriakos Economou

Details:

The Panda Kernel Memory Access Driver does not validate the size of the data to be copied into either an allocated kernel paged pool buffer or an allocated non-paged pool buffer. Furthermore, the attacker controls the start-to-copy index for the non-paged pool buffer, which allows a kernel object to be corrupted with more precision and EIP to be controlled via a hijacked function pointer.

Technical Details:

b5ae8cc5 8b7508          mov     esi,dword ptr [ebp+8]                    <-- ESI input_buffer
b5ae8cc8 0fb7460c        movzx   eax,word ptr [esi+0Ch]                   <-- EAX read size of paged pool buffer to allocate from input buffer
b5ae8ccc 6685c0          test    ax,ax
b5ae8ccf 7674            jbe     PSKMAD_b5ae4000+0x4d45 (b5ae8d45)
b5ae8cd1 668b4e0e        mov     cx,word ptr [esi+0Eh]
b5ae8cd5 668945f4        mov     word ptr [ebp-0Ch],ax
b5ae8cd9 0fb7c0          movzx   eax,ax
b5ae8cdc 6850534d45      push    454D5350h                                <-- 'PSME' pool tag
b5ae8ce1 50              push    eax                                      <-- size of paged pool buffer to allocate
b5ae8ce2 6a01            push    1                                        <-- indicates paged pool
b5ae8ce4 66894df6        mov     word ptr [ebp-0Ah],cx
b5ae8ce8 ff159ca6aeb5    call    dword ptr [PSKMAD_b5ae4000+0x669c]={nt!ExAllocatePoolWithTag}
b5ae8cee 8945f8          mov     dword ptr [ebp-8],eax
b5ae8cf1 85c0            test    eax,eax
b5ae8cf3 7550            jne     PSKMAD_b5ae4000+0x4d45 (b5ae8d45)
...
b5ae8d45 8d4608          lea     eax,[esi+8]
b5ae8d48 50              push    eax                                      <-- ptr to input buffer for storing the length of the returned symbolic link target
b5ae8d49 8d45f4          lea     eax,[ebp-0Ch]
b5ae8d4c 50              push    eax                                      <-- ptr to uninitialized Unicode string to store symbolic link target (the paged pool buffer previously allocated)
b5ae8d4d ff36            push    dword ptr [esi]                          <-- handle to the symbolic link object
b5ae8d4f ff1514a7aeb5    call    dword ptr [PSKMAD_b5ae4000+0x6714]={nt!ZwQuerySymbolicLinkObject}
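The listing shows the paged pool path: the WORD at [esi+0Ch] sizes the allocation while the WORD at [esi+0Eh] lands at [ebp-0Ah], and the structure at [ebp-0Ch] is then handed to ZwQuerySymbolicLinkObject as the output string. The user-mode C below is an added example, not the driver's or vendor's code, showing the input checks this path is missing; the request layout follows the listing's offsets, and reading [ebp-0Ch]/[ebp-0Ah]/[ebp-8] as a UNICODE_STRING (Length, MaximumLength, Buffer) together with all field and function names are my assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the driver's code. Offsets follow the listing; the field names and the
 * reading of [ebp-0Ch]/[ebp-0Ah]/[ebp-8] as a UNICODE_STRING are assumptions. */
#define REQ_LEN 0x10u   /* bytes needed for the request to contain the WORD at +0x0E */
enum { REQ_OK = 0, REQ_TOO_SHORT, REQ_ZERO_SIZE, REQ_MAXLEN_EXCEEDS_ALLOC, REQ_NO_MEMORY };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Builds a constructed request: WORD at +0x0C = pool size to allocate, WORD at +0x0E = the
 * value that becomes MaximumLength of the string passed to the query call. */
static void build_request(uint8_t req[REQ_LEN], uint16_t alloc_size, uint16_t max_len)
{
    memset(req, 0, REQ_LEN);
    wr16(req + 0x0C, alloc_size);
    wr16(req + 0x0E, max_len);
}

/* The checks the listing lacks: the request must be long enough to hold both WORDs, the
 * allocation must be non-zero, and MaximumLength must not exceed the bytes allocated. */
int validate_request(const uint8_t *in, size_t in_len, uint16_t *alloc_size, uint16_t *max_len)
{
    if (in == NULL || in_len < REQ_LEN) return REQ_TOO_SHORT;
    uint16_t a = rd16(in + 0x0C), m = rd16(in + 0x0E);
    if (a == 0) return REQ_ZERO_SIZE;
    if (m > a) return REQ_MAXLEN_EXCEEDS_ALLOC;
    *alloc_size = a;
    *max_len = m;
    return REQ_OK;
}

/* User-mode stand-in for allocate-then-query: the query may write up to MaximumLength bytes
 * into the buffer, so only a validated request reaches the copy. Returns the bytes copied,
 * or the negated REQ_* code when the request is rejected. */
int checked_query_copy(uint16_t alloc_size, uint16_t max_len, size_t in_len, size_t target_len)
{
    uint8_t req[REQ_LEN];
    uint16_t a, m;
    build_request(req, alloc_size, max_len);
    int rc = validate_request(req, in_len, &a, &m);
    if (rc != REQ_OK) return -rc;
    uint8_t *buf = malloc(a);
    if (buf == NULL) return -REQ_NO_MEMORY;
    size_t n = target_len < m ? target_len : m;   /* m <= a, so the write stays in bounds */
    memset(buf, 'A', n);                          /* constructed link target bytes */
    free(buf);
    return (int)n;
}
```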