
Wednesday, January 27, 2016

[FD] McAfee File Lock Driver - Kernel Stack Based BOF

* CVE: CVE-2015-8773
* Vendor: McAfee - Intel Security
* Reported by: Kyriakos Economou
* Date of Release: 26/01/2016
* Date of Fix: N/A
* Affected Products: Multiple
* Affected Version: McPvDrv.sys v4.6.111.0
* Fixed Version: N/A

Description:

The McAfee File Lock Driver does not correctly handle the GUIDs of encrypted vaults. A crafted IOCTL carrying a malformed Vault GUID, which the driver uses to identify an object of DeviceType FILE_DEVICE_DISK, causes a kernel stack based buffer overflow and crashes the host.

We have verified this issue in the latest McAfee File Lock v5.x, which ships with the McAfee Total Protection suite. However, other products that include this package will also be affected.

Vulnerable module: McPvDrv.sys v4.6.111.0

Earlier versions of this kernel driver are probably affected by the same issue.

Impact:

The return address is protected by a security cookie, so exploiting this issue further than crashing the host doesn't seem to be possible.

Technical Details:

GUID example:

867ba474  34 00 65 00 39 00 38 00 37 00 66 00 61 00 34 00 2d 00 39 00 66 00 38 00  4.e.9.8.7.f.a.4.-.9.f.8.
867ba48c  33 00 2d 00 34 00 30 00 61 00 64 00 2d 00 61 00 61 00 31 00 66 00 2d 00  3.-.4.0.a.d.-.a.a.1.f.-.
867ba4a4  62 00 35 00 33 00 65 00 61 00 35 00 64 00 63 00 00 00 00 00 00 00 00 00  b.5.3.e.a.5.d.c........

Parsing GUID:

95e77094 8b4d08        mov   ecx,dword ptr [ebp+8]      <-- Pointer to Vault's GUID (unicode)
95e77097 0fb701        movzx eax,word ptr [ecx]         <-- start reading GUID
95e7709a 83c40c        add   esp,0Ch
95e7709d 6685c0        test  ax,ax
95e770a0 7426          je    McPvDrv+0x30c8 (95e770c8)
95e770a2 0fb7c0        movzx eax,ax
95e770a5 8d957cffffff  lea   edx,[ebp-84h]
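The listing above shows the driver walking the caller-supplied UTF-16 GUID one word at a time until it finds a NUL, with a fixed-size local at [ebp-84h] as the destination. As an added illustration that is not McPvDrv's code, the C below shows the shape of a bounded parse that rejects an over-long or unterminated vault GUID instead of copying it past the end of the stack buffer; it assumes the standard 36-character textual GUID form and that the caller knows how many code units its buffer really holds (for an IOCTL, the input buffer length from the IRP).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define GUID_TEXT_LEN 36   /* 8-4-4-4-12 hex digits plus four hyphens */
typedef struct { uint8_t bytes[16]; } guid_t;

static int hex_val(uint16_t c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse a UTF-16 vault GUID into its 16-byte form. `avail` is how many code
 * units the caller's buffer really holds (for an IOCTL, InputBufferLength/2).
 * The copy into the fixed stack buffer is bounded by both `avail` and
 * GUID_TEXT_LEN, so a missing terminator or an over-long GUID is rejected
 * instead of running past the end of `local`. */
bool parse_vault_guid(const uint16_t *text, size_t avail, guid_t *out) {
    uint16_t local[GUID_TEXT_LEN];
    size_t n = 0;
    while (n < avail && text[n] != 0) {        /* not "read until NUL" */
        if (n >= GUID_TEXT_LEN) return false;  /* would overflow: reject */
        local[n] = text[n]; n++;
    }
    if (n != GUID_TEXT_LEN) return false;      /* too short or truncated */
    memset(out->bytes, 0, sizeof out->bytes);
    int pos = 0;
    for (size_t i = 0; i < GUID_TEXT_LEN; i++) {
        if (i == 8 || i == 13 || i == 18 || i == 23) {
            if (local[i] != '-') return false;
            continue;
        }
        int v = hex_val(local[i]);
        if (v < 0) return false;
        out->bytes[pos / 2] |= (uint8_t)(pos % 2 ? v : v << 4);
        pos++;
    }
    return true;
}

/* Constructed inputs only: widen ASCII to UTF-16 (terminator if it fits),
 * hand the parser `avail` code units, return -1 if rejected else byte 0. */
int demo(const char *s, size_t avail) {
    uint16_t buf[64] = {0}; guid_t g; size_t i;
    for (i = 0; s[i] && i < 64; i++) buf[i] = (uint16_t)(unsigned char)s[i];
    return parse_vault_guid(buf, avail, &g) ? g.bytes[0] : -1;
}
```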
