Vulnerability details

Arcabit ArcaVir Antivirus IOCTL Request Local Privilege Escalation Vulnerability

  • CNNVD ID: CNNVD-200905-343
  • Severity: High
  • CVE ID: CVE-2009-1824
  • Vulnerability type: Input validation
  • Published: 2009-05-29
  • Threat type: Local
  • Updated: 2009-06-01
  • Vendor: arcabit
  • Reported by: NT Internals

Vulnerability description

ArcaVir is a full-featured anti-virus program from Poland.

The ps_drv.sys driver shipped with the ArcaVir antivirus products lets any user open the \Device\ps_drv device and issue IOCTLs that use the METHOD_NEITHER buffering mode, in which the kernel passes the caller's pointers through to the driver unvalidated. A local user can hand the driver a kernel address as a parameter and thereby overwrite arbitrary kernel memory and execute arbitrary kernel-mode code. The following listing shows one of the vulnerable IOCTL handlers:

seg000:00023F3C RootkitMemoryBlock proc near
seg000:00023F3C
seg000:00023F3C ArcaStruct   = dword ptr -14h
seg000:00023F3C Buffer       = dword ptr -10h
seg000:00023F3C InputBuffer  = dword ptr -0Ch
seg000:00023F3C BufferLength = dword ptr -8
seg000:00023F3C Address      = dword ptr -4
seg000:00023F3C
seg000:00023F3C push    ebp
seg000:00023F3D mov     ebp, esp
seg000:00023F3F sub     esp, 14h
seg000:00023F42 mov     [ebp+ArcaStruct], ecx
seg000:00023F45 push    offset StrRootkitMemBlock ; "ROOTKIT_MEMBLOCK\n"
seg000:00023F4A call    DbgPrint
seg000:00023F4F add     esp, 4
seg000:00023F52 mov     eax, [ebp+ArcaStruct]
seg000:00023F55 cmp     [eax+_ARCA_STRUCT.InputBufferLength], 8
seg000:00023F5C jnz     short @@invalid_input_buffer_size
seg000:00023F5E mov     ecx, [ebp+ArcaStruct]
seg000:00023F61 cmp     [ecx+_ARCA_STRUCT.Type3InputBuffer], 0
seg000:00023F68 jnz     short @@check_passed_parameters
seg000:00023F6A
seg000:00023F6A @@invalid_input_buffer_size:
seg000:00023F6A push    offset StrInvalidInputBufferSize ; "Zły rozmiar input bufora\n" (Polish: "Wrong input buffer size")
seg000:00023F6F call    DbgPrint
seg000:00023F74 add     esp, 4
seg000:00023F77 mov     eax, STATUS_INVALID_BUFFER_SIZE
seg000:00023F7C jmp     @@exit
seg000:00023F81
seg000:00023F81 @@check_passed_parameters:
seg000:00023F81 mov     edx, [ebp+ArcaStruct]
seg000:00023F84 mov     eax, [edx+_ARCA_STRUCT.Type3InputBuffer] ; user-supplied pointer, never probed
seg000:00023F8A mov     ecx, [eax]                               ; first DWORD: address to read from
seg000:00023F8C mov     edx, [eax+4]                             ; second DWORD: number of bytes
seg000:00023F8F mov     [ebp+InputBuffer], ecx
seg000:00023F92 mov     [ebp+BufferLength], edx
seg000:00023F95 cmp     [ebp+BufferLength], 0
seg000:00023F99 jnz     short @@check_output_buffer
seg000:00023F9B push    offset StrInvalidInputAddress ; "Zerowy rozmiar bufora do odczytu\n" (Polish: "Zero size of buffer to read")
seg000:00023FA0 call    DbgPrint
seg000:00023FA5 add     esp, 4
seg000:00023FA8 mov     eax, STATUS_INVALID_PARAMETER
seg000:00023FAD jmp     @@exit
seg000:00023FB2
seg000:00023FB2 @@check_output_buffer:
seg000:00023FB2 mov     eax, [ebp+ArcaStruct]
seg000:00023FB5 mov     ecx, [eax+_ARCA_STRUCT.OutputBufferLength]
seg000:00023FBB cmp     ecx, [ebp+BufferLength]
seg000:00023FBE jnz     short @@invalid_output_buffer_size
seg000:00023FC0 mov     edx, [ebp+ArcaStruct]
seg000:00023FC3 cmp     [edx+_ARCA_STRUCT.UserBuffer], 0
seg000:00023FCA jnz     short @@check_address
seg000:00023FCC
seg000:00023FCC @@invalid_output_buffer_size:
seg000:00023FCC push    offset StrInvalidOutputBufferSize ; "Zły rozmiar output bufora\n" (Polish: "Wrong output buffer size")
seg000:00023FD1 call    DbgPrint
seg000:00023FD6 add     esp, 4
seg000:00023FD9 mov     eax, STATUS_INVALID_BUFFER_SIZE
seg000:00023FDE jmp     short @@exit
seg000:00023FE0
seg000:00023FE0 @@check_address:
seg000:00023FE0 mov     eax, [ebp+InputBuffer]
seg000:00023FE3 mov     [ebp+Buffer], eax
seg000:00023FE6 mov     ecx, [ebp+BufferLength]
seg000:00023FE9 mov     edx, [ebp+InputBuffer]
seg000:00023FEC lea     eax, [edx+ecx-1]                         ; last byte of the requested range
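The validation gap, modelled in portable C as an added example (not the driver's code and not from the NT Internals advisory): validate_visible_checks mirrors only the size and non-NULL tests the listing shows (the listing is cut off before any address comparison), while validate_hardened additionally requires every caller-supplied range to lie below the 32-bit user-mode ceiling and not wrap. The structure layout, the constant names, and the sample requests are assumptions or constructed test data.

```c
#include <stdbool.h>
#include <stdint.h>
/* Request as the listing reads it: _ARCA_STRUCT fields plus the two DWORDs in the
   METHOD_NEITHER input buffer. Layout assumed; user pointers modelled as values. */
typedef struct {
    uint32_t InputBufferLength, OutputBufferLength;
    uint32_t Type3InputBuffer;   /* caller-supplied pointer to MemBlockArgs */
    uint32_t UserBuffer;         /* caller-supplied destination pointer */
} ArcaRequest;
typedef struct { uint32_t Address, Length; } MemBlockArgs;  /* read from here, this many bytes */

#define STATUS_SUCCESS             0x00000000u
#define STATUS_ACCESS_VIOLATION    0xC0000005u
#define STATUS_INVALID_PARAMETER   0xC000000Du
#define STATUS_INVALID_BUFFER_SIZE 0xC0000206u
#define USER_PROBE_ADDRESS         0x7FFF0000u  /* MmUserProbeAddress, 32-bit Windows */

/* Only the checks visible in the listing: sizes and non-NULL pointers. Nothing
   constrains where Address points, so a kernel-space Address is accepted. */
uint32_t validate_visible_checks(const ArcaRequest *r, const MemBlockArgs *a) {
    if (r->InputBufferLength != 8 || r->Type3InputBuffer == 0) return STATUS_INVALID_BUFFER_SIZE;
    if (a->Length == 0) return STATUS_INVALID_PARAMETER;
    if (r->OutputBufferLength != a->Length || r->UserBuffer == 0) return STATUS_INVALID_BUFFER_SIZE;
    return STATUS_SUCCESS;
}

/* A range is usable only if it is non-empty, does not wrap, and ends below the
   user-mode ceiling; ProbeForRead/ProbeForWrite (inside __try/__except) enforce
   this in a real driver. */
static bool user_range_ok(uint32_t base, uint32_t len) {
    if (len == 0 || base > UINT32_MAX - (len - 1)) return false;
    return base + (len - 1) < USER_PROBE_ADDRESS;
}

/* Hardened dispatch: every caller-supplied pointer is range-checked before use. */
uint32_t validate_hardened(const ArcaRequest *r, const MemBlockArgs *a) {
    uint32_t st = validate_visible_checks(r, a);
    if (st != STATUS_SUCCESS) return st;
    if (!user_range_ok(r->Type3InputBuffer, sizeof(MemBlockArgs))) return STATUS_ACCESS_VIOLATION;
    if (!user_range_ok(a->Address, a->Length)) return STATUS_ACCESS_VIOLATION;
    if (!user_range_ok(r->UserBuffer, a->Length)) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Constructed sample inputs (test data, not captured traffic). */
static const ArcaRequest SAMPLE_REQ   = {8, 16, 0x00401000u, 0x00402000u};
static const MemBlockArgs ARGS_USER   = {0x00400000u, 16};
static const MemBlockArgs ARGS_KERNEL = {0x80400000u, 16};   /* above USER_PROBE_ADDRESS */
static const MemBlockArgs ARGS_WRAP   = {0xFFFFFFF8u, 16};   /* base + len wraps around */
```

The kernel-address request passes the visible checks unchanged and is rejected only by the hardened variant, which is the property a patched driver (or a fuzzing harness for one) should be checked for.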

Vulnerability advisory

The vendor has released an update that fixes this security issue; it can be obtained from:

http://www.arcabit.com/

References

Source: VUPEN
Name: ADV-2009-1428
Link: http://www.vupen.com/english/advisories/2009/1428

Source: BID
Name: 35100
Link: http://www.securityfocus.com/bid/35100

Source: MILW0RM
Name: 8782
Link: http://www.milw0rm.com/exploits/8782

Source: SECUNIA
Name: 35260
Link: http://secunia.com/advisories/35260

Source: MISC
Link: http://ntinternals.org/ntiadv0814/PsDrv_Exp.zip

Source: MISC
Link: http://ntinternals.org/ntiadv0814/ntiadv0814.html

Patch

    None available
