Vulnerability details
Arcabit ArcaVir Antivirus IOCTL Request Local Privilege Escalation Vulnerability
- CNNVD ID: CNNVD-200905-343
- Severity: High
- CVE ID: CVE-2009-1824
- Vulnerability type: Input validation
- Published: 2009-05-29
- Threat type: Local
- Updated: 2009-06-01
- Vendor: arcabit
- Vulnerability source: NT Internals
Vulnerability overview
ArcaVir is a full-featured antivirus program from Poland.
The ps_drv.sys driver shipped with the ArcaVir antivirus products lets any user open the `\Device\ps_drv` device and issue IOCTLs that use the METHOD_NEITHER buffering mode. In that mode the driver receives raw user-mode pointers, and the handler does not validate the address it is handed, so a local user can pass a kernel address as the parameter, overwrite an arbitrary kernel address and run arbitrary kernel-mode code. Below is one of the vulnerable IOCTL handlers:
```asm
seg000:00023F3C RootkitMemoryBlock proc near
seg000:00023F3C
seg000:00023F3C ArcaStruct = dword ptr -14h
seg000:00023F3C Buffer = dword ptr -10h
seg000:00023F3C InputBuffer = dword ptr -0Ch
seg000:00023F3C BufferLength = dword ptr -8
seg000:00023F3C Address = dword ptr -4
seg000:00023F3C
seg000:00023F3C push ebp
seg000:00023F3D mov ebp, esp
seg000:00023F3F sub esp, 14h
seg000:00023F42 mov [ebp+ArcaStruct], ecx
seg000:00023F45 push offset StrRootkitMemBlock ; "ROOTKIT_MEMBLOCK\n"
seg000:00023F4A call DbgPrint
seg000:00023F4F add esp, 4
seg000:00023F52 mov eax, [ebp+ArcaStruct]
seg000:00023F55 cmp [eax+_ARCA_STRUCT.InputBufferLength], 8
seg000:00023F5C jnz short @@invalid_input_buffer_size
seg000:00023F5E mov ecx, [ebp+ArcaStruct]
seg000:00023F61 cmp [ecx+_ARCA_STRUCT.Type3InputBuffer], 0
seg000:00023F68 jnz short @@check_passed_parameters
seg000:00023F6A
seg000:00023F6A @@invalid_input_buffer_size:
seg000:00023F6A push offset StrInvalidInputBufferSize ; "Zły rozmiar input bufora\n" (Polish: "Bad input buffer size")
seg000:00023F6F call DbgPrint
seg000:00023F74 add esp, 4
seg000:00023F77 mov eax, STATUS_INVALID_BUFFER_SIZE
seg000:00023F7C jmp @@exit
seg000:00023F81
seg000:00023F81 @@check_passed_parameters:
seg000:00023F81 mov edx, [ebp+ArcaStruct]
seg000:00023F84 mov eax, [edx+_ARCA_STRUCT.Type3InputBuffer]
seg000:00023F8A mov ecx, [eax]
seg000:00023F8C mov edx, [eax+4]
seg000:00023F8F mov [ebp+InputBuffer], ecx
seg000:00023F92 mov [ebp+BufferLength], edx
seg000:00023F95 cmp [ebp+BufferLength], 0
seg000:00023F99 jnz short @@check_output_buffer
seg000:00023F9B push offset StrInvalidInputAddress ; "Zerowy rozmiar bufora do odczytu\n" (Polish: "Zero-sized read buffer")
seg000:00023FA0 call DbgPrint
seg000:00023FA5 add esp, 4
seg000:00023FA8 mov eax, STATUS_INVALID_PARAMETER
seg000:00023FAD jmp @@exit
seg000:00023FB2
seg000:00023FB2 @@check_output_buffer:
seg000:00023FB2 mov eax, [ebp+ArcaStruct]
seg000:00023FB5 mov ecx, [eax+_ARCA_STRUCT.OutputBufferLength]
seg000:00023FBB cmp ecx, [ebp+BufferLength]
seg000:00023FBE jnz short @@invalid_output_buffer_size
seg000:00023FC0 mov edx, [ebp+ArcaStruct]
seg000:00023FC3 cmp [edx+_ARCA_STRUCT.UserBuffer], 0
seg000:00023FCA jnz short @@check_address
seg000:00023FCC
seg000:00023FCC @@invalid_output_buffer_size:
seg000:00023FCC push offset StrInvalidOutputBufferSize ; "Zły rozmiar output bufora\n" (Polish: "Bad output buffer size")
seg000:00023FD1 call DbgPrint
seg000:00023FD6 add esp, 4
seg000:00023FD9 mov eax, STATUS_INVALID_BUFFER_SIZE
seg000:00023FDE jmp short @@exit
seg000:00023FE0
seg000:00023FE0 @@check_address:
seg000:00023FE0 mov eax, [ebp+InputBuffer]
seg000:00023FE3 mov [ebp+Buffer], eax
seg000:00023FE6 mov ecx, [ebp+BufferLength]
seg000:00023FE9 mov edx, [ebp+InputBuffer]
seg000:00023FEC lea eax, [edx+ecx-1]
```
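The defect class the description calls out, as an added example that is not ArcaVir code: a user-mode C model of the checks a 32-bit METHOD_NEITHER handler must apply to the caller's (address, length) pair. `vulnerable_check` applies only the size checks visible in the listing above, while `hardened_check` adds the range rule that ProbeForRead/ProbeForWrite enforce; the names, status values and the 0x7FFF0000 probe address are assumptions for the model, and in a real driver the probes run inside __try/__except.

```c
#include <stdbool.h>
#include <stdint.h>
/* Added example, not ps_drv.sys code: a user-mode model of the checks a 32-bit
 * METHOD_NEITHER handler must apply to the (address, length) pair that the listing
 * above reads from Type3InputBuffer. All names and values are constructed. */
/* The 8-byte input the listing loads into InputBuffer and BufferLength. */
typedef struct {
    uint32_t address;   /* caller-supplied address the driver will read from */
    uint32_t length;    /* caller-supplied byte count */
} ps_request_t;

typedef enum {
    REQ_OK,
    REQ_INVALID_BUFFER_SIZE,   /* STATUS_INVALID_BUFFER_SIZE in the listing */
    REQ_INVALID_PARAMETER,     /* STATUS_INVALID_PARAMETER in the listing */
    REQ_ACCESS_VIOLATION       /* what ProbeForRead/ProbeForWrite raise */
} req_status_t;

/* MmUserProbeAddress on 32-bit Windows with the default 2 GB user split (assumed). */
#define MODEL_USER_PROBE_ADDRESS 0x7FFF0000u

/* The rule ProbeForRead/ProbeForWrite enforce: zero length always passes;
 * otherwise the range must not wrap and must end at or below MmUserProbeAddress. */
static bool probe_range_ok(uint32_t address, uint32_t length) {
    if (length == 0) return true;
    uint32_t end = address + length;   /* uint32_t arithmetic wraps modulo 2^32 */
    if (end < address) return false;   /* range wraps around the address space */
    return end <= MODEL_USER_PROBE_ADDRESS;
}

/* Only the size checks visible in the listing: non-null 8-byte input, non-zero
 * length, output length equal to the requested length. Nothing limits where
 * `address` points, so a kernel address passes. */
req_status_t vulnerable_check(const ps_request_t *req, uint32_t in_len, uint32_t out_len) {
    if (!req || in_len != sizeof(*req)) return REQ_INVALID_BUFFER_SIZE;
    if (req->length == 0) return REQ_INVALID_PARAMETER;
    if (out_len != req->length) return REQ_INVALID_BUFFER_SIZE;
    return REQ_OK;
}

/* Same checks, then both caller-supplied ranges are probed before any copy, so a
 * kernel address in either the source or the output buffer is rejected. */
req_status_t hardened_check(const ps_request_t *req, uint32_t in_len,
                            uint32_t out_addr, uint32_t out_len) {
    req_status_t s = vulnerable_check(req, in_len, out_len);
    if (s != REQ_OK) return s;
    if (!probe_range_ok(req->address, req->length)) return REQ_ACCESS_VIOLATION;
    if (!probe_range_ok(out_addr, out_len)) return REQ_ACCESS_VIOLATION;
    return REQ_OK;
}
```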
Vulnerability announcement
The vendor has released an upgrade patch that fixes this security issue; patch download link:
http://www.arcabit.com/
References
Source: VUPEN
Name: ADV-2009-1428
Link: http://www.vupen.com/english/advisories/2009/1428
Source: BID
Name: 35100
Link: http://www.securityfocus.com/bid/35100
Source: MILW0RM
Name: 8782
Link: http://www.milw0rm.com/exploits/8782
Source: SECUNIA
Name: 35260
Link: http://secunia.com/advisories/35260
Source: MISC
Link: http://ntinternals.org/ntiadv0814/PSDrv_Exp.zip
Source: MISC
Link: http://ntinternals.org/ntiadv0814/ntiadv0814.HTML
Affected entities
- Arcabit Arcavir_2009_home_protection:9.4.3204.9
- Arcabit Arcavir_2009_system_protection:9.4.3203.9
- Arcabit Arcavir_2009_internet_security:9.4.3202.9
- Arcabit Arcavir_2009_antivirus_protection:9.4.3201.9
Patch
None available