CVE-2015-3444 – K7 Multiple Products Privilege Escalation [K7FWFilt.sys]
Vulnerability title: K7 Multiple Products Privilege Escalation [K7FWFilt.sys]
Vendor: K7 Computing Pvt Ltd
Affected version: N/A
Fixed version: N/A
Reported by: Kyriakos Economou
Latest, and possibly earlier versions of K7FWFilt.sys kernel mode driver for Windows XP and Server 2003, named also as ‘K7Firewall Packet Driver’ suffers from a trusted value vulnerability that can be tricked through an IOCTL request with a specifically crafted input buffer and allow a local attacker to gain SYSTEM privileges from any account type.
IOCTL 0x830020cc allows us to ‘control’ the execution up to a function that compares some of our input data with a list of pointers. Matching the first pointer will later cause the faulty driver to make a call to wanarp!WanNdisReceiveComplete which in turn will attempt to call an uninitialized imported function pointer to wanarp!g_pfnIpRcvComplete as shown below.
ba15d052 call dword ptr [wanarp!g_pfnIpRcvComplete]
ba15d058 ret 4
The pointer to wanarp!g_pfnIpRcvComplete is not initialized which means that EIP will be redirected at the beginning of the NULL page (0x00000000).
Matching the pointer, as mentioned above, in order to jump on the NULL page can be easily achieved by using IOCTL 0x830020c4 to perform a limited kernel memory leak for the required magic value.