CVE-2014-4973 – Privilege Escalation in ESET Windows Products

CVE: CVE-2014-4973
Vendor: ESET
Product: ESET Windows Products
Affected version: v5.0 – 7.0 (Firewall Module Build 1183 (20140214) and earlier)
Fixed version: v6 – v7 (Firewall Module Build 1212 (20140609))
Reported by: Kyriakos Economou

Versions 5.0 – 7.0 of ESET Smart Security and ESET Endpoint Security for Windows XP and Server 2003 allow a low-privileged user to execute code as SYSTEM by exploiting a vulnerability in the ESET Personal Firewall NDIS filter kernel-mode driver (EpFwNdis.sys), also referred to as the Personal Firewall module, Build 1183 (20140214) and earlier. This is a 'trusted value vulnerability': a specific IOCTL, sent with a specially crafted buffer, causes the driver to treat an improper IOCTL as valid.
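The 'trusted value' pattern in an IOCTL handler, shown as an added user-mode C model that is not ESET's driver code (the page does not disclose the real IOCTL code or buffer layout, so `MODEL_IOCTL_SET_RULE` and `struct rule_request` are placeholders): the vulnerable handler sizes its copy from a length the caller wrote into the buffer, while the hardened one bounds it by the sizes the I/O manager already validated.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed user-mode model, not ESET's driver code. in_len/out_len are the
 * buffer sizes the I/O manager already validated for the IRP; payload_len is
 * whatever the caller wrote into the request header. */
#define MODEL_IOCTL_SET_RULE 0x1234u  /* placeholder, not the real IOCTL code */

struct rule_request {
    uint32_t ioctl;        /* IOCTL code echoed by the caller */
    uint32_t payload_len;  /* caller-controlled length: the trusted value */
    uint8_t  payload[16];
};

/* Both handlers return the byte count they would memcpy, or -1 to reject. */
long decide_copy_trusting(const uint8_t *in, size_t in_len, size_t out_len)
{
    struct rule_request req;
    if (in_len < sizeof req) return -1;
    memcpy(&req, in, sizeof req);
    if (req.ioctl != MODEL_IOCTL_SET_RULE) return -1;
    (void)out_len;                /* bug: validated output size never consulted */
    return (long)req.payload_len; /* caller's length drives the copy */
}

long decide_copy_hardened(const uint8_t *in, size_t in_len, size_t out_len)
{
    struct rule_request req;
    if (in_len < sizeof req) return -1;
    memcpy(&req, in, sizeof req);
    if (req.ioctl != MODEL_IOCTL_SET_RULE) return -1;
    /* bound by the sizes the I/O manager validated, never by the header */
    if (req.payload_len > sizeof req.payload || req.payload_len > out_len)
        return -1;
    return (long)req.payload_len;
}

/* Build one request with a caller-chosen payload_len and run it through the
 * chosen handler against an output buffer of out_len bytes. */
long crafted_case(int hardened, uint32_t claimed_len, size_t out_len)
{
    struct rule_request req;
    memset(&req, 0, sizeof req);
    req.ioctl = MODEL_IOCTL_SET_RULE;
    req.payload_len = claimed_len;
    return hardened ? decide_copy_hardened((const uint8_t *)&req, sizeof req, out_len)
                    : decide_copy_trusting((const uint8_t *)&req, sizeof req, out_len);
}
```

The same request with an oversized header length is accepted by the trusting handler and rejected by the hardened one; a length that fits both the payload field and the validated output size passes both.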

Further reading: NDI5aster – Privilege Escalation through NDIS 5.x Filter Intermediate Drivers

All Rights R3v3rs3d