CVE-2014-8956 – Privilege Escalation In K7 Computing Multiple Products

Vulnerability title: Privilege Escalation In K7 Computing Multiple Products [K7Sentry.sys]
CVE: CVE-2014-8956
Vendor: K7 Computing
Product: Multiple Products [K7Sentry.sys]
Affected version:
Fixed version:
Reported by: Kyriakos Economou

Latest, and possibly earlier versions of K7Sentry.sys kernel mode driver, also named as the ‘K7AV Sentry DeviceDriver’, suffers from a Out-of-bounds Write condition that can be exploited locally by an attacker in order to execute code with kernel privileges. Successful exploitation of this bug results into vertical privilege escalation.

Technical Details:

The function handling IOCTL 0x9500259C does not validate the size of the input before it starts copying the data into a statically allocated array inside the driver module itself in the .data section at address K7Sentry + 0xdaec8.

b9d05da0 837e0404 cmp dword ptr [esi+4],4
b9d05da4 7233 jb K7Sentry+0x9dd9
b9d05da6 8b4608 mov eax,dword ptr [esi+8]
b9d05da9 85c0 test eax,eax
b9d05dab 742c je K7Sentry+0x9dd9 (b9d05dd9)
b9d05dad  mov edx,offset K7Sentry+0xdaec8
b9d05db2 2bd0 sub edx,eax
b9d05db4 8a08 mov cl,byte ptr [eax]
b9d05db6 880c02 mov byte ptr [edx+eax],cl
b9d05db9 40 inc eax
b9d05dba 84c9 test cl,cl
b9d05dbc 75f6 jne K7Sentry+0x9db4
b9d05dbe 837e0c04 cmp dword ptr [esi+0Ch],4
b9d05dc2 7212 jb K7Sentry+0x9dd6
b9d05dc4 8b4610 mov eax,dword ptr [esi+10h]
b9d05dc7 8b4e14 mov ecx,dword ptr [esi+14h]
b9d05dca c70001000000 mov dword ptr [eax],1
b9d05dd0 c70104000000 mov dword ptr [ecx],4
b9d05dd6 33c0 xor eax,eax
b9d05dd8 c3 ret
b9d05dd9 b8010000c0 mov eax,0C0000001h
b9d05dde c3 ret

As shown above, this function will keep copying data to an array allocated in .data section of the driver which has a size of 0x800 bytes, until it finds a NULL byte which defines the end of an ASCII string, just like an inlined strcpy function. Since the function does not validate further the size of the data to copy against the size of the array, we are able to keep copying data that we fully control and overwrite other data and function pointers used by other functions.

Further details at:

All Rights R3v3rs3d