| Advisory NTIADV0809 | |
| mks_vir (mksmonen.sys) Privilege Escalation Vulnerability | |
| Vendor | MKS Sp. z o. o. |
| Affected Software | mks_vir 9 BETA < 1.2.0.0 - build 297 |
| Affected Driver | mksmonen.sys |
| Date Reported | 2008-10-17 |
| Release Date | 2009-03-07 |
| Status | Fixed - mks_vir 9 BETA build 297 |
| Exploit | MksMonEn_Exp.zip - Local Privilege Escalation Exploit |
| Disclosure Timeline | |
2008-10-17 - Vulnerability reported to vendor
2008-10-21 - Vendor response
2008-11-15 - Status update request
2008-11-20 - Vendor response
2008-12-12 - Status update request
2008-12-12 - Vendor response
2008-12-16 - Partial update released by the vendor
2008-12-16 - Vulnerability reported to vendor a second time
2008-12-16 - Vendor response
2009-01-27 - Status update request (no response)
2009-02-27 - Status update request (no response)
2009-01-26 - Second update released by the vendor
2009-03-07 - Full technical details released to general public
| Description | |
mks_vir is prone to a local privilege escalation vulnerability, which could be exploited by local users in order to execute arbitrary code with kernel privileges.
| Details | |
The problem specifically exists within the IOCTL handling code in the mksmonen.sys device driver. The driver fails to validate user-supplied addresses passed to its IOCTLs. All IOCTLs are defined as METHOD_NEITHER, so the I/O manager performs no buffer copying or probing on the driver's behalf; the handler for IOCTL 0x95FE0007 shown below checks only the input buffer length and then writes a kernel address (offset scanimpl) through the unprobed user-supplied pointer.
...
.text:000113A7 @@ioctl_0x95FE0007:
.text:000113A7 cmp [ebp+InputBufferLength], 4
.text:000113AB jnb short @@buffer_length_ok
.text:000113AD
.text:000113AD @@invalid_device_request:
.text:000113AD mov dword ptr [ebx], STATUS_INVALID_DEVICE_REQUEST
.text:000113B3 jmp @@exit
.text:000113B8
.text:000113B8 @@buffer_length_ok:
.text:000113B8 mov eax, [ebp+InputBuffer]
.text:000113BB mov dword ptr [eax], offset scanimpl ; Type3InputBuffer[0] <- 0xXXXXXXXX
.text:000113C1 jmp @@exit
...
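The missing check, as an added user-mode model that is not the vendor's code: the address space is simulated as a byte array, `USER_PROBE_ADDRESS` stands in for MmUserProbeAddress, and `probe_for_write` mirrors the alignment and range tests ProbeForWrite applies; the fixed handler shows the validation the shipped handler omits.

```c
/* Constructed model of the 0x95FE0007 handler (not the driver's source).
 * Offsets below USER_PROBE_ADDRESS are "user", at or above are "kernel". */
#include <stdint.h>
#include <string.h>

#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_ACCESS_VIOLATION       0xC0000005u /* raised by ProbeForWrite */
#define STATUS_DATATYPE_MISALIGNMENT  0x80000002u

#define ADDRESS_SPACE_SIZE 0x100u
#define USER_PROBE_ADDRESS 0x80u       /* model of MmUserProbeAddress */
#define SCANIMPL           0xDEADBEEFu /* stands in for "offset scanimpl" */

uint8_t address_space[ADDRESS_SPACE_SIZE];

/* Model of ProbeForWrite: zero length is fine, the address must be aligned,
 * and [addr, addr+len) must lie entirely below the user probe address. */
static uint32_t probe_for_write(uint32_t addr, uint32_t len, uint32_t align) {
    if (len == 0) return STATUS_SUCCESS;
    if (addr % align != 0) return STATUS_DATATYPE_MISALIGNMENT;
    if (addr + len < addr || addr + len > USER_PROBE_ADDRESS)
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* As shipped: length is checked, the pointer is trusted, 4 bytes land anywhere. */
uint32_t ioctl_95FE0007_vulnerable(uint32_t in_buf, uint32_t in_len) {
    if (in_len < 4) return STATUS_INVALID_DEVICE_REQUEST;
    if (in_buf + 4 > ADDRESS_SPACE_SIZE) return STATUS_ACCESS_VIOLATION; /* model bound only */
    uint32_t value = SCANIMPL;
    memcpy(&address_space[in_buf], &value, 4); /* Type3InputBuffer[0] <- scanimpl */
    return STATUS_SUCCESS;
}

/* Fixed: METHOD_NEITHER hands the driver a raw user pointer, so probe it
 * before writing (in a real driver, inside __try/__except). */
uint32_t ioctl_95FE0007_fixed(uint32_t in_buf, uint32_t in_len) {
    if (in_len < 4) return STATUS_INVALID_DEVICE_REQUEST;
    uint32_t st = probe_for_write(in_buf, 4, sizeof(uint32_t));
    if (st != STATUS_SUCCESS) return st;
    uint32_t value = SCANIMPL;
    memcpy(&address_space[in_buf], &value, 4);
    return STATUS_SUCCESS;
}

/* Read back 4 bytes at a simulated address, to observe what each handler did. */
uint32_t read_u32(uint32_t addr) {
    uint32_t v;
    memcpy(&v, &address_space[addr], 4);
    return v;
}
```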