Advisory NTIADV0812
CloneCD/CloneDVD/Virtual CloneDrive/AnyDVD & AnyDVD HD (ElbyCDIO.sys) Multiple Vulnerabilities
Vendor: SlySoft Inc.
Affected Software: CloneCD < 5.3.1.4
                   CloneDVD < 2.9.2.2
                   Virtual CloneDrive < 5.4.2.5
                   AnyDVD & AnyDVD HD < 6.5.2.8
Affected Driver: ElbyCD Windows NT/2000/XP I/O driver - ElbyCDIO.sys < 6.0.3.2
Date Reported: 2008-12-23
Release Date: 2009-03-18
Status: Fixed
Exploit: ElbyCDIO_Exp.zip - Local Privilege Escalation Exploit
Disclosure Timeline: 2008-12-23 - Vulnerability reported to vendor
                     2008-12-23 - Vendor response
                     2009-01-24 - Status update request
                     2009-01-29 - Vendor response (First incomplete update released)
                     2009-01-31 - Vendor response (Second update released)
                     2009-02-07 - Vulnerability reported to vendor (Updated)
                     2009-02-11 - Vendor response
                     2009-03-06 - Vendor released fixed version
                     2009-03-12 - Public disclosure by Positive Technologies Research Team
                     2009-03-18 - Public disclosure by NT Internals
Description:
CloneCD/CloneDVD/Virtual CloneDrive/AnyDVD & AnyDVD HD are prone to local privilege escalation vulnerabilities in the ElbyCDIO.sys driver.
Details:
The vulnerability is caused by the IOCTL handler of the ElbyCDIO.sys <= 6.0.1.2 driver improperly validating user-space parameters. This can be exploited to overwrite an arbitrary address and execute arbitrary code in kernel space via a specially crafted IOCTL. ElbyCDIO also exposes IOCTLs that create, open and delete registry keys, create files and close user-supplied handles.

		...
		.text:00011772  @@ioctl_overwrite_ulong :
		.text:00011772                  cmp     dword ptr [ebp-20h], 4         ; OutputBufferLength 
		.text:00011776                  jnz     @@invalid_parameter 
		.text:0001177C                  mov     eax, [ecx+3Ch]                 ; UserBuffer 
		.text:0001177F                  mov     dword ptr [eax], 0Fh           ; UserBuffer[0] = 0x0000000F 
		.text:00011785 
		.text:00011785  @@set_status_success :
		.text:00011785                  xor     ebx, ebx
		.text:00011787                  jmp     @@complete_request 
		...
		
Update - 07 February 2009
ElbyCDIO.sys <= 6.0.2.0 does not sufficiently validate embedded pointers passed in user-space-supplied parameters. An attacker can exploit this issue to execute arbitrary code with kernel-level privileges.

		...
		.text:0001169B @@ioctl_22E087:
		.text:0001169B                  cmp     dword ptr [ebp-20h], 0Ch       ; InputBufferLength < 0x0C ?
		.text:0001169F                  jb      @@set_information
		.text:000116A5                  mov     eax, [esi+10h]                 ; InputBuffer
		.text:000116A8                  mov     esi, [eax+8]                   ; InputBuffer[2]
		.text:000116AB                  mov     edx, [eax]                     ; InputBuffer[0]
		.text:000116AD                  add     edx, 1Ch
		.text:000116B0                  push    10h
		.text:000116B2                  pop     ecx
		.text:000116B3                  xor     eax, eax
		.text:000116B5                  mov     edi, edx                       ; DestAddress
		.text:000116B7                  rep stosd                              ; memzero
		.text:000116B9                  cmp     esi, ebx                       ; InputBuffer[2] == 0 ?
		.text:000116BB                  jz      short @@complete_request
		.text:000116BD                  xor     ecx, ecx
		.text:000116BF
		.text:000116BF @@loop:
		.text:000116BF                  mov     eax, [esi]                     ; eax = InternalBuffer[0]
		.text:000116C1                  cmp     eax, ebx                       ; InternalBuffer[0] == 0 ?
		.text:000116C3                  jz      short @@complete_request
		.text:000116C5                  mov     [edx], eax                     ; DestAddress[i] = InternalBuffer[i]
		.text:000116C7                  add     edx, 4
		.text:000116CA                  add     esi, 4
		.text:000116CD                  inc     ecx
		.text:000116CE                  cmp     ecx, 0Fh
		.text:000116D1                  jb      short @@loop
		...
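As an added illustration (not part of this advisory or of the vendor's driver), the following user-mode C model shows the address checks the two listings above omit: the first handler writes a ULONG through the UserBuffer pointer after checking only OutputBufferLength, and the second trusts both embedded pointers in InputBuffer. USER_PROBE_LIMIT, the function names and the sample addresses are constructed; in a real driver the same checks are ProbeForRead/ProbeForWrite inside __try/__except.

```c
#include <stdint.h>

/* Constructed user-mode model of the address checks the two ElbyCDIO
 * listings above omit. On 32-bit Windows every user-mode address lies
 * below MmUserProbeAddress (0x7FFF0000 by default); in a driver the
 * checks are ProbeForRead/ProbeForWrite inside __try/__except. Here a
 * plain bound check stands in so the logic can be compiled and run
 * anywhere. Constants mirror the listings; sample addresses used with
 * these functions are constructed. */
#define USER_PROBE_LIMIT 0x7FFF0000u   /* stand-in for MmUserProbeAddress */
#define DEST_OFFSET      0x1Cu         /* "add edx, 1Ch" */
#define DEST_BYTES       (0x10u * 4u)  /* "rep stosd" with ecx = 0x10 */
#define MAX_COPY_DWORDS  0x0Fu         /* "cmp ecx, 0Fh" loop bound */

/* True only if [base, base + len) lies entirely in user space and the
 * end address does not wrap around. */
static int range_in_user_space(uint32_t base, uint32_t len) {
    uint32_t end = base + len;
    return end >= base && end <= USER_PROBE_LIMIT;
}

/* @@ioctl_overwrite_ulong: the handler stores a ULONG through the
 * UserBuffer pointer after checking only OutputBufferLength. A correct
 * handler must also probe that pointer for a 4-byte aligned write. */
int ioctl_overwrite_ulong_args_valid(uint32_t out_len, uint32_t user_buf) {
    if (out_len != 4) return 0;                    /* existing check */
    if (user_buf % 4 != 0) return 0;               /* ProbeForWrite alignment */
    return range_in_user_space(user_buf, 4);       /* missing in the driver */
}

/* @@ioctl_22E087: the handler zeroes 0x40 bytes at InputBuffer[0] + 0x1C
 * and then copies up to 15 non-zero dwords from the pointer held in
 * InputBuffer[2]. Both embedded pointers must be validated before any
 * memory is touched; the driver validated neither. */
int ioctl_22e087_args_valid(const uint32_t *in, uint32_t in_len) {
    if (in_len < 0x0C) return 0;                   /* existing length check */
    uint32_t dest = in[0] + DEST_OFFSET;           /* DestAddress */
    uint32_t src  = in[2];                         /* InternalBuffer */
    if (dest < in[0]) return 0;                    /* offset wrapped */
    if (!range_in_user_space(dest, DEST_BYTES)) return 0;  /* memzero target */
    if (src == 0) return 1;                        /* handler exits early */
    return range_in_user_space(src, MAX_COPY_DWORDS * 4u); /* copy source */
}
```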
		
Copyright © 2008-2009 NT Internals. All rights reserved.