Advisory NTIADV0902 (Accelerated Disclosure)
RISING Antivirus 2008/2009/2010 Privilege Escalation Vulnerability
Vendor: Beijing Rising International Software Co., Ltd.
Affected Software: RISING Antivirus 2008/2009/2010
Affected Driver: RsNTGDI - RsNTGdi.sys
Date Reported: 2009-04-20
Release Date: 2010-01-23
Status: (2010-01-23) Not fixed
        (2010-04-27) Fully fixed - fixed driver is available through software automatic update
Exploit: RsNTGdi_Exp.zip - Local Privilege Escalation Exploit
Disclosure Timeline:
2009-04-20 - Vulnerability reported to vendor
2009-04-21 - Vendor response
2010-01-23 - Full technical details released to general public
2010-04-27 - Vendor provided fully fixed driver
Description
The kernel module RsNTGdi.sys shipped with RISING Antivirus 2008/2009/2010 contains vulnerabilities in the code that handles IOCTL requests. Local exploitation of these vulnerabilities allows an attacker to execute arbitrary code in kernel context. Any user can obtain a handle to the unprotected device "\\Device\\RSNTGDI" and reach the vulnerable IOCTL handling function. In the excerpt below, the handler for IOCTL 0x83003C0B (a METHOD_NEITHER code, so both buffer pointers arrive straight from user mode) checks only that the input and output lengths are at least 4, then reads a DWORD through Type3InputBuffer and writes the result through Irp->UserBuffer without probing either pointer.


		.text:0001036E ; int __stdcall DispatchControl(int DeviceObject, PIRP Irp)
		.text:0001036E DispatchControl proc near
		.text:0001036E
		.text:0001036E NtStatus = dword ptr -4
		.text:0001036E DeviceObject = dword ptr 8
		.text:0001036E Irp = dword ptr 0Ch
		.text:0001036E
		.text:0001036E                 push    ebp
		.text:0001036F                 mov     ebp, esp
		.text:00010371                 push    ecx
		.text:00010372                 push    ebx
		.text:00010373                 push    esi
		.text:00010374                 mov     esi, [ebp+Irp]
		.text:00010377                 and     [ebp+NtStatus], 0
		.text:0001037B                 push    edi
		.text:0001037C                 mov     ecx, [esi+60h]
		.text:0001037F                 and     dword ptr [esi+1Ch], 0
		.text:00010383                 mov     edi, [esi+3Ch]
		.text:00010386                 mov     eax, [ecx+10h]
		.text:00010389                 mov     edx, [ecx+8]
		.text:0001038C                 mov     ebx, [ecx+4]
		.text:0001038F                 mov     ecx, [ecx+0Ch]
		.text:00010392                 cmp     ecx, 83003C03h
		.text:00010398                 mov     [ebp+Irp], ebx
		.text:0001039B                 jz      @@ioctl_83003C03
		.text:000103A1                 cmp     ecx, 83003C07h
		.text:000103A7                 jz      @@ioctl_83003C07
		.text:000103AD                 cmp     ecx, 83003C0Bh
		.text:000103B3                 jz      @@ioctl_83003C0B
		.text:000103B9                 cmp     ecx, 83003C0Fh
		.text:000103BF                 jz      short @@ioctl_83003C0F
		.text:000103C1                 cmp     ecx, 83003C13h
		.text:000103C7                 jz      short @@ioctl_83003C13
		.text:000103C9                 cmp     ecx, 83003C17h
		.text:000103CF                 jz      short @@ioctl_83003C17
		.text:000103D1                 mov     [ebp+NtStatus], 0C000000Dh
		.text:000103D8                 jmp     @@complete_request
		...
		.text:00010458 @@ioctl_83003C0B:
		.text:00010458                 push    4
		.text:0001045A                 pop     ebx
		.text:0001045B                 cmp     edx, ebx
		.text:0001045D                 jb      short @@complete_request
		.text:0001045F                 cmp     [ebp+Irp], ebx
		.text:00010462                 jb      short @@complete_request
		.text:00010464                 push    dword ptr [eax]
		.text:00010466                 call    VidSetTextColor
		.text:0001046B                 mov     [edi], eax
		.text:0001046D                 mov     [esi+1Ch], ebx
		.text:00010470                 jmp     short @@complete_request
		...
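To make the listing concrete, here is an added C model (not code from the advisory or from the RsNTGdi.sys driver) that decodes the six IOCTL codes the dispatcher tests, confirming they are all METHOD_NEITHER, and contrasts the length-only checks performed at @@ioctl_83003C0B with the pointer probing such a handler needs. The 32-bit addresses, the USER_PROBE_ADDRESS constant and the probe_user_range helper are modelling assumptions standing in for ProbeForRead/ProbeForWrite; nothing is dereferenced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* CTL_CODE layout (ntddk.h): DeviceType<<16 | Access<<14 | Function<<2 | Method. */
#define METHOD_NEITHER 3u
typedef struct { uint32_t device_type, access, function, method; } ioctl_fields;
ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f = { code >> 16, (code >> 14) & 3u, (code >> 2) & 0xFFFu, code & 3u };
    return f;
}
/* The six codes DispatchControl compares ecx against in the listing. */
static const uint32_t rsntgdi_codes[] = { 0x83003C03, 0x83003C07, 0x83003C0B,
                                          0x83003C0F, 0x83003C13, 0x83003C17 };
/* True when every code uses METHOD_NEITHER: the I/O manager then hands the driver the raw
   user-mode pointers (Type3InputBuffer, Irp->UserBuffer) and validates nothing itself. */
bool all_method_neither(void) {
    for (size_t i = 0; i < sizeof rsntgdi_codes / sizeof rsntgdi_codes[0]; i++)
        if (decode_ioctl(rsntgdi_codes[i]).method != METHOD_NEITHER) return false;
    return true;
}
/* Model of what the handler at @@ioctl_83003C0B receives: in_ptr = Type3InputBuffer [ecx+10h],
   in_len = InputBufferLength [ecx+8], out_ptr = Irp->UserBuffer [esi+3Ch], out_len =
   OutputBufferLength [ecx+4]. Addresses are 32-bit numbers here; no memory is touched. */
typedef struct { uint32_t in_ptr, in_len, out_ptr, out_len; } neither_request;

#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du  /* the value the listing stores in NtStatus */
#define STATUS_ACCESS_VIOLATION  0xC0000005u
#define USER_PROBE_ADDRESS       0x7FFF0000u  /* MmUserProbeAddress on 32-bit x86 (model) */
/* Stand-in for ProbeForRead/ProbeForWrite (which raise, so a real driver wraps them in
   __try/__except): the range must be aligned and lie entirely below the user/kernel boundary. */
static bool probe_user_range(uint32_t addr, uint32_t len, uint32_t align) {
    return addr % align == 0 && addr + len >= addr && addr + len <= USER_PROBE_ADDRESS;
}

/* As shipped: only the two lengths are compared with 4, then the pointers are used as-is. */
uint32_t validate_as_shipped(const neither_request *r) {
    if (r->in_len < 4 || r->out_len < 4) return STATUS_INVALID_PARAMETER;
    return STATUS_SUCCESS;  /* would now read *in_ptr and write *out_ptr, kernel address or not */
}

/* Hardened: same length checks, plus both user pointers probed before any access. */
uint32_t validate_hardened(const neither_request *r) {
    if (r->in_len < 4 || r->out_len < 4) return STATUS_INVALID_PARAMETER;
    if (!probe_user_range(r->in_ptr, 4, 4) || !probe_user_range(r->out_ptr, 4, 4))
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}
```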
		
Copyright © 2oo8-2oo9 NT Internals. All rights reserved.