View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000987||SpeedFan||Other||public||2007-10-01 13:57||2007-10-01 23:34|
|Platform||x86_64||OS||Vista||OS Version||Vista x64|
|Target Version||Fixed in Version|
|Summary||0000987: Speedfan.sys IOCTL Dispatch Handlers privilege escalation|
|Description||Speedfan.sys is exposed via "\Device\speedfan".|
User-mode programs can issue privileged IOCTLs (IOCTL_RDMSR 0x9C402438 && IOCTL_WRMSR 0x9C40243C) to the driver in order to read or write arbitrary MSRs. For instance, hijacking the MSR_LSTAR an attacker can execute code within the Kernel context.
There is another flaw within the handler for the IOCTL 0x9c402420 which can cause the machine to crash (theorically it might be possible to execute arbitrary code as well, but is very unlikely) because of improper buffer checking.
There is a proof-of-concept available at http://kartoffel.reversemode.com/downloads.php
|Tags||No tags attached.|
|Video Card Model|
||Which is the fix you suggest?|
||By the way, isn't Kernel Patch Protection there to prevent this from happening?|
Restrict the MSRs a user can read/write would be the basic fix. I guess that you are implementing this feature in order to access some thermal information so the driver should block those MSRs that are not related with that field.
PatchGuard verifies certain Kernel structures/areas every 5/10 minutes, on the other hand an attacker just need few miliseconds to exploit this issue.
I will create a list of valid registers. This will force me to update the driver more often than I want, but I prefer security.
I'm going to fix it this evening. Then I will have to remember how to sign the driver :-)
Nice, thanks for your efforts :)
Keep up the good work!
Actually, I think that I will completely disable writing to the MSR.
Is there any security issue, in your opinion, in reading an arbitrary MSR?
||Not really, maybe some sort of information leak but nothing really important I think.|
|2007-10-01 13:57||ruben||New Issue|
|2007-10-01 13:57||ruben||Status||new => assigned|
|2007-10-01 13:57||ruben||Assigned To||=> alfredo|
|2007-10-01 14:41||alfredo||Note Added: 0003006|
|2007-10-01 14:41||alfredo||Status||assigned => acknowledged|
|2007-10-01 14:55||alfredo||Note Added: 0003007|
|2007-10-01 15:08||ruben||Note Added: 0003008|
|2007-10-01 15:43||alfredo||Note Added: 0003010|
|2007-10-01 15:52||ruben||Note Added: 0003011|
|2007-10-01 16:44||alfredo||Note Added: 0003012|
|2007-10-01 23:34||ruben||Note Added: 0003014|