View Issue Details

IDProjectCategoryView StatusLast Update
0000987SpeedFanOtherpublic2007-10-01 23:34
ReporterrubenAssigned Toalfredo 
PrioritynormalSeveritymajorReproducibilityalways
Status acknowledgedResolutionopen 
Platformx86_64OSVistaOS VersionVista x64
Product Version4.33 
Target VersionFixed in Version 
Summary0000987: Speedfan.sys IOCTL Dispatch Handlers privilege escalation
DescriptionSpeedfan.sys is exposed via "\Device\speedfan".

User-mode programs can issue privileged IOCTLs (IOCTL_RDMSR 0x9C402438 && IOCTL_WRMSR 0x9C40243C) to the driver in order to read or write arbitrary MSRs. For instance, hijacking the MSR_LSTAR an attacker can execute code within the Kernel context.

There is another flaw within the handler for the IOCTL 0x9c402420 which can cause the machine to crash (theorically it might be possible to execute arbitrary code as well, but is very unlikely) because of improper buffer checking.

There is a proof-of-concept available at http://kartoffel.reversemode.com/downloads.php


 
TagsNo tags attached.
Motherboard Model
Video Card Model

Activities

alfredo

2007-10-01 14:41

manager   ~0003006

Which is the fix you suggest?

alfredo

2007-10-01 14:55

manager   ~0003007

By the way, isn't Kernel Patch Protection there to prevent this from happening?

ruben

2007-10-01 15:08

reporter   ~0003008

Restrict the MSRs a user can read/write would be the basic fix. I guess that you are implementing this feature in order to access some thermal information so the driver should block those MSRs that are not related with that field.

PatchGuard verifies certain Kernel structures/areas every 5/10 minutes, on the other hand an attacker just need few miliseconds to exploit this issue.

alfredo

2007-10-01 15:43

manager   ~0003010

I will create a list of valid registers. This will force me to update the driver more often than I want, but I prefer security.
I'm going to fix it this evening. Then I will have to remember how to sign the driver :-)

ruben

2007-10-01 15:52

reporter   ~0003011

Nice, thanks for your efforts :)
Keep up the good work!

alfredo

2007-10-01 16:44

manager   ~0003012

Actually, I think that I will completely disable writing to the MSR.
Is there any security issue, in your opinion, in reading an arbitrary MSR?

ruben

2007-10-01 23:34

reporter   ~0003014

Not really, maybe some sort of information leak but nothing really important I think.

Issue History

Date Modified Username Field Change
2007-10-01 13:57 ruben New Issue
2007-10-01 13:57 ruben Status new => assigned
2007-10-01 13:57 ruben Assigned To => alfredo
2007-10-01 14:41 alfredo Note Added: 0003006
2007-10-01 14:41 alfredo Status assigned => acknowledged
2007-10-01 14:55 alfredo Note Added: 0003007
2007-10-01 15:08 ruben Note Added: 0003008
2007-10-01 15:43 alfredo Note Added: 0003010
2007-10-01 15:52 ruben Note Added: 0003011
2007-10-01 16:44 alfredo Note Added: 0003012
2007-10-01 23:34 ruben Note Added: 0003014