[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] McAfee File Lock Driver - Kernel Memory Leak

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>, "advisories@xxxxxxxxxxxxxxxxxxxxxxx" <advisories@xxxxxxxxxxxxxxxxxxxxxxx>, "vuln@xxxxxxxxxxx" <vuln@xxxxxxxxxxx>, "moderators@xxxxxxxxx" <moderators@xxxxxxxxx>, "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: [FD] McAfee File Lock Driver - Kernel Memory Leak
From: Kyriakos Economou <keconomou@xxxxxxxxxxxxx>
Date: Tue, 26 Jan 2016 16:40:15 +0000

*             CVE: CVE-2015-8772
*             Vendor: McAfee - Intel Security
*             Reported by: Kyriakos Economou
*             Date of Release: 26/01/2016
*             Date of Fix: N/A
*             Affected Products: Multiple
*             Affected Version: McPvDrv.sys v4.6.111.0
*             Fixed Version: N/A


Description:
McAfee File Lock Driver does not handle correctly IOCTL_DISK_VERIFY IOCTL 
requests, which leads to kernel memory leak through specifically crafted 
IOCTLs. Normally the IOCTL_DISK_VERIFY IOCTL is used to verify an extent on a 
fixed disk and doesn't return any data.
We have verified this issue in the latest McAfee File Lock v5.x which ships 
with McAfee total protection suite. However, other products that include this 
package will also be affected.

Vulnerable module: McPvDrv.sys v4.6.111.0

Earlier versions of this kernel driver are probably affected by the same issue.


Impact:
A local attacker might be able to disclose sensitive information from kernel 
memory or crash the affected host.


Technical Details:

When we send an IOCTL_DISK_VERIFY IOCTL request the input buffer parameter of 
DeviceIoControl function must be a pointer to a VERIFY_INFORMATION data 
structure.

typedef struct _VERIFY_INFORMATION {
  LARGE_INTEGER StartingOffset;
  DWORD         Length;
} VERIFY_INFORMATION, *PVERIFY_INFORMATION;

The kernel memory leak is generated by the fact that the McPvDrv.sys driver 
doesn't validate the VERIFY_INFORMATION.Length which is controlled by our input 
buffer. Furthermore, the driver trusts that value as the size of the input 
buffer allocated in kernel space, causing the associated function to read data 
passed the size of the specified input buffer and read arbitrary data from 
kernel address space back to userland into a specified output buffer.

Disclosure Log:
Vendor Contacted: 16/09/2015
Request for feedback: 21/09/2015 - No response
Request for feedback: 08/10/2015 - No response
Request for feedback: 13/01/2016 - No response
Public Disclosure: 26/01/2016


Copyright:
Copyright (c) Nettitude Limited 2016, All rights reserved worldwide.

Disclaimer:
The information herein contained may change without notice. Any use of this 
information is at the user's risk and discretion and is provided with no 
warranties. Nettitude and the author cannot be held liable for any impact 
resulting from the use of this information.

Kyriakos Economou
Vulnerability Researcher

[logo]<http://www.nettitude.co.uk/>

P  +44 (0) 845 520 0085 ext 1189
F  +448455 200 222
keconomou@xxxxxxxxxxxxx<mailto:keconomou@xxxxxxxxxxxxx%0d>
www.nettitude.co.uk<http://www.nettitude.co.uk/>


Nettitude NEWS
#Nettitude awarded MSSP of the Year by LogRhythm
#Nettitude features on NBC<http://www.nettitude.com/nbc-interview/>
[Nettitude Awards]<http://www.nettitude.com/>
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . .
Nettitude Limited: 1 Jephson Court * Tancred Close * Leamington Spa * 
Warwickshire * CV31 3RZ
Nettitude Inc: 85 Broad Street * 17th Floor * New York * NY10004 * EIN 
No.36-4694227
Twitter<https://twitter.com/Nettitude_com> * 
LinkedIn<http://uk.linkedin.com/company/nettitude-group> * Google 
Plus<https://plus.google.com/+Nettitude-penetrationtesting/posts> * 
FaceBook<https://www.facebook.com/Nettitude> * 
YouTube<http://www.youtube.com/channel/UCRUUESU5OTfRte0P-pm2MZQ> * 
Threat2Alert<http://www.threat2alert.com/>
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . .
LOVE REFERRALS - please pass our contact details on 
solutions@xxxxxxxxxxxxx<mailto:solutions@xxxxxxxxxxxxx>. Thank you!

______________________________________________________________________
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. If 
you have received this email in error please notify the system manager.

Nettitude employ a secure email policy for sending emails to customers. Should 
your email service support ESMTP, you will likely have received this email over 
TLS. We also utilise a backup secure service via Cisco Registered Envelope 
Service. For more information visit https://res.cisco.com/websafe/about

This footnote also confirms that this email message has been swept by a content 
checking tool for the presence of computer viruses.

Nettitude Limited is a Company registered in England
Registered Address
Nettitude Limited, 1 Jephson Court, Tancred Close, Leamington Spa, 
Warwickshire, CV31 3RZ
Company Registration Number: 4705154
VAT Number: 184 5171 96
www.nettitude.com
______________________________________________________________________

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] HCA0005 - Liberty Global - Horizon HD STB - predictable WiFi
Next by Date: [FD] McAfee File Lock Driver - Kernel Memory Leak
Previous by thread: [FD] HCA0005 - Liberty Global - Horizon HD STB - predictable WiFi
Next by thread: [FD] McAfee File Lock Driver - Kernel Memory Leak
Index(es):
- Date
- Thread