Secret Net 7 and Secret Net Studio 8 - Local Privilege Escalation

EDB-ID:

39520

CVE:

N/A


Author:

Cr4sh

Type:

local


Date:

2016-03-02


Source: https://github.com/Cr4sh/secretnet_expl

Secret Net 7 and Secret Net Studio 8 local privileges escalation exploit.

0day vulnerabilities in sncc0.sys kernel driver of Secrity Code products allows attacker to perform local privileges escalation from Guest to Local System. Also, attacker that has access to any Windows system may manually install sncc0.sys (that has valid digital signature from Security Code) and exploit it's vulnerability to bypass DSE and load unsigned kernel mode drivers on Windows x64 platforms.

For detailed vulnerability analysis and explanation of how sncc0_00220010_expl code works please read Windows DSE bypass part of my article "Exploiting SMM callout vulnerabilities in Lenovo firmware".

This exploit was tested with 64-bit versions of Windows 7, 8, 8.1 and 10. On SMEP enabled systems you have to manually restore original value of CR4 register to avoid PatchGuard bugchecks, for real life usage example please check my fwexpl project.


Proof of Concept:
https://github.com/Cr4sh/secretnet_expl/archive/master.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39520.zip