In the kernel code for the setitimer() system call the 'which' parameter (which is a signed integer) is validated with the mistaken assumption that the value cannot be negative. Passing a negative value for this parameter results in writing into an array indexed with the 'which' parameter and overwriting memory outside the array. This exploit overwrites the current credential structure of the current process to set the user id to 0 (root) then launches a new agent.
The nfds (number of file descriptors) argument to the select() system call is a signed integer. Bounds checking code in the kernel evaluates this argument in a signed context. By passing negative arguments it is possible to cause the kernel to copy a large amount of data from userspace into a buffer on the stack, overflowing the allocated space. This module exploits the vulnerability to lower the system security level to -1 and launches an agent with root privileges.
A vulnerability exists in the system component that handles the Virtual DOS Machine (VDM) subsystem. A local attacker may exploit this vulnerability in order to run code with elevated privileges, fully compromising the vulnerable computer. This module exploits that vulnerability to change the agent's process access token, gaining SYSTEM privileges.
This module exploits a memory corruption vulnerability in Norman Security Suite Nprosec.sys driver when handling IOCTL 0x00220210. This vulnerability allows unprivileged local users to execute code with SYSTEM privileges. This module will elevate the privileges of the current agent instead of installing a new one.
After successful exploitation an agent will be installed. The process being exploited is the winlogon process. Execute the 'RevertToSelf' module after exploitation to get SYSTEM access.
Subscribe to Impact