
List:       full-disclosure
Subject:    [FD] McAfee File Lock Driver - Kernel Memory Leak
From:       Kyriakos Economou <keconomou () nettitude ! com>
Date:       2016-01-26 16:46:01
Message-ID: 061CC584260B7B46BD912F126E8C92360B679B21 () GB01MAIL00 ! nettitude ! com

* CVE: CVE-2015-8772
* Vendor: McAfee - Intel Security
* Reported by: Kyriakos Economou
* Date of Release: 26/01/2016
* Date of Fix: N/A
* Affected Products: Multiple
* Affected Version: McPvDrv.sys v4.6.111.0
* Fixed Version: N/A


Description:
The McAfee File Lock driver does not correctly handle IOCTL_DISK_VERIFY requests: a specifically crafted request makes the driver copy the contents of kernel memory back to the caller (an information disclosure, not a resource leak). Normally IOCTL_DISK_VERIFY is used to verify an extent on a fixed disk and does not return any data.
We have verified this issue in the latest McAfee File Lock v5.x, which ships with the McAfee Total Protection suite. Other products that include this package will also be affected.

Vulnerable module: McPvDrv.sys v4.6.111.0

Earlier versions of this kernel driver are probably affected by the same issue.


Impact:
A local attacker might be able to disclose sensitive information from kernel memory or crash the affected host.


Technical Details:

When sending an IOCTL_DISK_VERIFY request, the input buffer parameter of DeviceIoControl must point to a VERIFY_INFORMATION structure:

typedef struct _VERIFY_INFORMATION {
  LARGE_INTEGER StartingOffset;
  DWORD         Length;
} VERIFY_INFORMATION, *PVERIFY_INFORMATION;

The memory disclosure arises because McPvDrv.sys does not validate VERIFY_INFORMATION.Length, which comes straight from our input buffer. The driver trusts that value as the size of the input buffer allocated in kernel space, so the associated function reads past the end of that buffer and copies arbitrary data from kernel address space back to the caller's output buffer.
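The pattern described above, as an added example that is not code from the advisory, from Nettitude or from McAfee: a user-mode C model of an IOCTL_DISK_VERIFY handler with the vulnerable behaviour next to a hardened one. The handler signature, the pool-page layout, the status values and the 'K' filler byte are assumptions made for the model; only the VERIFY_INFORMATION layout comes from the SDK. In a real WDM driver in_len and out_len correspond to Parameters.DeviceIoControl.InputBufferLength and OutputBufferLength in the current IRP stack location, and info to Irp->IoStatus.Information.

```c
/* Model of IOCTL_DISK_VERIFY handling (assumptions: handler signature, pool
 * layout, status codes, filler byte). Builds and runs outside the kernel. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* VERIFY_INFORMATION as laid out in the Windows SDK, with fixed-width types
 * so the model compiles on any platform. */
typedef struct {
    int64_t  StartingOffset;   /* LARGE_INTEGER */
    uint32_t Length;           /* DWORD */
} VERIFY_INFORMATION;

typedef uint32_t status_t;
#define STATUS_SUCCESS          0x00000000u
#define STATUS_BUFFER_TOO_SMALL 0xC0000023u
#define SIM_BUGCHECK            0xFFFFFFFFu  /* model only: copy ran off the page */

/* A METHOD_BUFFERED handler gets one system buffer plus the input/output
 * lengths the I/O manager recorded, and reports how many bytes to copy back
 * to the caller (the IoStatus.Information value). */
typedef status_t (*verify_handler_t)(const uint8_t *sysbuf, size_t in_len,
                                     size_t out_len, size_t *info);

/* The pattern the advisory describes: the caller-controlled Length is taken
 * as the amount of valid data sitting in the kernel buffer. */
static status_t verify_vulnerable(const uint8_t *sysbuf, size_t in_len,
                                  size_t out_len, size_t *info)
{
    const VERIFY_INFORMATION *vi = (const VERIFY_INFORMATION *)sysbuf;
    (void)in_len; (void)out_len;          /* the real bounds are never consulted */
    *info = vi->Length;
    return STATUS_SUCCESS;
}

/* Hardened: refuse inputs too short to hold the structure, and since
 * IOCTL_DISK_VERIFY returns no data, report zero bytes whatever Length says. */
static status_t verify_hardened(const uint8_t *sysbuf, size_t in_len,
                                size_t out_len, size_t *info)
{
    if (in_len < sizeof(VERIFY_INFORMATION))
        return STATUS_BUFFER_TOO_SMALL;
    const VERIFY_INFORMATION *vi = (const VERIFY_INFORMATION *)sysbuf;
    (void)vi;        /* StartingOffset/Length would drive the real extent check */
    (void)out_len;   /* a handler that does return data must keep *info <= out_len */
    *info = 0;
    return STATUS_SUCCESS;
}

/* Kernel side of the model: the system buffer is the first sizeof(vi) bytes
 * of a pool page whose remainder holds unrelated kernel data ('K'). The
 * caller's output buffer is the same size as the page so the model stays in
 * bounds; anything beyond the page is treated as unmapped. */
#define POOL_SIZE 256
static uint8_t g_pool[POOL_SIZE];
static uint8_t g_user_out[POOL_SIZE];

/* Issues one request with the given Length and returns how many bytes beyond
 * the caller's own input structure were copied back to user mode. The
 * completion copies exactly the count the driver reported: the bounds check
 * sits with the driver, which is where the advisory says it is missing. */
static size_t run_request(verify_handler_t h, uint32_t length, status_t *st)
{
    VERIFY_INFORMATION vi = { 0, length };            /* constructed input */
    size_t info = 0;
    memset(g_pool, 'K', sizeof g_pool);
    memcpy(g_pool, &vi, sizeof vi);                   /* I/O manager copy-in */
    memset(g_user_out, 0, sizeof g_user_out);
    *st = h(g_pool, sizeof vi, sizeof g_user_out, &info);
    if (*st != STATUS_SUCCESS)
        return 0;
    if (info > POOL_SIZE) {                           /* read off the page */
        *st = SIM_BUGCHECK;
        return 0;
    }
    memcpy(g_user_out, g_pool, info);                 /* I/O manager copy-out */
    return info > sizeof vi ? info - sizeof vi : 0;
}

/* Length = 200 against the vulnerable handler: the caller gets its own
 * structure back followed by 200 - sizeof(VERIFY_INFORMATION) bytes of 'K'. */
size_t leaked_bytes_vulnerable(void)
{
    status_t st;
    return run_request(verify_vulnerable, 200, &st);
}

/* Same request against the hardened handler: nothing comes back. */
size_t leaked_bytes_hardened(void)
{
    status_t st;
    return run_request(verify_hardened, 200, &st);
}

/* A Length far past the page turns the disclosure into the crash the
 * advisory also lists under Impact. */
int vulnerable_crashes_on_huge_length(void)
{
    status_t st;
    run_request(verify_vulnerable, 0x7FFFFFFFu, &st);
    return st == SIM_BUGCHECK;
}

int main(void)
{
    printf("vulnerable handler leaked %zu bytes\n", leaked_bytes_vulnerable());
    printf("hardened handler leaked %zu bytes\n", leaked_bytes_hardened());
    printf("huge Length crashes vulnerable handler: %d\n",
           vulnerable_crashes_on_huge_length());
    return 0;
}
```

The hardened handler's point is not the extra length check alone: a verify IOCTL returns nothing, so Information should be zero regardless of what the caller put in Length, and any IOCTL that does return data must bound Information by OutputBufferLength before completing the IRP.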

Disclosure Log:
Vendor Contacted: 16/09/2015
Request for feedback: 21/09/2015 - No response
Request for feedback: 08/10/2015 - No response
Request for feedback: 13/01/2016 - No response
Public Disclosure: 26/01/2016


URL: https://www.nettitude.co.uk/mcafee-file-lock-driver-kernel-memory-leak/

Copyright:
Copyright (c) Nettitude Limited 2016, All rights reserved worldwide.

Disclaimer:
The information contained herein may change without notice. Any use of this information is at the user's risk and discretion and is provided with no warranties. Nettitude and the author cannot be held liable for any impact resulting from the use of this information.

Kyriakos Economou
Vulnerability Researcher



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

