A kernel vulnerability exists in an antivirus product called “System Shield AntiVirus and AntiSpyware” by Iolo Technologies. This is an arbitrary memory overwrite vulnerability due to the inputted buffer not being validated and has been assigned a CVE ID of CVE-2018-5701. The product version of “System Shield AntiVirus and AntiSpyware” tested on is 5.0.0.136 and the vulnerable version of the driver “amp.sys” is 5.4.11.1.
Due to no response from the vendor for the last few weeks I’m going public with this one. Another one of their products “System Mechanic Pro” on version 15.5.0.61 is also affected from this vulnerability as it gets shipped with the same version of the driver as is bundled with “System Shield AntiVirus and AntiSpyware”. There is however an update downloader link on the site for “System Mechanic Pro” bringing it to version 17.5.0.116 where the vulnerable driver has been removed.
To get to our arbitrary write a number of conditions had to be satisfied in a number of subroutines, the main disassembly screen shots shown below.
To exploit I’m overwriting the _SEP_TOKEN_PRIVILEGES structure with the fixed value of 0xFFFFFFFE. You can play with the offsets to get different number of privileges but with the offsets I chose I ended up looking like this below
kd> dt nt!_SEP_TOKEN_PRIVILEGES fffff8a002cc4a30+40 +0x000 Present : 0xff`fffffe00 +0x008 Enabled : 0xff`fffffe00 +0x010 EnabledByDefault : 0x800000
Looking at the number of privileges obtained we have a few to choose from for our exploit.
kd> !token fffff8a002cc4a30 _TOKEN fffff8a002cc4a30 TS Session ID: 0x1 User: S-1-5-21-2231847605-3015871416-1385684711-1001 Groups: 00 S-1-5-21-2231847605-3015871416-1385684711-513 Attributes - Mandatory Default Enabled 01 S-1-1-0 Attributes - Mandatory Default Enabled 02 S-1-5-114 Attributes - DenyOnly 03 S-1-5-32-545 Attributes - Mandatory Default Enabled 04 S-1-5-32-544 Attributes - DenyOnly 05 S-1-5-4 Attributes - Mandatory Default Enabled 06 S-1-2-1 Attributes - Mandatory Default Enabled 07 S-1-5-11 Attributes - Mandatory Default Enabled 08 S-1-5-15 Attributes - Mandatory Default Enabled 09 S-1-5-113 Attributes - Mandatory Default Enabled 10 S-1-5-5-0-1059199 Attributes - Mandatory Default Enabled LogonId 11 S-1-2-0 Attributes - Mandatory Default Enabled 12 S-1-5-64-10 Attributes - Mandatory Default Enabled 13 S-1-16-8192 Attributes - GroupIntegrity GroupIntegrityEnabled Primary Group: S-1-5-21-2231847605-3015871416-1385684711-513 Privs: 09 0x000000009 SeTakeOwnershipPrivilege Attributes - Enabled 10 0x00000000a SeLoadDriverPrivilege Attributes - Enabled 11 0x00000000b SeSystemProfilePrivilege Attributes - Enabled 12 0x00000000c SeSystemtimePrivilege Attributes - Enabled 13 0x00000000d SeProfileSingleProcessPrivilege Attributes - Enabled 14 0x00000000e SeIncreaseBasePriorityPrivilege Attributes - Enabled 15 0x00000000f SeCreatePagefilePrivilege Attributes - Enabled 16 0x000000010 SeCreatePermanentPrivilege Attributes - Enabled 17 0x000000011 SeBackupPrivilege Attributes - Enabled 18 0x000000012 SeRestorePrivilege Attributes - Enabled 19 0x000000013 SeShutdownPrivilege Attributes - Enabled 20 0x000000014 SeDebugPrivilege Attributes - Enabled 21 0x000000015 SeAuditPrivilege Attributes - Enabled 22 0x000000016 SeSystemEnvironmentPrivilege Attributes - Enabled 23 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default 24 0x000000018 SeRemoteShutdownPrivilege Attributes - Enabled 25 0x000000019 SeUndockPrivilege Attributes - Enabled 26 0x00000001a SeSyncAgentPrivilege Attributes - Enabled 27 0x00000001b SeEnableDelegationPrivilege Attributes - Enabled 28 0x00000001c SeManageVolumePrivilege Attributes - Enabled 29 0x00000001d SeImpersonatePrivilege Attributes - Enabled 30 0x00000001e SeCreateGlobalPrivilege Attributes - Enabled 31 0x00000001f SeTrustedCredManAccessPrivilege Attributes - Enabled 32 0x000000020 SeRelabelPrivilege Attributes - Enabled 33 0x000000021 SeIncreaseWorkingSetPrivilege Attributes - Enabled 34 0x000000022 SeTimeZonePrivilege Attributes - Enabled 35 0x000000023 SeCreateSymbolicLinkPrivilege Attributes - Enabled 36 0x000000024 Unknown Privilege Attributes - Enabled 37 0x000000025 Unknown Privilege Attributes - Enabled 38 0x000000026 Unknown Privilege Attributes - Enabled 39 0x000000027 Unknown Privilege Attributes - Enabled Authentication ID: (0,1029c8) Impersonation Level: Anonymous TokenType: Primary Source: User32 TokenFlags: 0x2a00 ( Token in use ) Token ID: 13d229 ParentToken ID: 1029cb Modified ID: (0, 139e0a) RestrictedSidCount: 0 RestrictedSids: 0000000000000000 OriginatingLogonSession: 3e7
For exploiting I decided to use the “SeTakeOwnershipPrivilege” privilege. The idea I had was to take ownership of a Windows Service key and have the ability to start it. The service I found was the “Windows Installer” service.
So the steps were to:
- Take ownership of the key HKLM\SYSTEM\CurrentControlSet\services\msiserver
- Change the “ImagePath” value to our command or executable we which want to run
- Start the service by running “msiexec.exe /i poc.msi /quiet”
- Restore all settings
Here poc.msi doesn’t really exist but by initiating an msi install will start the service and run our command. Trying to get an interactive shell is another matter as we have to deal with “Session 0 Isolation” which I haven’t really looked into so decided to use the net command to add the account to the local administrators group.
The exploit can be downloaded from here [zip]
Nice write up – where can I get the vulnerable app? I checked IOLO’s website and the exploitdb but I can’t find 5.0.0.136
For “System Shield AntiVirus and AntiSpyware” you’ll need to run the downloader which downloads the main installation package but then you’ll need to also request a license. Best just to download “System Mechanic Pro” and install as a trial, this downloads the entire package and no license is required for installation
http://download.iolo.net/sm/15/pro/en/iolo/trial/SystemMechanicPro_15.5.0.61.exe
Hello.
Thanks for this demonstration!
I have a question. With this exploit, can we access to the winlogon.exe and open a handle for read and write memory?
Kind regards,
Yes you can as “SeDebugPrivilege” is also enabled
Why doesn’t it work with csrss.exe?
pHandle = OpenProcess(PROCESS_VM_READ, 0, 428); //my csrss PID
printf(“> pHandle: %d || %s\n”, pHandle, pHandle);
i got: 0 || (null)
It should work, most likely haven’t got the necessary privilege
Oh yes, thanks. But can you help me with “SeDebugPrivilege”. What offset?
Kind regards,
The SeDebugPrivilege is already enabled in this exploit, what you can do it use a previous exploit of mine which uses shellcode being injected in the winlogon process.
Thanks for nice write up. I want to study this case, so I’ve downloaded the link
http://download.iolo.net/sm/15/pro/en/iolo/trial/SystemMechanicPro_15.5.0.61.exe.
And opened amp.sys file with IDA pro, but I could not find the code related to ctl code 0x00226003. How can I find it?
Best just do a text search for 226003 and only one entry will be listed
Thanks! I found with its hex byte ’03 60 22′ in IDA search and reached vulnerable function.