1. Description:
The pgpwded.sys kernel driver distributed with Symantec PGP Desktop contains
an arbitrary memory overwrite vulnerability in the handling of IOCTL 0x80022058.
Exploitation of this issue allows an attacker to execute arbitrary code
within the kernel.
An attacker would need local access to a vulnerable computer to exploit
this vulnerability.
Affected application: Symantec PGP Desktop 10.2.0 Build 2599 (up to date).
Affected file: pgpwded.sys version 10.2.0.2599.
2. Vulnerability details:
The function at 0x10024C20 is responsible for dispatching IOCTL codes:
.text:10024C20 ; int __thiscall ioctl_handler_deep(int this, int ioctl, PVOID inbuff, unsigned int inbuff_size, unsigned int outbuff_size, PDWORD bytes_to_return)
.text:10024C20 ioctl_handler_deep proc near ; CODE XREF: sub_10007520+6A p
.text:10024C20
.text:10024C20 DestinationString= UNICODE_STRING ptr -3Ch
.text:10024C20 var_31 = byte ptr -31h
.text:10024C20 var_30 = dword ptr -30h
.text:10024C20 some_var = dword ptr -2Ch
.text:10024C20 var_28 = dword ptr -28h
.text:10024C20 var_24 = byte ptr -24h
.text:10024C20 var_5 = byte ptr -5
.text:10024C20 var_4 = dword ptr -4
.text:10024C20 ioctl = dword ptr 8
.text:10024C20 inbuff = dword ptr 0Ch
.text:10024C20 inbuff_size = dword ptr 10h
.text:10024C20 outbuff_size = dword ptr 14h
.text:10024C20 bytes_to_return = dword ptr 18h
.text:10024C20
.text:10024C20 push ebp
.text:10024C21 mov ebp, esp
.text:10024C23 sub esp, 3Ch
.text:10024C26 mov eax, BugCheckParameter2
.text:10024C2B xor eax, ebp
.text:10024C2D mov [ebp+var_4], eax
.text:10024C30 mov eax, [ebp+ioctl]
.text:10024C33 push ebx
.text:10024C34 mov ebx, [ebp+inbuff]
.text:10024C37 push esi
.text:10024C38 mov esi, [ebp+bytes_to_return]
.text:10024C3B add eax, 7FFDDFD8h
.text:10024C40 push edi
.text:10024C41 mov edi, ecx
.text:10024C43 mov [ebp+some_var], esi
.text:10024C46 mov [ebp+var_28], 0
.text:10024C4D cmp eax, 0A4h ; switch 165 cases
.text:10024C52 ja loc_10025B18 ; jumptable 10024C5F default case
.text:10024C58 movzx eax, ds:byte_10025BF0[eax]
.text:10024C5F jmp ds:off_10025B50[eax*4] ; switch jump
[..]
0x80022058 case: no check for outbuff_size == 0! <--- FLAW!
.text:10024F5A lea ecx, [edi+958h]
.text:10024F60 call sub_100237B0
.text:10024F65 mov [ebp+some_var], eax
.text:10024F68 test eax, eax
.text:10024F6A jnz short loc_10024F7D
.text:10024F6C mov dword ptr [ebx], 0FFFFCFFAh
.text:10024F72 mov dword ptr [esi], 10h <--- bytes to copy to output buffer
Next, in IofCompleteRequest, the I/O manager performs a rep movsd of those bytes to a pointer that is under the attacker's control.
Due to the type of vulnerability (METHOD_BUFFERED with output_size == 0) the exploit works only on Windows XP/2k3, because in later Windows versions the I/O manager doesn't craft the IRP if the IOCTL is METHOD_BUFFERED and output_size == 0.
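The following is an added, user-mode model of the METHOD_BUFFERED dispatch pattern described above; it is not code from pgpwded.sys or from Symantec. It places the unchecked sequence from the listing (write a status word into the system buffer, then report 0x10 bytes to the I/O manager without consulting the output length) beside the hardened form a driver author should use, and adds the invariant a reviewer can check on any completed request: the byte count handed back in IoStatus.Information must never exceed the OutputBufferLength the caller was validated for. The struct fields, the status constants and the helper names are assumptions chosen to mirror the IRP fields they stand in for; the 0xFFFFCFFA status word and the 0x10 reply size are the values visible in the disassembly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the NTSTATUS codes of the same name (assumed values). */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u
#define STATUS_INVALID_PARAMETER      0xC000000Du
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u

#define IOCTL_CODE  0x80022058u   /* IOCTL from the advisory */
#define REPLY_SIZE  0x10u         /* bytes the handler reports ("mov dword ptr [esi], 10h") */

/* Hypothetical model of the IRP fields a METHOD_BUFFERED handler sees. */
typedef struct {
    uint8_t *system_buffer; /* Irp->AssociatedIrp.SystemBuffer */
    size_t   capacity;      /* its size: max(in_length, out_length) */
    size_t   in_length;     /* Parameters.DeviceIoControl.InputBufferLength */
    size_t   out_length;    /* Parameters.DeviceIoControl.OutputBufferLength */
    size_t   information;   /* Irp->IoStatus.Information, set by the handler */
} ioctl_request;

/* Build a request the way the I/O manager would: one system buffer sized to
 * the larger of the two lengths. Storage is supplied by the caller (constructed). */
ioctl_request make_request(uint8_t *storage, size_t in_length, size_t out_length)
{
    ioctl_request req;
    req.system_buffer = storage;
    req.capacity = in_length > out_length ? in_length : out_length;
    req.in_length = in_length;
    req.out_length = out_length;
    req.information = 0;
    return req;
}

/* Unchecked pattern from the listing: store a status word, then claim
 * REPLY_SIZE bytes for the caller without ever looking at out_length.
 * At completion the I/O manager copies 'information' bytes back to the
 * caller's output pointer, so that count is the thing being trusted. */
uint32_t handle_ioctl_unchecked(ioctl_request *req)
{
    uint32_t status_word = 0xFFFFCFFAu;
    if (req->system_buffer == NULL || req->capacity < sizeof status_word)
        return STATUS_INVALID_PARAMETER;   /* keeps this model inside its own storage */
    memcpy(req->system_buffer, &status_word, sizeof status_word);
    req->information = REPLY_SIZE;         /* <-- no check of out_length */
    return STATUS_SUCCESS;
}

/* Hardened form: refuse the request unless the caller supplied room for the
 * whole reply, and report zero bytes on failure so nothing is copied back. */
uint32_t handle_ioctl_checked(ioctl_request *req)
{
    uint32_t status_word = 0xFFFFCFFAu;
    if (req->system_buffer == NULL || req->out_length < REPLY_SIZE
        || req->capacity < REPLY_SIZE) {
        req->information = 0;
        return STATUS_BUFFER_TOO_SMALL;
    }
    memset(req->system_buffer, 0, REPLY_SIZE);  /* never return stale buffer bytes */
    memcpy(req->system_buffer, &status_word, sizeof status_word);
    req->information = REPLY_SIZE;
    return STATUS_SUCCESS;
}

/* Dispatch in the shape of the listing's switch; 'hardened' selects the handler. */
uint32_t dispatch(uint32_t code, ioctl_request *req, int hardened)
{
    if (code != IOCTL_CODE)
        return STATUS_INVALID_DEVICE_REQUEST;
    return hardened ? handle_ioctl_checked(req) : handle_ioctl_unchecked(req);
}

/* Invariant to assert on every completed request. */
int completion_is_bounded(const ioctl_request *req)
{
    return req->information <= req->out_length;
}

/* Scenario: 4-byte input, zero-length output, as in the advisory. Returns the
 * byte count the chosen handler asks the I/O manager to copy back. */
size_t bytes_claimed_with_zero_output(int hardened)
{
    uint8_t storage[REPLY_SIZE];
    ioctl_request req = make_request(storage, 4, 0);
    dispatch(IOCTL_CODE, &req, hardened);
    return req.information;
}

int main(void)
{
    printf("unchecked handler claims %zu bytes for a 0-byte output buffer\n",
           bytes_claimed_with_zero_output(0));
    printf("checked handler claims %zu bytes for a 0-byte output buffer\n",
           bytes_claimed_with_zero_output(1));
    return 0;
}
```

The point of `completion_is_bounded` is that it is checkable from the handler's own state, before the IRP is completed: a driver that sets Information larger than OutputBufferLength has already handed the I/O manager a copy it cannot bound, whatever the system buffer contains.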
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information