Local exploitation of multiple design error vulnerabilities within multiple Check Point Zone Alarm products could allow an attacker to gain elevated privileges.
The problem specifically exists within the IOCTL handling code in the srescan.sys device driver. The device driver fails to validate user-land supplied addresses passed to IOCTL 0x22208F and IOCTL 0x2220CF.
Since the Irp parameters are not correctly validated, an attacker could utilize these IOCTLs to overwrite arbitrary memory. In the case of IOCTL 0x2220CF, the attacker can write the constant double-word value of 0x30000. In the case of IOCTL 0x22208F, the attacker can write the contents of a buffer returned from ZwQuerySystemInformation.
Labs.iDefense
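The pattern behind this advisory, as an added example that is not part of the original post or of iDefense's or Check Point's code. Decoding the two IOCTL codes with the standard CTL_CODE bit layout shows that both have transfer method 3 (METHOD_NEITHER), which is exactly the case where the driver receives raw user-mode pointers and must probe them itself. The simulated 32-bit address space, the page bases, the probe limit of 0x80000000 and the simplified handler that only models the 0x2220CF constant write are assumptions for the simulation; the NTSTATUS values are the real ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Windows I/O control code layout (the CTL_CODE macro):
 * bits 31..16 device type, 15..14 required access, 13..2 function, 1..0 transfer method. */
enum { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };

struct ioctl_fields { uint32_t device_type, access, function, method; };

static struct ioctl_fields decode_ioctl(uint32_t code) {
    struct ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Real NTSTATUS values used by the simulated dispatch routines. */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT  0x80000002u
#define STATUS_ACCESS_VIOLATION       0xC0000005u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u

/* Simulated 32-bit address space (assumption): one user page, one kernel page.
 * The split at 0x80000000 mirrors MmUserProbeAddress on a default 32-bit layout. */
#define SIM_USER_PROBE_ADDRESS 0x80000000u
#define SIM_USER_PAGE_BASE     0x00400000u
#define SIM_KERNEL_PAGE_BASE   0x80400000u
#define SIM_PAGE_SIZE          0x1000u

static uint8_t sim_user_page[SIM_PAGE_SIZE];
static uint8_t sim_kernel_page[SIM_PAGE_SIZE];

static void sim_reset(void) {
    memset(sim_user_page, 0, sizeof sim_user_page);
    memset(sim_kernel_page, 0, sizeof sim_kernel_page);
}

/* Map a simulated address to backing storage, or NULL if the address is unmapped. */
static uint8_t *sim_resolve(uint32_t addr) {
    if (addr >= SIM_USER_PAGE_BASE && addr + 4 <= SIM_USER_PAGE_BASE + SIM_PAGE_SIZE)
        return sim_user_page + (addr - SIM_USER_PAGE_BASE);
    if (addr >= SIM_KERNEL_PAGE_BASE && addr + 4 <= SIM_KERNEL_PAGE_BASE + SIM_PAGE_SIZE)
        return sim_kernel_page + (addr - SIM_KERNEL_PAGE_BASE);
    return NULL;
}

static int sim_write_dword(uint32_t addr, uint32_t value) {
    uint8_t *p = sim_resolve(addr);
    if (!p) return 0;                       /* unmapped: a real driver would fault here */
    memcpy(p, &value, sizeof value);
    return 1;
}

static uint32_t sim_read_dword(uint32_t addr) {
    uint32_t v = 0;
    uint8_t *p = sim_resolve(addr);
    if (p) memcpy(&v, p, sizeof v);
    return v;
}

#define IOCTL_SRESCAN_QSI   0x22208Fu       /* the two codes named in the advisory */
#define IOCTL_SRESCAN_CONST 0x2220CFu

/* Vulnerable pattern: for a METHOD_NEITHER IOCTL the pointer arrives straight from user
 * mode (Type3InputBuffer / UserBuffer). Writing through it without a probe lets the
 * caller choose any address, including kernel memory. */
static uint32_t vulnerable_dispatch(uint32_t code, uint32_t user_ptr) {
    if (code != IOCTL_SRESCAN_CONST) return STATUS_INVALID_DEVICE_REQUEST;
    if (!sim_write_dword(user_ptr, 0x30000u)) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Emulates ProbeForWrite(ptr, length, alignment): misaligned pointers raise
 * STATUS_DATATYPE_MISALIGNMENT, anything reaching the kernel half raises
 * STATUS_ACCESS_VIOLATION. The subtraction form avoids a 32-bit wrap in addr + length. */
static uint32_t probe_for_write(uint32_t addr, uint32_t length, uint32_t alignment) {
    if (addr % alignment) return STATUS_DATATYPE_MISALIGNMENT;
    if (addr >= SIM_USER_PROBE_ADDRESS || length > SIM_USER_PROBE_ADDRESS - addr)
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Hardened pattern: probe before the write. In a real driver both the probe and the
 * write sit inside __try/__except, because the page can be unmapped after the probe. */
static uint32_t hardened_dispatch(uint32_t code, uint32_t user_ptr) {
    struct ioctl_fields f = decode_ioctl(code);
    if (code != IOCTL_SRESCAN_CONST) return STATUS_INVALID_DEVICE_REQUEST;
    if (f.method == METHOD_NEITHER) {
        uint32_t st = probe_for_write(user_ptr, 4, 4);
        if (st != STATUS_SUCCESS) return st;
    }
    if (!sim_write_dword(user_ptr, 0x30000u)) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

int main(void) {
    struct ioctl_fields a = decode_ioctl(IOCTL_SRESCAN_QSI), b = decode_ioctl(IOCTL_SRESCAN_CONST);
    printf("0x22208F: type 0x%X function 0x%X method %u\n", a.device_type, a.function, a.method);
    printf("0x2220CF: type 0x%X function 0x%X method %u\n", b.device_type, b.function, b.method);
    sim_reset();
    printf("vulnerable: status 0x%08X, kernel dword now 0x%X\n",
           vulnerable_dispatch(IOCTL_SRESCAN_CONST, SIM_KERNEL_PAGE_BASE + 0x10),
           sim_read_dword(SIM_KERNEL_PAGE_BASE + 0x10));
    sim_reset();
    printf("hardened:   status 0x%08X, kernel dword now 0x%X\n",
           hardened_dispatch(IOCTL_SRESCAN_CONST, SIM_KERNEL_PAGE_BASE + 0x10),
           sim_read_dword(SIM_KERNEL_PAGE_BASE + 0x10));
    return 0;
}
```

The same probe is what a METHOD_NEITHER handler must apply to the 0x22208F path before copying the ZwQuerySystemInformation buffer out, with the length of that buffer in place of 4; METHOD_BUFFERED would avoid the problem entirely by having the I/O manager copy through a kernel-owned SystemBuffer.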