CVE-2018-6854 Information

Description

Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via multiple IOCTLs, e.g. 0x8810200B, 0x8810200F, 0x8810201B, 0x8810201F, 0x8810202B, 0x8810202F, 0x8810203F, 0x8810204B, 0x88102003, 0x88102007, 0x88102013, 0x88102017, 0x88102027, 0x88102033, 0x88102037, 0x88102043, and 0x88102047. When some conditions in the user-controlled input buffer are not met, the driver writes an error code (0x2000001A) to a user-controlled address. All of the aforementioned IOCTLs use transfer type METHOD_NEITHER, which means that the I/O manager does not validate any of the supplied pointers or buffer sizes. So even though the driver checks the input/output buffer sizes, it does not validate whether the pointers to those buffers are actually valid. The output buffer pointer can therefore be set to a kernel address space address, and the error code will be written there. This condition can be used to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant the SE_DEBUG_NAME privilege, which allows the exploit process to interact with higher-privileged processes running as SYSTEM and execute code in their security context.
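
As an added illustrative example that is not the advisory's or Sophos's own code: the portable C below models the pattern the description identifies, a METHOD_NEITHER handler that checks buffer sizes but writes the error code through an unprobed output pointer, next to the hardened form that probes both buffers before use. The user/kernel split (MODEL_USER_LIMIT, assuming a 64-bit build), the request layout, the header value MODEL_INPUT_MAGIC and the kernel pointer used in main are all constructed assumptions; only the error code 0x2000001A comes from the description, and model_probe_user_range stands in for ProbeForRead/ProbeForWrite.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model constants: assumptions for this illustration, not the real driver's values. */
#define MODEL_USER_LIMIT  0x0000800000000000ULL /* addresses at or above count as kernel space (64-bit model) */
#define MODEL_ERROR_CODE  0x2000001AU           /* the error code named in the advisory */
#define MODEL_INPUT_MAGIC 0x53474541U           /* constructed header value a request must carry */

typedef uint32_t model_status_t;
#define STATUS_SUCCESS          0x00000000U
#define STATUS_ACCESS_VIOLATION 0xC0000005U
#define STATUS_BUFFER_TOO_SMALL 0xC0000023U

typedef struct {
    uint32_t magic;
    uint32_t payload;
} model_request_t;

/* Stand-in for ProbeForRead/ProbeForWrite: the range must lie entirely below the
 * user limit, must not wrap around, and must honour the requested alignment. */
static bool model_probe_user_range(const void *ptr, size_t len, size_t align)
{
    uintptr_t addr = (uintptr_t)ptr;
    if (len == 0)
        return true;
    if (align != 0 && (addr % align) != 0)
        return false;
    if (addr >= MODEL_USER_LIMIT || len > MODEL_USER_LIMIT - addr)
        return false;
    return true;
}

/* Vulnerable pattern: sizes are checked, pointers are not.  With METHOD_NEITHER the
 * I/O manager has neither validated nor copied either buffer, so the caller decides
 * where the error code lands. */
model_status_t model_ioctl_unprobed(const void *in_buf, size_t in_len,
                                    uint32_t *out_buf, size_t out_len)
{
    if (in_len < sizeof(model_request_t) || out_len < sizeof(uint32_t))
        return STATUS_BUFFER_TOO_SMALL;
    const model_request_t *req = in_buf;
    if (req->magic != MODEL_INPUT_MAGIC) {
        *out_buf = MODEL_ERROR_CODE; /* write through an unvalidated pointer */
        return STATUS_SUCCESS;
    }
    *out_buf = req->payload;
    return STATUS_SUCCESS;
}

/* Hardened pattern: probe both buffers before touching them, capture the input once
 * so it cannot change between check and use, and only then write the result.  A real
 * driver also wraps the probes and user-buffer accesses in __try/__except, because a
 * probed user address can still fault. */
model_status_t model_ioctl_probed(const void *in_buf, size_t in_len,
                                  uint32_t *out_buf, size_t out_len)
{
    if (in_len < sizeof(model_request_t) || out_len < sizeof(uint32_t))
        return STATUS_BUFFER_TOO_SMALL;
    if (!model_probe_user_range(in_buf, in_len, sizeof(uint32_t)) ||
        !model_probe_user_range(out_buf, out_len, sizeof(uint32_t)))
        return STATUS_ACCESS_VIOLATION;

    model_request_t req;
    memcpy(&req, in_buf, sizeof req); /* single capture of the user data */
    uint32_t result = (req.magic == MODEL_INPUT_MAGIC) ? req.payload : MODEL_ERROR_CODE;
    *out_buf = result; /* out_buf has been shown to be a user-mode range */
    return STATUS_SUCCESS;
}

int main(void)
{
    model_request_t bad = { 0, 0 }; /* constructed request that fails the magic check */
    uint32_t out = 0;
    uint32_t *kernel_ptr = (uint32_t *)(uintptr_t)0xFFFFF80000001000ULL; /* constructed kernel-range address */

    /* The unprobed handler would write the error code to kernel_ptr; the probed one refuses. */
    model_status_t st_kernel = model_ioctl_probed(&bad, sizeof bad, kernel_ptr, sizeof(uint32_t));
    model_status_t st_user = model_ioctl_probed(&bad, sizeof bad, &out, sizeof out);
    printf("probed, kernel pointer: status 0x%08X (no write performed)\n", st_kernel);
    printf("probed, user pointer:   status 0x%08X, out=0x%08X\n", st_user, out);
    return 0;
}
```

Build with any C99 compiler on a 64-bit host. The point the model makes is that a size check alone says nothing about where a METHOD_NEITHER pointer refers; the probe (or switching the IOCTL to METHOD_BUFFERED, which lets the I/O manager copy the buffers) is what keeps the error-code write in user memory.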

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

http://seclists.org/fulldisclosure/2018/Jul/20
https://community.sophos.com/kb/en-us/131934
https://labs.nettitude.com/blog/cve-2018-6851-to-cve-2018-6857-sophos-privilege-escalation-vulnerabilities/

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

7.8

Base Severity

HIGH
