   VULNERABILITY NOTE

CERT-In Vulnerability Note CIVN-2008-56
Microsoft Windows I2O Filter Utility Driver (i2omgmt.sys) Local Privilege Escalation Vulnerability

Original Issue Date: May 13, 2008

Severity Rating: High

Systems Affected

  • Windows XP Service Pack 2
  • Windows XP Service Pack 1
  • Windows XP Professional Edition
  • Windows XP Home Edition

Overview

A vulnerability has been reported in the Windows XP I2O filter utility driver that could be exploited by a local attacker to execute arbitrary code in the context of the kernel.

Description

Intelligent Input/Output (I2O) is a defunct computer input/output (I/O) specification. i2omgmt.sys is a Windows driver for the I2O Utility Filter.

The vulnerability is caused by an input validation error in i2omgmt.sys version 5.1.2600.2180, specifically by insecure permissions on the \\.\I2OExc device interface. The permissions on this device allow “Everyone” write access, which lets any locally logged-in user access functionality that is designed for privileged use only. In addition, the IOCTL handlers for this device interface improperly validate the user-mode buffer passed to them.

An attacker can exploit this vulnerability by supplying a specially crafted fake DeviceObject pointer that refers to a user-mode address, possibly overwriting arbitrary memory or executing arbitrary code on the target system with kernel privileges.

Workaround

  • Removing write permissions for "Everyone" appears to prevent access to the vulnerable code.
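
To confirm the workaround, the device's security descriptor should no longer contain an allow entry that grants "Everyone" a write right. The following is an added example, not part of this note or of any vendor tool: it parses a security descriptor in SDDL form and lists such entries. The sample descriptors are constructed, since the note does not give the actual descriptor of \\.\I2OExc.

```python
import re

# SDDL right tokens -> access-mask bits (standard Windows values).
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}
# Bits that allow opening the device for write:
# GENERIC_ALL, GENERIC_WRITE, FILE_WRITE_DATA, FILE_APPEND_DATA.
WRITE_BITS = 0x10000000 | 0x40000000 | 0x2 | 0x4
# As a trustee, "WD" is the SDDL alias for Everyone (as a right it is WRITE_DAC).
EVERYONE = {"WD", "S-1-1-0"}

def parse_mask(field):
    """Convert an ACE rights field (hex mask or two-letter tokens) to an int."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError("malformed rights field: %r" % field)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]  # KeyError on an unknown token
    return mask

def everyone_write_aces(sddl):
    """Return allow ACEs in the DACL that grant Everyone a write right.
    Deny ACEs are skipped; ACE ordering is not evaluated."""
    dacl = re.search(r"D:(.*?)(?=S:|$)", sddl)
    if dacl is None:
        return []
    hits = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        parts = ace.split(";")
        if len(parts) < 6:
            continue
        ace_type, rights, trustee = parts[0], parts[2], parts[5]
        if ace_type == "A" and trustee in EVERYONE and parse_mask(rights) & WRITE_BITS:
            hits.append(ace)
    return hits

# Constructed sample descriptors (not taken from a real system).
WEAK = "O:BAG:SYD:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;WD)"
FIXED = "O:BAG:SYD:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GR;;;WD)"

if __name__ == "__main__":
    for name, sd in (("weak", WEAK), ("fixed", FIXED)):
        print(name, everyone_write_aces(sd))
```
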

Solution

Apply Microsoft Windows XP Service Pack 3.

Vendor Information

Microsoft
http://www.microsoft.com/downloads/details.aspx?FamilyID=5b33b5a8-5e76-401f-be08-1e1555d4f3d4&displaylang=en

References

iDefense Labs
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=699

SecurityTracker
http://www.securitytracker.com/alerts/2008/May/1020006.html

SecuriTeam
http://www.securiteam.com/windowsntfocus/5EP0B0UOAO.html

CVE-Name
CVE-2008-0322

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003