Flaw in Sophos HitmanPro.Alert could enable hackers to gain privileges over systems

News by Rene Millman

A couple of vulnerabilities in Sophos HitmanPro.Alert could enable an attacker to build a stable exploit to gain SYSTEM rights on the local machine.

Sophos HitmanPro.Alert is a threat-protection solution based on heuristic algorithms that detect and block malicious activity. Some of these algorithms need kernel-level access to gather the information they rely on. Sophos implemented the software's core functionality in the `hmpalert.sys` kernel driver. According to a blog post by researchers at Cisco Talos, two vulnerabilities were discovered in the I/O control handler of the `hmpalert.sys` driver.

Researchers used the `OSR Device Tree` tool to analyse the `hmpalert.sys` driver's access rights. They said that any user logged into the system can obtain a handle to the `hmpalert` device and send an I/O request to it. The I/O handler related to this vulnerability is triggered by the IOCTL code `0x2222CC`.
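As an added illustration (not code from the article or from the Talos write-up), the IOCTL code quoted above can be split into its fields using the standard Windows `CTL_CODE` bit layout, which is a routine step when reviewing a driver's exposed interface. The `review_flags` helper and its `REVIEW_*` names are hypothetical, and `0x22A003` is a constructed sample code.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields packed by the Windows CTL_CODE macro:
   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method */
struct ioctl_fields {
    uint32_t device_type; /* bits 31..16, 0x22 = FILE_DEVICE_UNKNOWN */
    uint32_t access;      /* bits 15..14: 0 any, 1 read, 2 write, 3 read+write */
    uint32_t function;    /* bits 13..2, 0x800 and above are vendor-defined */
    uint32_t method;      /* bits 1..0: 0 buffered, 1 in-direct, 2 out-direct, 3 neither */
};

struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Hypothetical review flags for a driver interface audit. */
#define REVIEW_ANY_ACCESS     0x1u /* I/O manager checks no read/write right on the handle */
#define REVIEW_METHOD_NEITHER 0x2u /* driver receives raw user pointers and must probe them */

unsigned review_flags(uint32_t code)
{
    struct ioctl_fields f = decode_ioctl(code);
    unsigned flags = 0;
    if (f.access == 0) flags |= REVIEW_ANY_ACCESS;
    if (f.method == 3) flags |= REVIEW_METHOD_NEITHER;
    return flags;
}

int main(void)
{
    /* 0x2222CC is the code named in the article; 0x22A003 is constructed. */
    uint32_t codes[] = { 0x2222CC, 0x22A003 };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        struct ioctl_fields f = decode_ioctl(codes[i]);
        printf("0x%06X: type=0x%X access=%u function=0x%X method=%u flags=0x%X\n",
               (unsigned)codes[i], (unsigned)f.device_type, (unsigned)f.access,
               (unsigned)f.function, (unsigned)f.method, review_flags(codes[i]));
    }
    return 0;
}
```

For `0x2222CC` the access field decodes to 0 (`FILE_ANY_ACCESS`), so the request itself demands no read or write right on the handle; the device's ACL and the handler's own input validation are the only gates.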

With three parameters under control, researchers were able to build a proof of concept exploit to trigger the vulnerability.

"This looks like it could work, but it's not enough to create a fully working exploit. We need to dig into the `inLsassRegions` function and see how exactly the `srcAddress` parameter is tested. We have to check if we will be able to predict this memory content and turn our limited `arbitrary write` access into a fully working `write-what-where` vulnerability," said researchers.

Researchers said that the exploit was not a "typical `write-what-where` vulnerability like you see in the common exploitation training class", but they did not need to be too creative to exploit this flaw.

The exploit process is based on the research presented by Morten Schenk during his presentation at the BlackHat USA 2017 conference. It also includes modifications from Mateusz "j00ru" Jurczyk, which he included in his paper "Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)."

The researchers made a few changes to this to get the exploit to work. To simplify memory operations, they wrote a class using the memory operation primitives they had found in the `hmpalert.sys` driver.

With a fully working exploit, the researchers tested it to see if it could get system-level privileges on a machine. The exploit was detected by HitmanPro.Alert's anti-zero-day detection engine. Researchers then looked at the software's exploit log and saw that the exploit's code had been executed, but the spawned elevated console had been terminated.

Researchers then looked at HitmanPro.Alert's engine to find out where this function is implemented.

"The Microsoft Windows API provides the `PsSetCreateProcessNotifyRoutine`, which can be used to monitor process creation in the OS. Searching for this API call in the `hmpalert.sys` driver, IDA shows a couple of calls," said researchers.

Researchers said that due to the many anti-exploitation features in today's operating systems, weaponising vulnerabilities can often be arduous, "but this particular vulnerability shows that we can still use some Windows kernel-level flaws to easily exploit bugs in modern Windows systems".

Update: Sophos has patched the vulnerability and published a Knowledge Base article on it containing information on how users can rectify the issue.
