WinXP SP2: i2omgmt.sys Privilege Escalation Vulnerability in Security

WinXP SP2: i2omgmt.sys Privilege Escalation Vulnerability in Security http://www.dslreports.com/forum/r20473786 en Fri, 29 Aug 2008 21:50:22 EDT Fri, 29 Aug 2008 21:50:22 EDT Re: WinXP SP2: i2omgmt.sys Privilege Escalation Vulnerability http://www.dslreports.com/forum/remark,20475498 jdong :

said by dave

:

Isn't I2O a dead protocol?

Do many desktop systems use I2O?

A lot of fan drivers and SMC type chips use an I2C protocol though I don't know if they use the win32 API for it or their own implementation (i.e. your facny CPU/mobo monitoring apps)
--
Ubuntu MOTU Developer and Forums Council]]> http://www.dslreports.com/forum/remark,20475498 Tue, 13 May 2008 13:09:06 EDT Re: WinXP SP2: i2omgmt.sys Privilege Escalation Vulnerability http://www.dslreports.com/forum/remark,20475387 dave : Isn't I2O a dead protocol?

Do many desktop systems use I2O?]]> http://www.dslreports.com/forum/remark,20475387 Tue, 13 May 2008 12:48:04 EDT Re: WinXP SP2: i2omgmt.sys Privilege Escalation Vulnerability http://www.dslreports.com/forum/remark,20475197 SUMware : Looks like MS has provided an incentive to install SP3 (pretty please, or we'll leave your machine vulnerable). ;)

Also from original link:

quote:
III. ANALYSIS
Exploitation allows an attacker to elevate privileges by overwriting arbitrary system memory or executing code within kernel context. An attacker needs to log-in to the target machine to exploit this vulnerability.

This driver is related to I2O protocol and RAID devices. It is not present by default on every Windows installation. However, iDefense found this driver loaded on several systems we tested.

IV. DETECTION
iDefense has confirmed the existence of this vulnerability in i2omgmt.sys version 5.1.2600.2180 as installed on some Windows XP SP2 systems. All other Windows releases with this driver, including previous versions, are suspected to be vulnerable.

V. WORKAROUND
Removing write permissions for "Everyone" appears to prevent access to the vulnerable code. Although no side effects were witnessed in lab tests, normal functionality may be hindered.

]]> http://www.dslreports.com/forum/remark,20475197 Tue, 13 May 2008 12:13:19 EDT Re: WinXP SP2: i2omgmt.sys Privilege Escalation Vulnerability http://www.dslreports.com/forum/remark,20475186 jdong : Isn't this loaded by default on XP systems? Why wasn't this fixed when the vendor was notified? Grouping together minor bugfixes into a yearly big update is a good idea, but for priviledge escalation vulnerabilities is it really appropriate?
--
Ubuntu MOTU Developer and Forums Council]]> http://www.dslreports.com/forum/remark,20475186 Tue, 13 May 2008 12:10:45 EDT Re: WinXP SP2: i2omgmt.sys Privilege Escalation Vulnerability http://www.dslreports.com/forum/remark,20473880 Lanik :

quote:
VIII. DISCLOSURE TIMELINE

03/20/2007 Initial vendor notification
03/20/2007 Initial vendor response
05/12/2008 Coordinated public disclosure

Way to go M$ took them over a year to fix this, way to stay on top of it. :uhh:
--
"If it ain't broke don't fix it."]]> http://www.dslreports.com/forum/remark,20473880 Tue, 13 May 2008 04:42:42 EDT WinXP SP2: i2omgmt.sys Privilege Escalation Vulnerability http://www.dslreports.com/forum/remark,20473786 matunga : Local exploitation of an input validation vulnerability within version 5.1.2600.2180 of i2omgmt.sys, as included with Windows XP, could allow an attacker to execute arbitrary code in the context of the kernel.

Microsoft has addressed this issue within Windows XP Service Pack 3:
»labs.idefense.com/intelligence/v···p?id=699]]> http://www.dslreports.com/forum/remark,20473786 Tue, 13 May 2008 03:26:23 EDT