Privilege escalation through driver bug in Windows
Security services provider iDefense has warned of vulnerabilities in the i2omgmt.sys I2O driver in Windows XP, which can be exploited by local users to escalate their privileges. The driver is used on servers to perform tasks such as managing RAID controllers.
One flaw is that the device driver sets incorrect access rights on its \\.\I2OExc interface: Everyone is granted write access, so any user can open the interface even though it should be reserved for privileged users. In addition, the driver’s input and output routines (IOCTLs) fail to check buffers passed by the user, so that users can overwrite arbitrary memory and execute external code with maximum privileges.
According to iDefense, version 5.1.2600.2180 of the i2omgmt.sys driver in Windows XP SP2 and possibly older versions are vulnerable. Although the driver is intended for servers, the iDefense research team found that the driver is loaded on many client systems. Service Pack 3 for Windows XP contains the updated version 5.1.2600.5512 of the driver, in which the bug has been fixed.
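For administrators who want to check for this class of problem, the following added example (not code from iDefense or Microsoft) audits a device object's security descriptor, given as an SDDL string, for Allow entries that give Everyone write access, and compares a driver file version with the fixed version named above. The sample descriptors are constructed for illustration and the function names are hypothetical.

```python
import re

# Constructed sample security descriptors (SDDL); not taken from the advisory.
WEAK = "O:BAG:SYD:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;WD)"
TIGHT = "O:BAG:SYD:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GR;;;WD)"
HEX = "D:(A;;0x120116;;;S-1-1-0)"  # FILE_GENERIC_WRITE as a hex mask

EVERYONE = {"WD", "S-1-1-0"}            # SDDL alias and SID for Everyone
WRITE_CODES = {"GA", "GW", "FA", "FW"}  # generic/file all, generic/file write
# GENERIC_WRITE | GENERIC_ALL | FILE_WRITE_DATA
WRITE_BITS = 0x40000000 | 0x10000000 | 0x00000002
FIXED_VERSION = (5, 1, 2600, 5512)      # XP SP3 driver version named in the article


def dacl_aces(sddl):
    """Yield (ace_type, rights, trustee) for each ACE in the DACL part."""
    m = re.search(r"D:[^()]*((?:\([^()]*\))*)", sddl)
    if not m:
        return
    for ace in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = ace.split(";")
        if len(fields) >= 6:
            yield fields[0], fields[2], fields[5]


def grants_write(rights):
    """True if an SDDL rights field (letter codes or hex mask) includes write."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_BITS)
    return bool({rights[i:i + 2] for i in range(0, len(rights), 2)} & WRITE_CODES)


def everyone_write_aces(sddl):
    """Allow ACEs that give Everyone write access (deny ACEs are not modelled)."""
    return [(trustee, rights) for kind, rights, trustee in dacl_aces(sddl)
            if kind == "A" and trustee in EVERYONE and grants_write(rights)]


def is_fixed_version(version):
    """Compare a dotted file version against the fixed driver version."""
    return tuple(int(p) for p in version.split(".")) >= FIXED_VERSION


if __name__ == "__main__":
    for name, sddl in (("weak", WEAK), ("tight", TIGHT), ("hex", HEX)):
        print(name, everyone_write_aces(sddl))
    print("5.1.2600.2180 fixed?", is_fixed_version("5.1.2600.2180"))
```

A correct access list only closes the first flaw; the missing buffer checks in the IOCTL routines are fixed by the updated driver.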
- Microsoft Windows I2O Filter Utility Driver (i2omgmt.sys) Local Privilege Escalation Vulnerability, security advisory from iDefense