An Access Control List (ACL) bypass in the F-Secure Gatekeeper driver allows local privilege escalation through kernel memory corruption.
It was discovered that it is possible to bypass the Access Control List (ACL) for the F-Secure Gatekeeper device driver, even when access rights are granted only to an Administrator or SYSTEM account. This is caused by the FILE_DEVICE_SECURE_OPEN flag not being set when the device object is created. A successful bypass of the ACL allows an attacker to manipulate a kernel buffer allocation, resulting in memory corruption. Successful exploitation results in local privilege escalation from a normal user account to an administrator or system account.
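The reason the missing flag matters is a documented Windows I/O manager rule: a device object's security descriptor is always applied when the open names the device itself, but for an open that carries a trailing name after the device name it is applied only if the device was created with the FILE_DEVICE_SECURE_OPEN characteristic (the DeviceCharacteristics argument of IoCreateDevice / IoCreateDeviceSecure); without it, enforcing access on such opens is left to the driver's own IRP_MJ_CREATE handler. The following Python model of that rule is an added illustration, not F-Secure code and not driver code: the device name, SIDs, ACL and paths are constructed, and it exists only to show which open requests the ACL actually covers with and without the flag.

```python
"""Model of how the Windows I/O manager applies a device object's security
descriptor on IRP_MJ_CREATE, depending on FILE_DEVICE_SECURE_OPEN.
Added illustration, not F-Secure code: device name, SIDs and paths are constructed."""
from dataclasses import dataclass

# Real value of the device characteristic from the WDK (wdm.h).
FILE_DEVICE_SECURE_OPEN = 0x00000100

# Well-known SIDs used as caller identities in this model.
SYSTEM_SID = "S-1-5-18"
ADMINS_SID = "S-1-5-32-544"
USERS_SID = "S-1-5-32-545"


@dataclass(frozen=True)
class DeviceObject:
    name: str                 # NT object name, e.g. "\\Device\\ExampleFilter" (constructed)
    characteristics: int      # DeviceCharacteristics passed at creation
    allowed_sids: frozenset   # SIDs granted access by the device's security descriptor


class AccessDenied(Exception):
    pass


def split_open_path(path, devices):
    """Resolve an NT path to (device, trailing_name).  The longest device name
    that prefixes the path wins; whatever is left is the trailing name that the
    driver later sees as the IRP's FileName."""
    best = None
    for dev in devices:
        if path == dev.name or path.startswith(dev.name + "\\"):
            if best is None or len(dev.name) > len(best.name):
                best = dev
    if best is None:
        raise FileNotFoundError(path)
    return best, path[len(best.name):].lstrip("\\")


def io_manager_create(devices, path, caller_sid):
    """Model of the I/O manager's access check before IRP_MJ_CREATE is sent.

    The device ACL is applied when the path names the device itself.  With a
    trailing name present it is applied only if FILE_DEVICE_SECURE_OPEN is set;
    otherwise the check is skipped and the driver must enforce access itself.
    Returns the trailing name delivered to the driver on success."""
    device, trailing = split_open_path(path, devices)
    must_check = (trailing == "") or bool(device.characteristics & FILE_DEVICE_SECURE_OPEN)
    if must_check and caller_sid not in device.allowed_sids:
        raise AccessDenied(f"{caller_sid} denied on {path}")
    return trailing


def opens_allowed(device, caller_sid, paths):
    """Map each path to whether the caller's open reaches the driver (model)."""
    result = {}
    for p in paths:
        try:
            io_manager_create([device], p, caller_sid)
            result[p] = True
        except AccessDenied:
            result[p] = False
    return result


ADMIN_OR_SYSTEM = frozenset({SYSTEM_SID, ADMINS_SID})

# Device created without the flag: only the bare device name is protected by the ACL.
WEAK_DEVICE = DeviceObject("\\Device\\ExampleFilter", 0, ADMIN_OR_SYSTEM)
# Same ACL, but created with FILE_DEVICE_SECURE_OPEN: every open is checked.
FIXED_DEVICE = DeviceObject("\\Device\\ExampleFilter", FILE_DEVICE_SECURE_OPEN, ADMIN_OR_SYSTEM)

# Constructed open paths: the device itself, and the device with a trailing name.
PATHS = ["\\Device\\ExampleFilter", "\\Device\\ExampleFilter\\x"]

if __name__ == "__main__":
    for label, dev in (("without flag", WEAK_DEVICE), ("with flag", FIXED_DEVICE)):
        print(label, "normal user:", opens_allowed(dev, USERS_SID, PATHS))
        print(label, "admin:", opens_allowed(dev, ADMINS_SID, PATHS))
```

Running the model shows the gap the advisory describes: with the flag clear, a normal user is refused on the bare device name yet reaches the driver through an open with a trailing name, so a restrictive ACL alone is not sufficient. Setting the characteristic at creation time (IoCreateDeviceSecure with a restrictive SDDL string plus FILE_DEVICE_SECURE_OPEN) closes that path for every open without changing the ACL.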
| Component | Version | Fix |
|---|---|---|
| fsgk.sys | 10.80.110.65 | Fix is available in the automatic update channel for all affected products. No user action is needed if automatic updates are enabled. |
F-Secure Corporation would like to thank Ilja van Sprundel from IOActive and Thierry Decroix for bringing this issue to our attention.
Date Issued: 2015-09-01