STANFORD UNIVERSITY

SECURE COMPUTING

Security Alerts

November 13, 2007

Campus Security Notice: Zero-Day Vulnerability in Macrovision Secdrv Driver

A zero-day vulnerability was disclosed within a third-party driver that is
shipped with all versions of Windows XP and Windows 2003. This driver,
secdrv.sys, was developed by Macrovision as part of SafeDisc. The
vulnerability allows a local non-privileged user to elevate his/her
privileges to Local System, leading to complete system compromise.

This vulnerability requires a user to be logged in locally or executing code
on a host, and can be exploited remotely via remote desktop applications
such as Citrix and Windows Terminal Services (RDP). A few Stanford hosts
were recently compromised via the Citrix route, and it is imperative that
measures be undertaken to remove the vulnerable driver from Windows 2003
Server hosts. An alternate route of entry would be to combine an exploit for
this vulnerability with another user-based remote exploit (e.g. a worm).
This would allow the attacker to launch a remote attack, execute code that
then launches this attack, and subsequently elevate system privileges.

Since there is no patch released to date from either Microsoft or
Macrovision, at the moment we recommend the vulnerable driver be removed
from installed Windows 2003 Server hosts here on campus. The ITS Windows
Systems Team has provided steps to manually remove the driver via the
command line interface, and to restore it (backout) if necessary.

If a backout strategy is needed, back up (export) the original Secdrv
registry key and save a copy of "secdrv.sys" to a temp directory (or
removable disk) before performing the removal steps. For example, you can
create a temp directory "c:\secdrv" for the registry key and the driver.
In this case, run RegEdt32 from the command line and navigate to the
following registry key:

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Secdrv"

and export it (File/Export...) to the temp directory. Then copy the secdrv
driver to the temp directory (or flash drive):

Copy c:\windows\system32\drivers\secdrv.sys c:\secdrv

If you choose to back out, you will import this registry key back into the
system; those steps are detailed below.

---------------------------------------------------------------------------------------------------------------------------

To uninstall "secdrv.sys" from Windows 2003 Server, run the following
script with administrator privilege:

REM ***** (remark) Stops driver if running *****
sc stop secdrv
REM ***** Deletes vuln driver from OS **********
sc delete secdrv
REM ***** Deletes vuln driver file from file system ******
del c:\windows\system32\drivers\secdrv.sys
REM ****** Done! ********

--------------------------------------------------------------------------------------------------------------------------

To restore secdrv.sys (backout) on Windows 2003 Server, run the following
with administrator privilege:

REM ***** Copy the driver back to the system driver directory *******
Copy c:\secdrv\secdrv.sys c:\windows\system32\drivers
REM ***** Import/merge the backed-up Secdrv registry key: double-click the
REM ***** exported .reg file, or use RegEdt32 (File/Import...)
REM **** Recreate the Secdrv service *****************
sc create secdrv binpath= c:\windows\system32\drivers\secdrv.sys
REM ***** Start the secdrv service if necessary (if it was running before)
sc start secdrv
REM ***** Done

!! Note the space character between "=" and
"c:\windows\system32\drivers\secdrv.sys" in the "sc create" command above.
An alternate method to restore "secdrv.sys" is to omit the "sc create" step
and reboot the server.

Once the removal has completed satisfactorily, you can delete the secdrv
driver and registry export from the temp folder.
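The backup and removal steps above, combined into one script with checks at each step, as an added example that is not the ITS Windows Systems Team's script. It assumes the c:\secdrv backup directory from this notice and must be run with administrator privilege; the was_running.txt marker file and the use of reg.exe (instead of RegEdt32 File/Export) are this example's own choices.

```batch
@echo off
REM Added example, not the ITS Windows Systems Team script: back up the
REM Secdrv service key and driver, remove both, then verify. Assumes the
REM c:\secdrv backup directory from the notice; the was_running.txt marker
REM and the use of reg.exe instead of RegEdt32 are this script's own choices.
setlocal
set BACKUP=c:\secdrv
set DRIVER=%SystemRoot%\system32\drivers\secdrv.sys
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\Secdrv

REM 1. Is the service registered at all? sc query prints error 1060 if not.
sc query secdrv | find /i "SERVICE_NAME" >nul
if errorlevel 1 (
    echo secdrv service is not installed on this host; nothing to remove.
    goto :verify
)
if not exist "%BACKUP%" mkdir "%BACKUP%"

REM 2. Record whether it was running so a backout knows to "sc start" it.
sc query secdrv | find "RUNNING" >nul
if not errorlevel 1 echo running> "%BACKUP%\was_running.txt"

REM 3. Export the service key first; abort before touching anything if the
REM    export fails (reg.exe on XP/2003 has no overwrite switch, so clear
REM    any stale export by hand).
if exist "%BACKUP%\secdrv.reg" del "%BACKUP%\secdrv.reg"
reg export %KEY% "%BACKUP%\secdrv.reg"
if errorlevel 1 (
    echo Registry export failed; aborting without removing anything.
    exit /b 1
)

REM 4. Save the driver binary, then stop and delete the service and file.
if exist "%DRIVER%" copy /y "%DRIVER%" "%BACKUP%" >nul
sc stop secdrv >nul
sc delete secdrv
if exist "%DRIVER%" del /f "%DRIVER%"

:verify
REM 5. The service must now be unknown to sc (error 1060) and the file gone.
sc query secdrv | find "1060" >nul
if errorlevel 1 echo WARNING: secdrv still registered; a reboot may be needed.
if exist "%DRIVER%" (
    echo WARNING: %DRIVER% is still present.
) else (
    echo OK: driver file removed.
)
endlocal
```

To back out, the exported key can be re-imported with "reg import c:\secdrv\secdrv.reg" before recreating the service, and was_running.txt tells you whether "sc start secdrv" is needed.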

The ISO would like to thank Jason Craig, Sean Riordan, and the ITS Windows
Systems Group for their assistance and support.

References:

http://www.symantec.com/enterprise/security_response/weblog/2007/10/privilege_escalation_exploit_i.html

http://www.securityfocus.com/bid/26121/info

http://research.eeye.com/html/alerts/zeroday/20071016.html

Last modified Wednesday, 23-Jan-2008 06:48:46 PM
