Secunia Research: AnywhereUSB Drivers IOCTL Handling Privilege Escalation Vulnerability

======================================================================

                    Secunia Research 03/08/2016

           LibGD "_gdContributionsAlloc()" Integer Overflow 
	              Denial of Service Vulnerability

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerabilities.......................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

* AnywhereUSB Drivers awusbsys.sys driver version 3.80.200.
  Prior versions may also be affected.

======================================================================
2) Severity

Rating: Less critical
Impact: Privilege escalation
Where:  From local system

======================================================================
3) Description of Vulnerabilities

Secunia Research has discovered a vulnerability in AnywhereUSB
Drivers, which can be exploited by malicious, local users to gain
escalated privileges.

The vulnerability is caused due to an error in the awusbsys.sys driver
when handling IOCTL requests 0x222008, 0x22200C, and 0x222010 and can
be exploited to execute arbitrary code with kernel privileges.

======================================================================
4) Solution

Update to version 3.82.207 (Rev N) June 2016.

======================================================================
5) Time Table

03/03/2016 - Request of security contact.
03/03/2016 - Vendor responds with PGP key, security contact, and
             request adjustment of preliminary release date.
07/03/2016 - Provided details to the vendor and preliminary release
             date adjusted to May 9, 2016.
08/03/2016 - Acknowledgement of receipt.
09/03/2016 - Provision of preliminary patches by the vendor.
11/03/2016 - Response that patches fix the issue.
10/05/2016 - Request of status as preliminary date has passed.
10/05/2016 - Vendor requests confirmation of the fix and
             requests delay of release.
11/05/2016 - Confirmation of fix.
30/05/2016 - Request of status update.
09/06/2016 - Further request of status update.
17/06/2016 - Release of Secunia Advisory SA68000 due to noticing
             public version release.
03/08/2016 - Public disclosure of Research Advisory.

======================================================================
6) Credits

Discovered by Dmitry Janushkevich, Secunia Research at Flexera
Software.

======================================================================
7) References

Currently no CVE identifier is assigned.

======================================================================
8) About Secunia (now part of Flexera Software)

In September 2015, Secunia has been acquired by Flexera Software:

https://secunia.com/blog/435/

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/products/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/company/jobs/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2016-10/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================