Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NGSEC-2004-7] NtRegmon, local system denial of service.

from [labs@NGSEC] Network Security [Permanent Link]
Subject: [NGSEC-2004-7] NtRegmon, local system denial of service.
Date: Wed, 25 Aug 2004 11:34:37 +0200 (CEST) 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                   Next Generation Security Technologies
                          http://www.ngsec.com
                            Security Advisory


       Title:   NtRegmon, local system denial of service.
          ID:   NGSEC-2004-7
 Application:   NtRegmon (http://www.sysinternals.com/ntw2k/source/regmon.shtml)
        Date:   14/Aug/2004
      Status:   Patched version available (6.12).
 Platform(s):   Windows OSs.
      Author:   Fermín J. Serna <fjserna@ngsec.com>
    Location:   http://www.ngsec.com/docs/advisories/NGSEC-2004-7.txt


Overview:
- ---------

NtRegmon is a Registry monitoring utility that will show you which applications
are accessing your Registry, which keys they are accessing, and the Registry
data that they are reading and writing - all in real-time. 

For its task NtRegmon hooks some kernel mode funtions (Registry functions) for
its logging purposes.

Regmon suffer from an unvalidated pointer referencing in some of this kernel
hooks. 

While any privileged user is using NtRegmon, any local and unauthorized user 
can crash the system.


Technical description:
- ----------------------

NtRegmon is a Registry monitoring utility that will show you which applications
are accessing your Registry, which keys they are accessing, and the Registry
data that they are reading and writing - all in real-time.


For its task NtRegmon hooks some kernel mode funtions (Registry functions) for
its logging purposes.

Regmon suffers from some unvalidated pointer referencing in some of this kernel
hooks. In example NtRegmon hooks ZwSetQueryValue declared as follows:

  NTSTATUS ZwSetQueryValue(DWORD KeyHandle, DWORD ValueName, DWORD TitleIndex,
                           DWORD Type, DWORD Data, DWORD DataSize);

The problem exists because NtRegmon does not properly check if some argument
pointers are valid or not. While any privileged user is using Regmon, any local
and unauthorized user can crash the system.

Sample exploitation cand be found:

         http://www.ngsec.com/downloads/exploits/ntregmon-dos.c


Recommendations:
- ----------------
Upgrade to NtRegmon version 6.12.

- --
More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
PGP Key: http://www.ngsec.com/pgp/labs.asc

Copyright(c) 2002-2004 NGSEC. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBLFeCKrwoKcQl8Y4RAjxYAKCYw9QhDRCxnJSXd2HFt9Zp/pRgYwCfQynV
/bdl2s6PNLcuP6kXn5pRSlg=
=P5Yq
-----END PGP SIGNATURE-----
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NGSEC-2004-7] NtRegmon, local system denial of service., labs@NGSEC <=
Previous by Date:  Computer Network Defence Vulnerability Alert State, Andy Cuff
Next by Date:  CDE libDtHelp LOGNAME Buffer Overflow Vulnerability, Jérôme
Previous by Thread:  Computer Network Defence Vulnerability Alert State, Andy Cuff
Next by Thread:  CDE libDtHelp LOGNAME Buffer Overflow Vulnerability, Jérôme
Indexes:  [Date] [Thread] [Top] [All Lists]