Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Compuware SoftICE Local DoS (DbgMsg Driver)

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Compuware SoftICE Local DoS (DbgMsg Driver)
Date: 31 May 2005 18:20:33 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Compuware SoftICE Local DoS (DbgMsg Driver)
------------------------------------------------------------------------


SUMMARY

Compuware's SoftICE is "a powerful system-wide debugger that supports 
source level debugging of any software, driver, service, and most BIOS 
code on either a single or dual machine configuration".

By crafting a special interrupt request for interrupt 2d, an attacker can 
cause a denial of service to SoftICE which in turn will cause the entire 
operating system to crash.

DETAILS

Vulnerable Systems:
 * DriverStudio version 3.2
 * DriverStudio version 3.1

On Windows NT based operating systems Debug Messages are being sent by 
executing the OutputDebugString API (ring3 applications) or by executing 
DbgPrint() function (also known as KdPrint(), mostly used by ring0 
"applications").

However only kernel mode functions can execute the DbgPrint() function, 
due to the fact that it is a function exported by NTDLL.DLL. By 
disassembling the calls of the function, the out put will show that it 
uses INT 2Dh.

Code Snips:
mov ecx,offset some_string      ; Debug Message offset
xor edx,edx                     ; second Param (NULL in this case)
mov eax,1                       ; Service Type here defined as
                                ; BREAKPOINT_PRINT (=1)

int 2dh
int 3
nop                        <--- int 2dh returns here not to int 3

Therefore when SoftICE is installed, the driver DbgMsg.sys is loaded (user 
should also notice that even when SoftICE is not active, the system is 
still vulnerable because of the driver), executed 2d interrupt will be 
firstly filtered by DbgMsg.sys routine (This is probably provided to give 
the ability to capture Debug Messages and display them into the debugger 
window).

However the driver doesn't validate the Debug Message pointer properly, 
this can cause an machine to crash when the pointer is invalid.

Executing a specially crafted "int 2dh" request will cause local machine 
to crash on system with DbgMsg.sys driver installed, *even* when SoftICE 
is not active. This attack can be also used as a very nasty anti-debugging 
trick against SoftICE users.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:bania.piotr@gmail.com> Piotr 
Bania .
The original article can be found at:  
<http://pb.specialised.info/all/adv/sice-adv.txt> 
http://pb.specialised.info/all/adv/sice-adv.txt



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Compuware SoftICE Local DoS (DbgMsg Driver), SecuriTeam <=
Previous by Date:  [NT] Stronghold DoS, SecuriTeam
Previous by Thread:  [NT] Stronghold DoS, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]