[NT] CORE FORCE Kernel Buffer Overflow

Subject: [NT] CORE FORCE Kernel Buffer Overflow
Date: 20 Jan 2008 13:28:45 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  CORE FORCE Kernel Buffer Overflow
------------------------------------------------------------------------


SUMMARY

CORE FORCE <http://force.coresecurity.com/> is "the first community 
oriented security solution for personal computers that provides a 
comprehensive endpoint security solution for Windows 2000 and Windows XP 
systems".

CORE FORCE provides inbound and outbound stateful packet filtering for 
TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular 
file system and registry access control and programs' integrity 
validation. These capabilities can be configured and enforced system-wide 
or on a per-application basis for specific programs such as email readers, 
Web browsers, media players, messaging software, etc. The security 
framework provided by CORE FORCE is leveraged by a community of security 
experts that share their security configurations for a growing list of 
programs. These security profiles can be downloaded by any user of CORE 
FORCE from the community Web site and they're also completely open so that 
they can be peer-reviewed to minimize security hazards.

Locally exploitable kernel buffer overflow vulnerabilities and improperly 
validated input arguments have been found in the CORE FORCE Firewall and 
Registry modules. The vulnerabilities allow unprivileged logged-on users 
to crash the system (denial of service), and they may also lead to 
privilege escalation or even a local root exploit.

DETAILS

Vulnerable Systems:
 * CORE FORCE version 0.95.167 and below

Immune Systems:
 * CORE FORCE version 0.95.172

Technical Description / Proof of Concept Code
The firewall functionality of CORE FORCE is a port of OpenBSD's PF 
firewall implemented as an NDIS-compliant kernel driver that mediates 
communications between the network card and the TCP/IP stack of the 
operating system. Thus stateful, bi-directional firewalling rules can be 
enforced independently of the Windows OS firewall capabilities and at a 
deeper layer, closer to the wire. The kernel driver is accessible to 
user-mode applications via IOCTL functions.

There are 4 IOCTL functions in the firewall driver module that use input 
received from userspace and do not validate the length of the input 
buffers properly. By calling any of these IOCTLs with properly crafted 
arguments, an unprivileged user could trigger vulnerabilities in the 
driver and cause a denial of service or potentially execute arbitrary 
code with elevated privileges.

Similarly, 7 other SSDT hook handler functions in the driver that 
intercepts Registry access on Windows are vulnerable to input validation 
errors.
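The length-validation defect described above, modelled as an added C example (not CORE FORCE code and not from the advisory): a user-mode stand-in for a METHOD_BUFFERED IOCTL dispatch routine, with the vulnerable pattern that trusts caller-supplied lengths beside the hardened form that first checks the kernel-provided InputBufferLength against the request header and then bounds every length the request itself carries. The rule_request layout, its field names and the status constants are assumptions made for the illustration; the same rule of validating user-supplied sizes before use applies to the SSDT hook handlers mentioned above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-mode model of a METHOD_BUFFERED IOCTL dispatch routine.
 * This is NOT CORE FORCE code: the request layout, the rule-name field and
 * the status codes are hypothetical stand-ins. In a real Windows driver the
 * outer length comes from Parameters.DeviceIoControl.InputBufferLength and
 * the inner one from whatever the caller placed inside the buffer. */

#define STATUS_SUCCESS            0
#define STATUS_BUFFER_TOO_SMALL   1
#define STATUS_INVALID_PARAMETER  2

#define MAX_RULE_NAME 16

/* Hypothetical request: a firewall-rule name plus a caller-declared length. */
struct rule_request {
    uint32_t name_len;                 /* supplied by user mode: untrusted */
    char     name[MAX_RULE_NAME];
};

/* The two IRP fields a buffered-IOCTL handler actually receives. */
struct io_request {
    const void *input_buffer;          /* system buffer copied from user mode */
    size_t      input_buffer_length;   /* length the caller passed to DeviceIoControl */
};

/* Vulnerable pattern: assumes a full request arrived and uses the embedded
 * name_len as the copy size. A short buffer reads past the system buffer;
 * an oversized name_len overruns 'out'. Shown for contrast and only ever
 * called here with a well-formed request. */
int handle_rule_vulnerable(const struct io_request *irp, char out[MAX_RULE_NAME + 1])
{
    const struct rule_request *req = irp->input_buffer;
    memcpy(out, req->name, req->name_len);
    out[req->name_len] = '\0';
    return STATUS_SUCCESS;
}

/* Hardened pattern: validate the kernel-provided length before touching the
 * request, then validate every length the request carries against the fixed
 * field it indexes. */
int handle_rule_hardened(const struct io_request *irp, char out[MAX_RULE_NAME + 1])
{
    const struct rule_request *req;

    if (irp->input_buffer == NULL ||
        irp->input_buffer_length < sizeof(struct rule_request))
        return STATUS_BUFFER_TOO_SMALL;

    req = irp->input_buffer;
    if (req->name_len > MAX_RULE_NAME)
        return STATUS_INVALID_PARAMETER;

    memcpy(out, req->name, req->name_len);
    out[req->name_len] = '\0';
    return STATUS_SUCCESS;
}

/* Helper: build a request carrying 'name_len', tell the handler that only
 * 'claimed_len' bytes arrived, and return the status it produces. */
int probe_hardened(size_t claimed_len, uint32_t name_len, char out[MAX_RULE_NAME + 1])
{
    struct rule_request req;
    struct io_request irp;

    memset(&req, 0, sizeof req);
    req.name_len = name_len;
    memcpy(req.name, "block_smtp_out", 14);   /* constructed sample rule name */

    irp.input_buffer = &req;
    irp.input_buffer_length = claimed_len;
    return handle_rule_hardened(&irp, out);
}

int main(void)
{
    char out[MAX_RULE_NAME + 1];
    struct rule_request good = { 14, "block_smtp_out" };   /* constructed */
    struct io_request good_irp = { &good, sizeof good };

    /* Both handlers agree on well-formed input; they differ on hostile input. */
    handle_rule_vulnerable(&good_irp, out);
    printf("vulnerable, well-formed -> %s\n", out);
    printf("hardened, well-formed   -> %d (%s)\n",
           probe_hardened(sizeof(struct rule_request), 14, out), out);
    printf("hardened, 4-byte buffer -> %d\n", probe_hardened(4, 14, out));
    printf("hardened, name_len 4096 -> %d\n",
           probe_hardened(sizeof(struct rule_request), 4096, out));
    return 0;
}
```

The two checks in the hardened handler are the ones the advisory says were missing: reject any request shorter than its fixed header before dereferencing it, and treat every size field inside the request as attacker-controlled until it has been compared with the buffer it indexes. In a real driver the rejections would be returned as the corresponding NTSTATUS values and the IRP completed with no bytes transferred.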

All the vulnerabilities can be reproduced by running a combination of the 
DC2 and BSODHook tools.

Step by step instructions:
- Get DC2.exe (Driver Path Verifier) from the latest Windows Driver Kit.
- Log in as an unprivileged user.
- Run "dc2 /hct /a".
- Get BSODHook.exe from Matousec [3].
- Click on "Load Driver" then click on "Find SSDT hooks" then "Add to 
probe list" and then "GO".

Report Timeline
2007-11-04: Initial notification by independent researcher Sebastian 
Gottschalk.
2007-11-05: Email acknowledging reception of the bug reports and 
indicating that looking into the report would probably take Core more than 
a week. Core requested details to reproduce a second type of bug related 
to hooking of the SSDT.
2007-11-05: Email from Sebastian Gottschalk indicating that the BSODhook 
from Matousec [3] could be used to reproduce the SSDT hooking problems.
2007-11-19: A fix is produced by the Core Force team. Core asks the 
researcher whether he wants to be credited for the discovery in the 
advisory.
2007-11-22: Sebastian Gottschalk agrees to be credited.
2007-11-28: Email sent to Sebastian Gottschalk indicating that Core found a 
bug in the fix and will have to delay publication of a fixed version of 
Core Force.
2007-11-29: New fix committed by the Core Force team.
2007-12-17: Other functions were also found vulnerable in the Registry 
module.
2008-01-07: New fix committed by the Core Force team.
2008-01-17: CORE-2007-1119 advisory is published.

References
[1] CORE FORCE: http://force.coresecurity.com/
[2] Driver testing: http://blogs.msdn.com/ravig/default.aspx
[3] Matousec: http://www.matousec.com/projects/windows-personal-firewall-analysis/plague-in-security-software-drivers.php


ADDITIONAL INFORMATION

The information has been provided by CORE Security Technologies Advisories 
<mailto:advisories@coresecurity.com>.
The original article can be found at: 
http://www.coresecurity.com/?action=item&id=2025


