Threat level definition
Search:
Home
Bugtraq
Vulnerabilities
Mailing Lists
Jobs
Tools
Beta Programs
News
Infocus
Foundations
Microsoft
Unix
IDS
Incidents
Virus
Pen-Test
Firewalls
Columnists
Mailing Lists
Newsletters
Bugtraq
Focus on IDS
Focus on Linux
Focus on Microsoft
Forensics
Pen-test
Security Basics
Vuln Dev
Vulnerabilities
Jobs
Job Opportunities
Resumes
Job Seekers
Employers
Tools
RSS
News
Vulns
Security Research
BugTraq
Back to list
|
Post reply
[NGSEC-2004-6] IPD, local system denial of service.
Aug 17 2004 11:01AM
labs@NGSEC (labs ngsec com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Next Generation Security Technologies
http://www.ngsec.com
Security Advisory
Title: IPD, local system denial of service.
ID: NGSEC-2004-6
Application: IPD up to 1.4 (http://www.pedestalsoftware.com/)
Date: 14/Aug/2004
Status: Vendor contacted on 14/Aug/2004.
Platform(s): Windows OSs.
Author: Fermín J. Serna <fjserna (at) ngsec (dot) com [email concealed]>
Location: http://www.ngsec.com/docs/advisories/NGSEC-2004-6.txt
Overview:
- ---------
The IPD (Integrity protection driver) is an Open Source device driver
designed to prohibit the installation of new services and drivers and
to protect existing driver from tampering. It installs on Windows NT
and Windows 2000 computers.
In its security approach IPD hooks some kernel mode funtions and filters
them allowing or not their original purposes based on IPD's security
policy.
IPD suffers from an unvalidated pointer referencing in some of this kernel
hooks.
Technical description:
- ----------------------
The IPD (Integrity protection driver) is an Open Source device driver
designed to prohibit the installation of new services and drivers and
to protect existing driver from tampering. It installs on Windows NT
and Windows 2000 computers.
IPD is available for download at:
http://www.pedestalsoftware.com/download/ipd.zip
In its security approach IPD hooks some kernel mode funtions and filters
them allowing or not their original purposes based on IPD's securit
policy.
IPD suffers from some unvalidated pointer referencing in some of this kernel
hooks. In example IPD hooks ZwOpenSection declared as follows:
NTSTATUS ZwOpenSection(HANDLE Handle, DWORD mask, DWORD oa);
The problem exists because IPD does not properly check wether "oa" pointer
is valid or not. Any local and unauthorized user can crash the system with
some simple coding skills.
Sample exploitation cand be found:
http://www.ngsec.com/downloads/exploits/ipd-dos.c
Recommendations:
- ----------------
Since the vendor has discontinued the development and support of IPD,
NGSEC recomends to uninstall IPD or perform a deep source security audit
before re-enabling it.
- --
More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
PGP Key: http://www.ngsec.com/pgp/labs.asc
Copyright(c) 2002-2004 NGSEC. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBIeBaKrwoKcQl8Y4RAja+AJ9AAcQ+kbSlzihym+HNYA3Eje0oigCfSuKH
8Y5J6HnjXR1bYOBbCL1Jn9A=
=+YTS
-----END PGP SIGNATURE-----
[ reply ]
Privacy Statement
Copyright 2009, SecurityFocus
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Next Generation Security Technologies
http://www.ngsec.com
Security Advisory
Title: IPD, local system denial of service.
ID: NGSEC-2004-6
Application: IPD up to 1.4 (http://www.pedestalsoftware.com/)
Date: 14/Aug/2004
Status: Vendor contacted on 14/Aug/2004.
Platform(s): Windows OSs.
Author: Fermín J. Serna <fjserna (at) ngsec (dot) com [email concealed]>
Location: http://www.ngsec.com/docs/advisories/NGSEC-2004-6.txt
Overview:
- ---------
The IPD (Integrity protection driver) is an Open Source device driver
designed to prohibit the installation of new services and drivers and
to protect existing driver from tampering. It installs on Windows NT
and Windows 2000 computers.
In its security approach IPD hooks some kernel mode funtions and filters
them allowing or not their original purposes based on IPD's security
policy.
IPD suffers from an unvalidated pointer referencing in some of this kernel
hooks.
Technical description:
- ----------------------
The IPD (Integrity protection driver) is an Open Source device driver
designed to prohibit the installation of new services and drivers and
to protect existing driver from tampering. It installs on Windows NT
and Windows 2000 computers.
IPD is available for download at:
http://www.pedestalsoftware.com/download/ipd.zip
In its security approach IPD hooks some kernel mode funtions and filters
them allowing or not their original purposes based on IPD's securit
policy.
IPD suffers from some unvalidated pointer referencing in some of this kernel
hooks. In example IPD hooks ZwOpenSection declared as follows:
NTSTATUS ZwOpenSection(HANDLE Handle, DWORD mask, DWORD oa);
The problem exists because IPD does not properly check wether "oa" pointer
is valid or not. Any local and unauthorized user can crash the system with
some simple coding skills.
Sample exploitation cand be found:
http://www.ngsec.com/downloads/exploits/ipd-dos.c
Recommendations:
- ----------------
Since the vendor has discontinued the development and support of IPD,
NGSEC recomends to uninstall IPD or perform a deep source security audit
before re-enabling it.
- --
More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
PGP Key: http://www.ngsec.com/pgp/labs.asc
Copyright(c) 2002-2004 NGSEC. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBIeBaKrwoKcQl8Y4RAja+AJ9AAcQ+kbSlzihym+HNYA3Eje0oigCfSuKH
8Y5J6HnjXR1bYOBbCL1Jn9A=
=+YTS
-----END PGP SIGNATURE-----
[ reply ]