
Blue Screen

Re: Multiple RDP Connections BSOD DOS

> (different computers, both 64-bit) even with creating 200 connections.
> Could you provide more information on your setup?
>
> Tim Medin wrote:
>> Creating multiple RDP connections at the same time causes Windows to
>> Blue Screen. Here is the Proof of Concept code.
>>
>> for /L %i in (1,1,20) do mstsc /v:127.0.0.%i
>>
>> It does work on Windows 7 and some Vista installations.
>>                       -Tim Medin

Re: Multiple RDP Connections BSOD DOS

On Sep 8, 2009, at 11:35 AM, Tim Medin wrote:

> Creating multiple RDP connections at the same time causes Windows to
> Blue Screen. Here is the Proof of Concept code.
>
> for /L %i in (1,1,20) do mstsc /v:127.0.0.%i
>
> It does work on Windows 7 and some Vista installations.
>                       -Tim Medin

Re: Multiple RDP Connections BSOD DOS

(different computers, both 64-bit) even with creating 200 connections. 
Could you provide more information on your setup?

Tim Medin wrote:
> Creating multiple RDP connections at the same time causes Windows to
> Blue Screen. Here is the Proof of Concept code.
>
> for /L %i in (1,1,20) do mstsc /v:127.0.0.%i
>
> It does work on Windows 7 and some Vista installations.
>                       -Tim Medin

Multiple RDP Connections BSOD DOS

Creating multiple RDP connections at the same time causes Windows to
Blue Screen. Here is the Proof of Concept code.

for /L %i in (1,1,20) do mstsc /v:127.0.0.%i

It does work on Windows 7 and some Vista installations.
                      -Tim Medin



Cisco Security Advisory: Cisco Security Agent for Windows System Driver Remote Buffer Overflow Vulnerability


A buffer overflow vulnerability exists in a system driver used by the
Cisco Security Agent for Microsoft Windows. This buffer overflow can be
exploited remotely and causes corruption of kernel memory, which leads
to a Windows stop error (blue screen) or to arbitrary code execution.

The vulnerability is triggered during processing of a crafted TCP
segment destined to TCP port 139 or 445. These ports are used by the
Microsoft Server Message Block (SMB) protocol.


iDefense Security Advisory 07.28.08: Hewlett-Packard OVIS Probe Builder Arbitrary Process Termination Vulnerability

III. ANALYSIS

Exploitation allows an attacker to kill any process, including critical
system processes like services.exe, lsass.exe, csrss.exe. Killing a
system process usually results in a blue screen or a mandatory reboot
message. To exploit this vulnerability, the attacker must know the
process ID to terminate. A remote attacker can brute force the
process ID and cause the system to crash.

IV. DETECTION

Re: Vulnerabilities in some SCADA server softwares

> visibility, and therefore customers install the patches quicker." ...
> When someone "full discloses" a vulnerability, there is no patch to
> install quicker. This is obvious because there is no patch until either
> the vendor releases one, or staff using the product are capable of
> creating a work-around. In the case of the SCADA environment, we (again)
> are not talking about the potential of a defacement, blue screen, silly
> shell, we're talking about sensor, gears and often so much automation
> that it would be absurd for a SCADA engineer to "go it alone" and try
> to create their own patch. Many of these systems don't have the option of
> failing or being taken offline. You also state: "Without public
> visibility, they will keep running the old code" the reality is, no one

Microsoft VISTA TCP/IP stack buffer overflow

Since this buffer overflow overwrites kernel memory, it could be possible that members of the Network Configuration Operator group exploit this and take control over the operating system without any restriction. 

Impact 
----------------------------- 
1.      When adding a route entry to the IPv4 routing table using the method CreateIpForwardEntry2 and passing an illegal value greater than 32 [2] for the destination PrefixLength member in the DestinationPrefix structure contained in the MIB_IPFORWARD_ROW2 structure [3], kernel space memory is corrupted, resulting in random blue screen crashes. The crash does not always occur instantly after executing the provided sample program; it may take a while until the corrupted memory is accessed, causing the operating system to crash with a blue screen. It seems that larger illegal values [2] trigger the crash earlier; during research in our labs it proved that passing the illegal values 129 and 255 accelerates the occurrence of the crash.

2.      In addition, we were able to reproduce this issue without the sample program, using the built-in "route add" command. It seems "route add" uses the same method as our sample program, hence creates the same buffer overflow when called with an illegal value for the network mask. The syntax we used on the command line is as follows:

          route add 1.2.3.4/240 4.3.2.1


CORE-2008-0320 - Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls

We have found that BitDefender Antivirus, Rising Antivirus, Comodo
Firewall and Sophos Antivirus have hooks that do not properly validate
the arguments of the hooked functions before accessing them, and lead to
the program trying to reference some invalid memory, leading in some
scenarios to a BSOD (Blue Screen of Death).

In our tests we used the kernel hooks probing tool BSODhook [5] in order
to find any kind of insufficient argument validation of hooked SSDT
functions. From Matousec paper [6]:


Re: Vulnerabilities in some SCADA server softwares

No, it is not obvious that no patch is available.  Quite often patches
or upgrades do exist, but they have not been deployed.  Sometimes the
SCADA vendor is responsible for trying to charge more, also.

> In the case of the SCADA environment, we (again)
> are not talking about the potential of a defacement, blue screen, silly
> shell, we're talking about sensor, gears and often so much automation
> that it would be absurd for a SCADA engineer to "go it alone" and try
> to create their own patch. Many of these systems don't have the option of
> failing or being taken offline. You also state: "Without public
> visibility, they will keep running the old code" the reality is, no one

CORE-2008-0716 - Sun xVM VirtualBox Privilege Escalation Vulnerability

space memory as many times as necessary to modify kernel code or kernel
pointers to subsequently get code execution in ring 0 context (that
means, with system privileges).

This is the Proof of Concept I have made to trigger and show the
vulnerability. This will generate a Blue Screen of Death (BSOD) trying
to write to an unpaged kernel mode address (0x80808080) but any other
arbitrary address could be used.


