stop error
ZwQueryObject() method or
ObReferenceObjectByHandle()/ObQueryNameString() methods. The input buffers
for both IRP packets contain user-mode pointers that are completely
user-controllable. However, no checks are made for NULL pointers, an invalid
input buffer length, or otherwise invalid pointers, so a user can pass a
NULL input buffer and cause a BSOD.
Vulnerable code disassembly excerpt:
---
.text:1000120B push 0
.text:1000120D push 1000h
space memory as many times as necessary to modify kernel code or kernel
pointers to subsequently get code execution in ring 0 context (that
means, with system privileges).
This is the proof of concept I made to trigger and demonstrate the
vulnerability. It generates a Blue Screen of Death (BSOD) by trying to
write to an unpaged kernel-mode address (0x80808080), but any other
arbitrary address could be used.
/-----------
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss.
* Buffer overflow in system driver causes BSOD (CSCsl00618)
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
We have found that BitDefender Antivirus, Rising Antivirus, Comodo
Firewall and Sophos Antivirus have hooks that do not properly validate
the arguments of the hooked functions before accessing them, which leads to
the program referencing invalid memory and, in some scenarios, to a BSOD
(Blue Screen of Death).
In our tests we used the kernel-hook probing tool BSODhook [5] in order
to find any kind of insufficient argument validation in hooked SSDT
functions. From the Matousec paper [6]:
Release Date: 15/08/2009
+-------------------------------------------------+
Product: TheGreenBow VPN Client 4.61.003 (other versions could be affected)
Affected Component: tgbvpn.sys
Category: Local Denial of Service (BSOD)
(untested) Local Privilege Escalation
+-------------------------------------------------+
code within the CAB archive. There is no inspection of the content
at all.
Trendmicro decided not to patch the evasion bugs and proposed mitigation
recommendations instead; the reason given is that doing so would somehow increase
the risk of "buffer overflow and BSOD". I am positive that adding more
code and increasing detection rates is probably going to increase your chances
of having such flaws, but then again, the goal is to catch as much malware
as possible.
This is fine with me as long as customers know exactly what risk they run
ignored, here is the public disclosure.
+--------------------------------------------------------------------------+
Product: Avast antivirus 4.8.1351.0 (other versions could be affected)
Affected Component: aswMon2.sys 4.8.1351.0
Category: Local Denial of Service due to kernel memory corruption (BSOD)
(untested) Local Privilege Escalation
+---------------------------------------------------------------------------+
--------------------------[Details]--------------->
Web Site: http://www.novell.com/products/clients/
Platform: Windows
Bug: Local Stack overflow / B.S.O.D (unauthenticated user)
Impact: Critical
-------------------------------------------------------
1) Introduction
Description:
==========
Windows is a popular operating system released by Microsoft. Carefully crafted
EXE files in PE format on floppy disks, removable storage devices or network
shares might lead to a BSOD or even privilege escalation on Windows.
The Windows kernel parses and processes the accessed PE files. When traversing
the chains, the kernel does not correctly validate whether the pointer is NULL, so
carefully crafted PE files might trigger access to illegal memory addresses
within the kernel, leading to a BSOD or system restart. Locally logged in users
======================
Affected Product: Avast antivirus (other versions could be affected)
Product Version: 4.8.1356.0
Vulnerable Component: aswRdr.sys 4.8.1356.0 (avast! TDI RDR Driver)
Category: Local Denial of Service due to kernel memory corruption (BSOD)
(untested) Local Privilege Escalation
Notes: Tested on XP Sp0-Sp2 fixed faulting process IExplorer 6
======================
Details:
There is a vulnerability in AhnLab Antivirus which allows an attacker
to cause a BSOD (Blue Screen Of Death) or, potentially, arbitrary code execution.
This vulnerability can be exploited by persuading a user to visit a website.
While parsing a .ZIP file, the AhnLab Antivirus library does not
properly check the value of
BSOD or hard system hang due to a race condition in the win32k.sys code that
processes UnhookWindowsHookEx. Reproduced when a thread calls
UnhookWindowsHookEx many times while, at the same time, the active desktop
object is switched (SwitchDesktop) away from the desktop where the hooks are
being unhooked and window messages are broadcast to windows on that desktop.
Sample exploit code can be downloaded from: http://killprog.com/whk.zip
Works on Win'2k3 and Vista. XP seems to be immune to this.
//----- Description of vulnerability
The kl1.sys driver does not check the input address of an IOCTL. An exception can be
thrown if we modify one or two DWORDs.
In my tests I could not achieve any better exploitation than a BSOD.
//----- Credits
http://www.sysdream.com
http://ghostsinthestack.org
Hi all,
Just for the record, since the vulnerability is not only a DoS as stated
initially. Below are the technical details I found while verifying the flaw.
* This vulnerability is not only a BSOD flaw. It allows remote code
execution. The execution of code is far from being reliable though (at
the moment).
The flaw is an out-of-bounds index. We can fully control the 16-bit
value used as the index into the function table.
-----Original Message-----
From: nobody@nowhere.com [mailto:nobody@nowhere.com]
Sent: Wednesday, September 09, 2009 3:29 PM
To: bugtraq@securityfocus.com
Subject: Re: Re: Multiple RDP Connections BSOD DOS
Cannot reproduce.
In win32k.sys, DispatchMessage ends up calling xxxDefWindowProc, which, for
certain messages, dispatches through the gapfnScSendMessage function table.
On Windows 2000/XP/2003, message number 0x4c is routed to SfnINSTRING. When
lParam is non-NULL, this function treats lParam directly as a memory pointer
and reads data from that address. Although the function is wrapped in SEH,
passing an invalid kernel-mode address still causes a system BSOD.
Exploit code:
#include "stdafx.h"
Release Date: 23 December, 2008
Description:
PGP Desktop's PGPweded.sys driver does not sanitize user-supplied input (IOCTL), which leads to a driver crash that propagates through the system as a BSOD. The affected IOCTL is 0x80022038.
Proof-of-Concept:
http://www.evilfingers.com/advisory/PGPDesktop_9_0_6_Denial_Of_Service_POC.php
Credit:
for server and desktop computing systems.
A driver bundled with Cisco Security Agent for Windows does not correctly
check the data length provided by users when processing an SMB packet, which
might trigger a stack buffer overflow in the system kernel. A remote attacker
might cause a system with CSA installed to restart or BSOD. By sending carefully
crafted data an attacker might achieve remote code execution, thus gaining complete
control over the system.
By default CSA allows access to TCP ports 139 and 445. After establishing a
session to TCP ports 139 and 445, an attacker can complete an exploitation
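The CSA note above (a user-supplied data length copied without being checked, ending in a stack overflow) and the PE-file note earlier (offsets read from a file are attacker-controlled in the same way) both come down to one missing step: bounding every length and offset against the buffer it reaches before the copy. The following is an added example written for this page, not Cisco's, Microsoft's or any advisory's code. The record layout it parses is constructed for the demonstration; the names, the sample records and the status codes are all assumptions.

```c
/*
 * Added example (not from any advisory on this page): bounding an
 * attacker-supplied length and offset before copying into a fixed-size
 * buffer. Constructed record layout, little-endian:
 *   [u16 data_len][u16 data_off][bytes...]
 * data_off is relative to the start of the record.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_BUF 16   /* assumed size of the fixed stack buffer */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2, PARSE_BAD_OFFSET = 3 };

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* The pattern the advisories describe: length and offset are trusted, so a
 * record claiming data_len = 0xFFFF overruns the stack buffer. Shown for
 * contrast only; never feed it untrusted input. */
static size_t copy_name_unchecked(const uint8_t *rec, char *out)
{
    char name[NAME_BUF];
    uint16_t len = rd_le16(rec);
    uint16_t off = rd_le16(rec + 2);
    memcpy(name, rec + off, len);        /* no bound on len or off */
    memcpy(out, name, len);
    out[len] = '\0';
    return len;
}

/* Hardened form: every untrusted value is checked against the buffer it
 * reaches, and the comparisons are arranged so that off + len cannot wrap. */
static enum parse_status copy_name_checked(const uint8_t *rec, size_t rec_len,
                                           char *out, size_t out_len)
{
    if (rec_len < 4)
        return PARSE_TRUNCATED;          /* header itself is incomplete */
    uint16_t len = rd_le16(rec);
    uint16_t off = rd_le16(rec + 2);
    if (len == 0 || (size_t)len >= out_len)
        return PARSE_TOO_LONG;           /* keep room for the terminator */
    if (off < 4 || (size_t)off > rec_len || (size_t)len > rec_len - off)
        return PARSE_BAD_OFFSET;         /* data would lie outside the record */
    memcpy(out, rec + off, len);
    out[len] = '\0';
    return PARSE_OK;
}

/* Constructed sample records. */
static const uint8_t REC_GOOD[]  = { 0x05, 0x00, 0x04, 0x00, 'H', 'O', 'S', 'T', '1' };
static const uint8_t REC_HUGE[]  = { 0xFF, 0xFF, 0x04, 0x00, 'X' };          /* claims 65535 bytes */
static const uint8_t REC_OOB[]   = { 0x02, 0x00, 0x40, 0x00, 'A', 'B' };     /* offset past the end */
static const uint8_t REC_SHORT[] = { 0x08, 0x00, 0x04, 0x00, 'A', 'B' };     /* fits buffer, exceeds record */

/* Run a record through the checked parser and report only the status. */
static enum parse_status status_of(const uint8_t *rec, size_t rec_len)
{
    char out[NAME_BUF];
    return copy_name_checked(rec, rec_len, out, sizeof out);
}

/* 1 if the well-formed record yields the expected string, else 0. */
static int good_record_reads_host1(void)
{
    char out[NAME_BUF];
    if (copy_name_checked(REC_GOOD, sizeof REC_GOOD, out, sizeof out) != PARSE_OK)
        return 0;
    return strcmp(out, "HOST1") == 0;
}

int main(void)
{
    char out[NAME_BUF * 2];
    printf("unchecked, benign record: %zu bytes\n", copy_name_unchecked(REC_GOOD, out));
    printf("checked  good : %d\n", status_of(REC_GOOD, sizeof REC_GOOD));
    printf("checked  huge : %d\n", status_of(REC_HUGE, sizeof REC_HUGE));
    printf("checked  oob  : %d\n", status_of(REC_OOB, sizeof REC_OOB));
    printf("checked  short: %d\n", status_of(REC_SHORT, sizeof REC_SHORT));
    return 0;
}
```

The order of the checks matters: `off > rec_len` is tested before `len > rec_len - off` so the subtraction can never underflow, and the length is compared against the destination size separately from the record size, because either one alone still leaves a way to overrun.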
In win32k.sys, DispatchMessage ends up calling xxxDefWindowProc, which, for
certain messages, dispatches through the gapfnScSendMessage function table.
On Windows 2000/XP/2003, message number 0x4c is routed to SfnLOGONNOTIFY.
When wParam is 4, 13 or 12, this function reads data directly from the
address in lParam. Although the function uses SEH, passing an invalid
kernel-mode address still leads to a BSOD.
Pseudo-code:
if (wParam == 4 || wParam == 13 || wParam == 12)
{
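Several of the write-ups above share one root cause: a pointer that comes straight from user mode (an IOCTL input buffer, the kl1.sys and PGPweded.sys IOCTL arguments, the lParam handed to SfnINSTRING and SfnLOGONNOTIFY) is dereferenced in kernel mode without first being checked, and, as the win32k notes say, SEH around the dereference does not help once the address is a kernel address. The block below is an added example written for this page, not code from any of the advisories or vendors. It models the missing check in plain C so it compiles anywhere: MM_USER_PROBE_ADDRESS is an assumed constant standing in for the x86 value of MmUserProbeAddress, probe_user_range() imitates the outcome of ProbeForRead/ProbeForWrite without touching memory, and the request structure and handler names are hypothetical.

```c
/*
 * Added example (not from any advisory above): model of the
 * "probe before dereference" check that the vulnerable IOCTL and
 * window-message handlers skip. Windows names are imitated, not used.
 */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ntstatus_t;
#define STATUS_SUCCESS                0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT  0x80000002u
#define STATUS_ACCESS_VIOLATION       0xC0000005u
#define STATUS_INVALID_PARAMETER      0xC000000Du
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u

/* Assumed 32-bit layout: user mode ends here (x86 MmUserProbeAddress). */
#define MM_USER_PROBE_ADDRESS 0x7FFF0000u

/* Succeed only if [addr, addr+len) lies entirely in user space and is
 * aligned. Like ProbeForRead, a zero length probes nothing. The arithmetic
 * is arranged so addr + len cannot wrap around. */
static ntstatus_t probe_user_range(uint32_t addr, uint32_t len, uint32_t align)
{
    if (len == 0)
        return STATUS_SUCCESS;
    if (addr % align != 0)
        return STATUS_DATATYPE_MISALIGNMENT;
    if (addr >= MM_USER_PROBE_ADDRESS)
        return STATUS_ACCESS_VIOLATION;      /* kernel address, e.g. 0x80808080 */
    if (len > MM_USER_PROBE_ADDRESS - addr)
        return STATUS_ACCESS_VIOLATION;      /* range crosses into kernel space */
    return STATUS_SUCCESS;
}

/* Hypothetical METHOD_NEITHER request: both pointers and both lengths
 * arrive straight from the caller. */
struct ioctl_request {
    uint32_t in_ptr, in_len, out_ptr, out_len;
};

/* The check the advisories say is missing: reject NULL and short buffers
 * before any dereference, then range-probe what is left. */
static ntstatus_t validate_ioctl_request(const struct ioctl_request *r,
                                         uint32_t min_in, uint32_t min_out)
{
    ntstatus_t st;
    if (r->in_ptr == 0 || r->out_ptr == 0)
        return STATUS_INVALID_PARAMETER;     /* the NULL-input-buffer BSOD case */
    if (r->in_len < min_in || r->out_len < min_out)
        return STATUS_BUFFER_TOO_SMALL;
    st = probe_user_range(r->in_ptr, r->in_len, sizeof(uint32_t));
    if (st != STATUS_SUCCESS)
        return st;
    return probe_user_range(r->out_ptr, r->out_len, sizeof(uint32_t));
}

/* Convenience wrapper so a request can be checked from four scalars. */
static ntstatus_t check_request(uint32_t in_ptr, uint32_t in_len,
                                uint32_t out_ptr, uint32_t out_len)
{
    struct ioctl_request r = { in_ptr, in_len, out_ptr, out_len };
    return validate_ioctl_request(&r, sizeof(uint32_t), sizeof(uint32_t));
}

/* Same rule for a message argument such as SfnINSTRING's lParam: a
 * non-NULL value is only a pointer once it has passed the probe. This is
 * the step that SEH around the dereference cannot replace. */
static ntstatus_t validate_lparam_pointer(uint32_t lparam, uint32_t bytes_needed)
{
    if (lparam == 0)
        return STATUS_INVALID_PARAMETER;
    return probe_user_range(lparam, bytes_needed, 1);
}

int main(void)
{
    printf("NULL input buffer      -> 0x%08X\n", check_request(0, 0, 0x00400000u, 0x10));
    printf("both buffers in user   -> 0x%08X\n", check_request(0x00401000u, 0x10, 0x00402000u, 0x10));
    printf("lParam = 0x80808080    -> 0x%08X\n", validate_lparam_pointer(0x80808080u, 4));
    printf("lParam ends at boundary-> 0x%08X\n", validate_lparam_pointer(0x7FFEFFFFu, 2));
    return 0;
}
```

The last two checks are the ones handlers most often get wrong: a buffer that starts in user space but ends in kernel space, and a start address near the top of the address space whose end wraps to zero. Both are rejected here by comparing the length against the remaining user-space room rather than computing an end address.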