lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040825093437.9E03E1FDAD@blackpill.ngsec.com>
Date: Wed, 25 Aug 2004 11:34:37 +0200 (CEST)
From: labs@...EC <labs@...ec.com>
To: bugtraq@...urityfocus.com
Subject: [NGSEC-2004-7] NtRegmon, local system denial of service.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                   Next Generation Security Technologies
                          http://www.ngsec.com
                            Security Advisory


       Title:   NtRegmon, local system denial of service.
          ID:   NGSEC-2004-7
 Application:   NtRegmon (http://www.sysinternals.com/ntw2k/source/regmon.shtml)
        Date:   14/Aug/2004
      Status:   Patched version available (6.12).
 Platform(s):   Windows OSs.
      Author:   Fermín J. Serna <fjserna@...ec.com>
    Location:   http://www.ngsec.com/docs/advisories/NGSEC-2004-7.txt


Overview:
- ---------

NtRegmon is a Registry monitoring utility that will show you which applications
are accessing your Registry, which keys they are accessing, and the Registry
data that they are reading and writing - all in real-time. 

For its task NtRegmon hooks some kernel mode funtions (Registry functions) for
its logging purposes.

Regmon suffer from an unvalidated pointer referencing in some of this kernel
hooks. 

While any privileged user is using NtRegmon, any local and unauthorized user 
can crash the system.


Technical description:
- ----------------------

NtRegmon is a Registry monitoring utility that will show you which applications
are accessing your Registry, which keys they are accessing, and the Registry
data that they are reading and writing - all in real-time.


For its task NtRegmon hooks some kernel mode funtions (Registry functions) for
its logging purposes.

Regmon suffers from some unvalidated pointer referencing in some of this kernel
hooks. In example NtRegmon hooks ZwSetQueryValue declared as follows:

  NTSTATUS ZwSetQueryValue(DWORD KeyHandle, DWORD ValueName, DWORD TitleIndex,
                           DWORD Type, DWORD Data, DWORD DataSize);

The problem exists because NtRegmon does not properly check if some argument
pointers are valid or not. While any privileged user is using Regmon, any local
and unauthorized user can crash the system.

Sample exploitation cand be found:

         http://www.ngsec.com/downloads/exploits/ntregmon-dos.c


Recommendations:
- ----------------
Upgrade to NtRegmon version 6.12.

- --
More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
PGP Key: http://www.ngsec.com/pgp/labs.asc

Copyright(c) 2002-2004 NGSEC. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBLFeCKrwoKcQl8Y4RAjxYAKCYw9QhDRCxnJSXd2HFt9Zp/pRgYwCfQynV
/bdl2s6PNLcuP6kXn5pRSlg=
=P5Yq
-----END PGP SIGNATURE-----



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ