lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <44F7D5F8.9060706@matousec.com>
Date: Fri, 01 Sep 2006 08:40:56 +0200
From: David Matousek <david@...ousec.com>
To: bugtraq@...urityfocus.com
Subject: ISS BlackICE PC Protection Insufficient validation of arguments of
 NtOpenSection Vulnerability

Hello,

I would like to inform you about a vulnerability in BlackICE PC Protection
driver found by Matousec - Transparent security.


Description:

Hooking SSDT functions requires extra caution. SSDT function handlers are executed in the kernel mode but their callers 
are executed in the user mode. Hence all function arguments come from the user mode. This is why it is necessary to 
validate these arguments properly. Otherwise a simple user call can easily crash the whole system. This bug usually 
results in a system crash. However, it may happen that this bug is even more dangerous and can lead to the execution of 
an arbitrary code in the privileged kernel mode.

BlackICE fails to validate the third argument of NtOpenSection. A call with invalid values in this argument can cause a 
system crash because of an error in RapDrv.sys.


Vulnerable software:

     * BlackICE PC Protection 3.6.cpn
     * BlackICE PC Protection 3.6.cpj
     * BlackICE PC Protection 3.6.cpiE
     * probably all versions of BlackICE PC Protection 3.6
     * possibly older versions


More details and a proof of concept including source code is available here: 
http://www.matousec.com/info/advisories/BlackICE-Insufficient-validation-of-arguments-of-NtOpenSection.php

Regards,

-- 
David Matousek

Founder and Chief Representative of Matousec - Transparent security
http://www.matousec.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ