lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <C0641B79F7D6A44791BA8FA35BC143F901F9277ACD38@apollo.corelan.be>
Date: Fri, 23 Apr 2010 20:53:13 +0200
From: Security <security@...elan.be>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: [CORELAN-10-30] - CommView Network Monitor And
 Analyzer v6.1 b644 - cv2k1.sys DoS (BSOD)


|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security@...elan.be |
|                                                                  | 
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|



Advisory : CORELAN-10-030
Disclosure date : April 23rd, 2010
 
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-030

 
0x00 : Vulnerability information
 
 Product : CommView Network Monitor And Analyzer
 Version : CommView 6.1 before Build 644
 Vendor : http://www.tamos.com/
 URL : http://www.tamos.com/download/main/ 
 Type of vulnerability : Local Denial Of Service - BSOD
 Risk rating : Low
 Issue fixed in version : CommView 6.1 Build 644
 Vulnerability discovered by : p4r4noid (T.B)
 Greetings to : Corelan Security Team (http://www.corelan.be:8800/index.php/security/corelan-team-members/)
 



0x01 : Vendor description of software

>>From the vendor website:

CommView is a powerful network monitor and analyzer designed for LAN administrators, security professionals, network programmers, home users...virtually anyone who wants a full picture of the traffic flowing through a PC or LAN segment. 
Loaded with many user-friendly features, CommView combines performance and flexibility with an ease of use unmatched in the industry.
Price information
Home: $149.00



0x02 : Vulnerability details

Local Denial Of Service:
 
When the CommView application is installed on a host cv2k1.sys driver is loaded on the machine.
This driver allows any unprivileged user to open the device .CV2K_{GUID} and issue IOCTLs (0x00002578) with a buffering mode of METHOD_BUFFERED without any kind of validation.
The cv2k1.sys driver uses the METHOD_BUFFERED communication method when handling IOCTLs request and does not validate properly the buffer sent in the Irp object allowing local unprivileged attackers to crash an affected system, creating a denial of service condition.
Affected Device: cv2k1.sys ("DeviceCV2K_{GUID}")
Affected IOCTL: 0x00002578
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e).
Method: METHOD_BUFFERED
STACK_TEXT:  
  
        WARNING: Stack unwind information not available. Following frames may be wrong.
        f58e5c18 84b05e30 84aeeca8 8605e690 84b05ea0 cv2k1+0x1faa
        f58e5c34 804e3d77 84ba5038 00002578 806ee2d0 0x84b05e30
        f58e5c44 8056a9ab 84b05ea0 860cbb08 84b05e30 nt!IopfCallDriver+0x31
        f58e5c58 8057d9f7 84ba5038 84b05e30 860cbb08 nt!IopSynchronousServiceTail+0x60
        f58e5d00 8057fbfa 000007b8 00000000 00000000 nt!IopXxxControlFile+0x611
        f58e5d34 804df06b 000007b8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
        f58e5d34 7c90eb94 000007b8 00000000 00000000 nt!KiFastCallEntry+0xf8
        0012ff00 00000000 00000000 00000000 00000000 0x7c90eb94
        
IOCTL example:
        
        InBuff: 0x80000001,  InSize: 0x00000000
        OutBuff: 0x80000002, OutSize: 0x00000000



0x03 : Vendor communication

18th Nov, 2009 : Vendor contacted
11th Apr, 2010 : Fixed Build Published
23rd Apr, 2010 : Public Disclosure
 

0x04 : Exploit/PoC
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-030

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ