[NGSEC-2004-6] IPD, local system denial of service.

From: NGSEC (labs_at_NGSEC.COM)
Date: 08/17/04

  • Next message: Russ: "Re: Windows XP SP2 - Incompatible with NetScreen SSL-VPN"
    Date:         Tue, 17 Aug 2004 13:01:18 +0200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                       Next Generation Security Technologies
                              http://www.ngsec.com
                                Security Advisory

           Title: IPD, local system denial of service.
              ID: NGSEC-2004-6
     Application: IPD up to 1.4 (http://www.pedestalsoftware.com/)
            Date: 14/Aug/2004
          Status: Vendor contacted on 14/Aug/2004.
     Platform(s): Windows OSs.
          Author: Fermín J. Serna <fjserna@ngsec.com>
        Location: http://www.ngsec.com/docs/advisories/NGSEC-2004-6.txt

    Overview:
    - ---------

    The IPD (Integrity protection driver) is an Open Source device driver
    designed to prohibit the installation of new services and drivers and
    to protect existing driver from tampering. It installs on Windows NT
    and Windows 2000 computers.

    In its security approach IPD hooks some kernel mode funtions and filters
    them allowing or not their original purposes based on IPD's security
    policy.

    IPD suffers from an unvalidated pointer referencing in some of this kernel
    hooks.

    Technical description:
    - ----------------------

    The IPD (Integrity protection driver) is an Open Source device driver
    designed to prohibit the installation of new services and drivers and
    to protect existing driver from tampering. It installs on Windows NT
    and Windows 2000 computers.

    IPD is available for download at:

             http://www.pedestalsoftware.com/download/ipd.zip

    In its security approach IPD hooks some kernel mode funtions and filters
    them allowing or not their original purposes based on IPD's securit
    policy.

    IPD suffers from some unvalidated pointer referencing in some of this kernel
    hooks. In example IPD hooks ZwOpenSection declared as follows:

            NTSTATUS ZwOpenSection(HANDLE Handle, DWORD mask, DWORD oa);

    The problem exists because IPD does not properly check wether "oa" pointer
    is valid or not. Any local and unauthorized user can crash the system with
    some simple coding skills.

    Sample exploitation cand be found:

             http://www.ngsec.com/downloads/exploits/ipd-dos.c

    Recommendations:
    - ----------------
    Since the vendor has discontinued the development and support of IPD,
    NGSEC recomends to uninstall IPD or perform a deep source security audit
    before re-enabling it.

    - --
    More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
    PGP Key: http://www.ngsec.com/pgp/labs.asc

    Copyright(c) 2002-2004 NGSEC. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (GNU/Linux)

    iD8DBQFBIeBaKrwoKcQl8Y4RAja+AJ9AAcQ+kbSlzihym+HNYA3Eje0oigCfSuKH
    8Y5J6HnjXR1bYOBbCL1Jn9A=
    =+YTS
    -----END PGP SIGNATURE-----

    -----
    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    -----


  • Next message: Russ: "Re: Windows XP SP2 - Incompatible with NetScreen SSL-VPN"