[NT] NGSEC StackDefender 2.0 Invalid Pointer Dereference Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 08/10/04

  • Next message: SecuriTeam: "[UNIX] Linux Kernel File Offset Pointer Handling"
    To: list@securiteam.com
    Date: 10 Aug 2004 19:14:46 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      NGSEC StackDefender 2.0 Invalid Pointer Dereference Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    StackDefender is "an IPS (Intrusion Prevention System), for Win32
    platforms, that will deny shellcode from executing in User Stack and
    Writeable memory regions. StackDefender uses PAX technology for this
    purpose". A vulnerability exists because StackDefender fails to verify
    'BaseAddress' as a valid address prior dereferencing it as a pointer.

    DETAILS

    Vulnerable Systems:
     * StackDefender version 2.0

    Immune Systems:
     * StackDefender version 2.10

    StackDefender offers protection by hooking ZwAllocateVirtualMemory and
    ZwProtectVirtualMemory functions. These two kernel API's are responsible
    for allocating and protecting memory. The ZwProtectVirtualMemory function
    declaration is as follows:
       ZwProtectVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddress,
          PULONG ProtectSize, ULONG NewProtect, PULONG OldProtect);

    The problem specifically exists because StackDefender fails to verify
    'BaseAddress' as a valid address prior dereferencing it as a pointer.

    Analysis:
    Successful exploitation allows remote attackers to cause the underlying
    system to crash. This is possible by specifying an invalid address for
    'BaseAddress'. Exploitation requires that an attacker has an exploitation
    vector to the system that StackDefender attempts to block.

    Vendor Fix:
    The vendor has released the following patch fixing this issue:
    <http://www.ngsec.com/downloads/stackdefender/StackDefender-2.10.exe>
    http://www.ngsec.com/downloads/stackdefender/StackDefender-2.10.exe

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0766>
    CAN-2004-0766

    Disclosure Timeline:
    07/10/2004 Vulnerability discovered by iDEFENSE
    07/12/2004 Initial vendor notification
    07/22/2004 Initial vendor response
    08/03/2004 Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:idlabs-advisories@idefense.com> iDEFENSE.
    The original article can be found at:
    <http://www.idefense.com/application/poi/display?id=119&type=vulnerabilities&flashstatus=true> http://www.idefense.com/application/poi/display?id=119&type=vulnerabilities&flashstatus=true

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[UNIX] Linux Kernel File Offset Pointer Handling"

    Relevant Pages

    • [NT] w3wp DoS
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... 1/12/2006 - Vendor requested for additional info ... recv(conn_socket, szBuffer, 256, 0); ...
      (Securiteam)
    • [NT] Trend Micro HouseCall ActiveX Control Arbitrary Code Execution
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Trend Micro HouseCall ActiveX Control Arbitrary Code Execution ... The vulnerability is caused due to an implementation error within the ... 18/08/2008 - Vendor notified. ...
      (Securiteam)
    • [NT] Microsoft Hierarchical FlexGrid Control Integer Overflows (MS08-070)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Hierarchical FlexGrid Control Integer Overflows ... 28/08/2007 - Vendor notified. ...
      (Securiteam)
    • [NT] Adobe PageMaker PMD File Processing Buffer Overflows
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The vulnerabilities are caused due to boundary errors when processing ... The vendor will be releasing a fix for the stack-based buffer overflow ... 02/06/2008 - Vendor asks for CVE identifier. ...
      (Securiteam)
    • [NT] CA ARCserve Backup RPC "handle_t" Argument Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... CA ARCserve Backup RPC "handle_t" Argument Vulnerability ... 24/10/2007 - Vendor notified. ... 21/05/2008 - Vendor notifies expected release in October 2008. ...
      (Securiteam)