[NT] Compuware SoftICE Local DoS (DbgMsg Driver)
From: SecuriTeam (support_at_securiteam.com)
Date: 05/31/05
- Previous message: SecuriTeam: "[NT] Stronghold DoS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 31 May 2005 18:20:33 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Compuware SoftICE Local DoS (DbgMsg Driver)
------------------------------------------------------------------------
SUMMARY
Compuware's SoftICE is "a powerful system-wide debugger that supports
source level debugging of any software, driver, service, and most BIOS
code on either a single or dual machine configuration".
By crafting a special interrupt request for interrupt 2d, an attacker can
cause a denial of service to SoftICE which in turn will cause the entire
operating system to crash.
DETAILS
Vulnerable Systems:
* DriverStudio version 3.2
* DriverStudio version 3.1
On Windows NT based operating systems Debug Messages are being sent by
executing the OutputDebugString API (ring3 applications) or by executing
DbgPrint() function (also known as KdPrint(), mostly used by ring0
"applications").
However only kernel mode functions can execute the DbgPrint() function,
due to the fact that it is a function exported by NTDLL.DLL. By
disassembling the calls of the function, the out put will show that it
uses INT 2Dh.
Code Snips:
mov ecx,offset some_string ; Debug Message offset
xor edx,edx ; second Param (NULL in this case)
mov eax,1 ; Service Type here defined as
; BREAKPOINT_PRINT (=1)
int 2dh
int 3
nop <--- int 2dh returns here not to int 3
Therefore when SoftICE is installed, the driver DbgMsg.sys is loaded (user
should also notice that even when SoftICE is not active, the system is
still vulnerable because of the driver), executed 2d interrupt will be
firstly filtered by DbgMsg.sys routine (This is probably provided to give
the ability to capture Debug Messages and display them into the debugger
window).
However the driver doesn't validate the Debug Message pointer properly,
this can cause an machine to crash when the pointer is invalid.
Executing a specially crafted "int 2dh" request will cause local machine
to crash on system with DbgMsg.sys driver installed, *even* when SoftICE
is not active. This attack can be also used as a very nasty anti-debugging
trick against SoftICE users.
ADDITIONAL INFORMATION
The information has been provided by <mailto:bania.piotr@gmail.com> Piotr
Bania .
The original article can be found at:
<http://pb.specialised.info/all/adv/sice-adv.txt>
http://pb.specialised.info/all/adv/sice-adv.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] Stronghold DoS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
