BlackICE Insufficient validation of arguments of NtOpenSection Vulnerability
Written by Marcelo Almeida (Vympel)   
Friday, 01 September 2006

Release date: September 01, 2006
Last update: September 01, 2006
Type: Implementation bugs
Character: System crash
Status: Unpatched bugs
Risk: Serious bugs
Exploitability: Locally exploitable bugs
Discoverability: Medium discoverable bugs
Testing program: BTP00000P003BI.zip
Description:
Hooking SSDT functions requires extra caution...

SSDT function handlers execute in kernel mode, but their callers execute in user mode, so every function argument comes from user mode and must be validated properly. Otherwise a simple user call can easily crash the whole system. This bug usually results in a system crash. However, it may happen that this bug is even more dangerous and can lead to the execution of arbitrary code in privileged kernel mode.

BlackICE fails to validate the third argument of NtOpenSection. A call with invalid values in this argument can cause a system crash because of an error in RapDrv.sys.
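
The validation described above, as an added example that is not part of the original advisory and is not BlackICE code: a portable user-mode C model of what a hook has to do with NtOpenSection's third argument (the OBJECT_ATTRIBUTES pointer in the documented prototype) before using it. The 32-bit structure layout, the 0x7FFF0000 user-space limit, the user_map stand-in for mapped memory and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USER_PROBE_LIMIT 0x7FFF0000u  /* assumed: default 32-bit user/kernel split */
enum { ST_OK = 0, ST_MISALIGNED, ST_ACCESS_VIOLATION, ST_INVALID_PARAMETER };

/* Constructed stand-in for the 32-bit OBJECT_ATTRIBUTES layout (24 bytes). */
typedef struct { uint32_t Length, RootDirectory, ObjectName, Attributes,
                 SecurityDescriptor, SecurityQoS; } OBJ_ATTR32;
/* Constructed stand-in for one mapped user region; any other address "faults". */
typedef struct { uint32_t base, size; const uint8_t *bytes; } user_map;

/* Range check in the style of ProbeForRead: alignment, wraparound, upper bound. */
int probe_for_read(uint32_t addr, uint32_t len, uint32_t align)
{
    if (len == 0) return ST_OK;                   /* nothing will be read */
    if (addr & (align - 1)) return ST_MISALIGNED;
    uint32_t end = addr + len;                    /* may wrap around */
    if (end < addr || end > USER_PROBE_LIMIT) return ST_ACCESS_VIOLATION;
    return ST_OK;
}

/* Guarded copy: returns a status where a driver's __except block would run. */
int guarded_copy(void *dst, uint32_t addr, uint32_t len, const user_map *m)
{
    if (addr < m->base || len > m->size || addr - m->base > m->size - len)
        return ST_ACCESS_VIOLATION;               /* unmapped: fault is caught */
    memcpy(dst, m->bytes + (addr - m->base), len);
    return ST_OK;
}

/* What a hook should do with the third argument before using it. */
int capture_object_attributes(uint32_t user_ptr, const user_map *m, OBJ_ATTR32 *out)
{
    int st = probe_for_read(user_ptr, sizeof *out, 4);
    if (st != ST_OK) return st;
    st = guarded_copy(out, user_ptr, sizeof *out, m);  /* copy once, use the copy */
    if (st != ST_OK) return st;
    if (out->Length != sizeof *out) return ST_INVALID_PARAMETER;
    /* Nested pointer: the 8-byte UNICODE_STRING header needs the same probe. */
    return out->ObjectName ? probe_for_read(out->ObjectName, 8, 4) : ST_OK;
}

int main(void) {
    OBJ_ATTR32 a = {24, 0, 0, 0x40, 0, 0}, out;   /* constructed sample input */
    user_map m = {0x00400000u, sizeof a, (const uint8_t *)&a};
    printf("valid=%d kernel_ptr=%d\n", capture_object_attributes(0x00400000u, &m, &out),
           capture_object_attributes(0x80000000u, &m, &out));
    return 0;
}
```

A NULL pointer passes the range probe and is rejected only by the guarded copy, which is why a real hook needs both the probe and an exception handler around the read.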

Vulnerable software:

  • BlackICE PC Protection 3.6.cpn
  • BlackICE PC Protection 3.6.cpj
  • BlackICE PC Protection 3.6.cpiE
  • probably all versions of BlackICE PC Protection 3.6
  • possibly older versions

Events:

  • 2006-09-01: Advisory released
  • 2006-09-01: Vendor notification



