ISS BlackICE PC Protection Insufficient validation of arguments of NtOpenSection Vulnerability

Published: 2006.09.08
Credit: David Matousek (david matousec com)
Risk: Medium
CWE: CWE-20
CVE: CVE-2006-4541
Local: No
Remote: Yes

CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Hello,

I would like to inform you about a vulnerability in BlackICE PC Protection
driver found by Matousec - Transparent security.

Description:

Hooking SSDT functions requires extra caution. SSDT function handlers are
executed in the kernel mode but their callers are executed in the user mode.
Hence all function arguments come from the user mode. This is why it is
necessary to validate these arguments properly. Otherwise a simple user call
can easily crash the whole system. This bug usually results in a system crash.
However, it may happen that this bug is even more dangerous and can lead to
the execution of arbitrary code in the privileged kernel mode.

BlackICE fails to validate the third argument of NtOpenSection. A call with
invalid values in this argument can cause a system crash because of an error
in RapDrv.sys.

Vulnerable software:

* BlackICE PC Protection 3.6.cpn
* BlackICE PC Protection 3.6.cpj
* BlackICE PC Protection 3.6.cpiE
* probably all versions of BlackICE PC Protection 3.6
* possibly older versions

More details and a proof of concept including source code are available here:
http://www.matousec.com/info/advisories/BlackICE-Insufficient-validation-of-arguments-of-NtOpenSection.php

Regards,

--
David Matousek

Founder and Chief Representative of Matousec - Transparent security
http://www.matousec.com/
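
The argument validation the advisory calls for, shown as an added example that is not code from the advisory, from Matousec or from RapDrv.sys: a hook handler probes and captures the third argument (object attributes, then the name string, then its buffer) before using any of it. It is a user-space model with assumed, simplified layouts: "user memory" is a byte array, user pointers are offsets into it, and all names (`hook_validate_objattr`, `probe_read`, `build_request`, the `ST_*` codes) are hypothetical. In a real driver the probing role is played by `ProbeForRead` inside a `__try`/`__except` block.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model: user memory is an array, user pointers are offsets into
   it. Structure layouts are simplified, not the real Windows definitions. */
#define USER_SIZE 4096u
static uint8_t user_mem[USER_SIZE];
typedef struct { uint16_t Length, MaximumLength; uint32_t Buffer; } U_STRING;
typedef struct { uint32_t Length, RootDirectory, ObjectName, Attributes; } U_OBJATTR;
enum { ST_OK, ST_ACCESS_VIOLATION, ST_INVALID_PARAMETER };

/* Stand-in for a probe: non-null, aligned, whole range inside user space. */
static int probe_read(uint32_t addr, uint32_t len, uint32_t align) {
    if (len == 0) return 1;                      /* nothing will be read */
    if (addr == 0 || addr % align != 0) return 0;
    return len <= USER_SIZE && addr <= USER_SIZE - len;  /* no wraparound */
}

/* Hook-side check of the third argument: probe each level, copy it out, and
   validate only the captured copy so a later user write cannot change it. */
int hook_validate_objattr(uint32_t oa_ptr, uint16_t *name, uint32_t max_chars, uint32_t *nchars) {
    U_OBJATTR oa; U_STRING us;
    if (!probe_read(oa_ptr, sizeof oa, 4)) return ST_ACCESS_VIOLATION;
    memcpy(&oa, user_mem + oa_ptr, sizeof oa);
    if (oa.Length != sizeof oa) return ST_INVALID_PARAMETER;
    if (!probe_read(oa.ObjectName, sizeof us, 4)) return ST_ACCESS_VIOLATION;
    memcpy(&us, user_mem + oa.ObjectName, sizeof us);
    if (us.Length % 2 || us.Length > us.MaximumLength || us.Length / 2u > max_chars)
        return ST_INVALID_PARAMETER;
    if (!probe_read(us.Buffer, us.Length, 2)) return ST_ACCESS_VIOLATION;
    memcpy(name, user_mem + us.Buffer, us.Length);
    *nchars = us.Length / 2u;
    return ST_OK;
}

/* Constructed caller: writes object attributes -> string -> buffer pointer. */
void build_request(uint32_t oa_at, uint32_t us_at, uint32_t buf_at, uint16_t len_bytes) {
    U_OBJATTR oa = { sizeof oa, 0, us_at, 0 };
    U_STRING us = { len_bytes, len_bytes, buf_at };
    memcpy(user_mem + oa_at, &oa, sizeof oa);
    memcpy(user_mem + us_at, &us, sizeof us);
}

int main(void) {
    uint16_t name[64]; uint32_t n = 0;
    build_request(0x100, 0x200, 0x300, 8);            /* well-formed request */
    printf("valid: %d\n", hook_validate_objattr(0x100, name, 64, &n));
    build_request(0x100, 0x200, 0xFFFFFFF0u, 8);      /* wild Buffer pointer */
    printf("bad Buffer: %d\n", hook_validate_objattr(0x100, name, 64, &n));
    return 0;
}
```

Every rejected case returns an error status to the caller instead of dereferencing the bad pointer, which is the difference between a failed call and a system crash.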
