ISS BlackICE PC Protection Insufficient validation of arguments of NtOpenSection Vulnerability

2006.09.08
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-20


Overall CVSS score: 4.6/10
Impact: 6.4/10
Exploitability: 3.9/10
Access required: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Hello,

I would like to inform you about a vulnerability in the BlackICE PC Protection driver found by Matousec - Transparent security.

Description:

Hooking SSDT functions requires extra caution. SSDT function handlers are executed in kernel mode, but their callers are executed in user mode. Hence all function arguments come from user mode. This is why it is necessary to validate these arguments properly. Otherwise a simple user call can easily crash the whole system. This bug usually results in a system crash. However, it may happen that this bug is even more dangerous and can lead to the execution of arbitrary code in privileged kernel mode.

BlackICE fails to validate the third argument of NtOpenSection. A call with invalid values in this argument can cause a system crash because of an error in RapDrv.sys.

Vulnerable software:

* BlackICE PC Protection 3.6.cpn
* BlackICE PC Protection 3.6.cpj
* BlackICE PC Protection 3.6.cpiE
* probably all versions of BlackICE PC Protection 3.6
* possibly older versions

More details and a proof of concept including source code are available here:
http://www.matousec.com/info/advisories/BlackICE-Insufficient-validation-of-arguments-of-NtOpenSection.php

Regards,

--
David Matousek
Founder and Chief Representative of Matousec - Transparent security
http://www.matousec.com/
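The following is an added example, not code from the advisory, from Matousec, or from the BlackICE driver. It shows the check an SSDT hook on NtOpenSection must perform on its third argument (POBJECT_ATTRIBUTES) before dereferencing it: probe the outer structure, check its Length field, then probe the nested UNICODE_STRING and its buffer, capturing each into kernel memory before use. The kernel primitives are replaced by stand-ins so the file builds with a plain C compiler: a simulated 32-bit user address space (USER_BASE, USER_SIZE, MM_USER_PROBE_ADDRESS), a local probe_for_read() that mirrors what ProbeForRead rejects, and simplified 32-bit OBJECT_ATTRIBUTES / UNICODE_STRING layouts. The function and constant names, the sample object name and the memory layout are all assumptions made for this illustration. In a real driver the same logic runs with ProbeForRead inside __try/__except, since a failed probe raises rather than returns.

```c
/* Added example: validating a user-supplied POBJECT_ATTRIBUTES in an SSDT hook.
 * Kernel APIs are replaced by stand-ins over a simulated user address space. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000)
#define STATUS_DATATYPE_MISALIGNMENT ((NTSTATUS)0x80000002)
#define STATUS_ACCESS_VIOLATION      ((NTSTATUS)0xC0000005)
#define STATUS_INVALID_PARAMETER     ((NTSTATUS)0xC000000D)

/* Simplified 32-bit layouts (assumption: just the fields the probes need). */
typedef struct {
    uint16_t Length;          /* bytes, must be even (UTF-16 units) */
    uint16_t MaximumLength;
    uint32_t Buffer;          /* user-mode address of the WCHAR buffer */
} UNICODE_STRING32;

typedef struct {
    uint32_t Length;          /* must equal sizeof(OBJECT_ATTRIBUTES32) */
    uint32_t RootDirectory;
    uint32_t ObjectName;      /* user-mode address of a UNICODE_STRING32 */
    uint32_t Attributes;
    uint32_t SecurityDescriptor;
    uint32_t SecurityQualityOfService;
} OBJECT_ATTRIBUTES32;

/* Simulated user address space: one mapped page at USER_BASE. Anything at or
 * above MM_USER_PROBE_ADDRESS is kernel space and must never be dereferenced
 * on behalf of a user-mode caller. (Constructed for this example.) */
#define USER_BASE              0x00400000u
#define USER_SIZE              0x1000u
#define MM_USER_PROBE_ADDRESS  0x7FFF0000u
static uint8_t g_user_mem[USER_SIZE];

/* Stand-in for ProbeForRead: alignment, no wrap, below the user limit, and
 * (here) backed by the single mapped page. The real one raises on failure. */
static NTSTATUS probe_for_read(uint32_t addr, uint32_t len, uint32_t align)
{
    if (len == 0) return STATUS_SUCCESS;
    if (addr % align != 0) return STATUS_DATATYPE_MISALIGNMENT;
    if (addr + len < addr) return STATUS_ACCESS_VIOLATION;           /* wraps */
    if (addr + len > MM_USER_PROBE_ADDRESS) return STATUS_ACCESS_VIOLATION;
    if (addr < USER_BASE || addr + len > USER_BASE + USER_SIZE)
        return STATUS_ACCESS_VIOLATION;                               /* unmapped */
    return STATUS_SUCCESS;
}

/* Capture into a kernel-side copy after a successful probe: the user thread
 * could rewrite the structure between the check and the use otherwise. */
static void capture(void *dst, uint32_t addr, uint32_t len)
{
    memcpy(dst, g_user_mem + (addr - USER_BASE), len);
}

/* Test helper: overwrite a 32-bit value in simulated user memory. */
void poke_user32(uint32_t addr, uint32_t value)
{
    memcpy(g_user_mem + (addr - USER_BASE), &value, sizeof(value));
}

/* The check a hook must run on NtOpenSection's third argument before use.
 * On success *out holds a captured copy that is safe to inspect. */
NTSTATUS validate_object_attributes(uint32_t oa_addr, OBJECT_ATTRIBUTES32 *out)
{
    NTSTATUS st;
    UNICODE_STRING32 name;

    if (oa_addr == 0) return STATUS_INVALID_PARAMETER;  /* a name is required */

    st = probe_for_read(oa_addr, sizeof(OBJECT_ATTRIBUTES32), 4);
    if (st != STATUS_SUCCESS) return st;
    capture(out, oa_addr, sizeof(*out));

    if (out->Length != sizeof(OBJECT_ATTRIBUTES32)) return STATUS_INVALID_PARAMETER;
    if (out->ObjectName == 0) return STATUS_INVALID_PARAMETER;

    st = probe_for_read(out->ObjectName, sizeof(UNICODE_STRING32), 4);
    if (st != STATUS_SUCCESS) return st;
    capture(&name, out->ObjectName, sizeof(name));

    if (name.Length % 2 != 0) return STATUS_INVALID_PARAMETER;
    return probe_for_read(name.Buffer, name.Length, 2);
}

/* Lay out a well-formed OBJECT_ATTRIBUTES in simulated user memory and return
 * its address. The object name is constructed sample data. */
uint32_t build_valid_attributes(void)
{
    static const uint16_t name[] = { 'T', 'e', 's', 't', 'S', 'e', 'c' };
    const uint32_t oa = USER_BASE + 0x100, us = USER_BASE + 0x200, buf = USER_BASE + 0x300;
    OBJECT_ATTRIBUTES32 a = { sizeof(OBJECT_ATTRIBUTES32), 0, us, 0x40, 0, 0 };
    UNICODE_STRING32 s = { sizeof(name), sizeof(name), buf };
    memcpy(g_user_mem + (oa - USER_BASE), &a, sizeof(a));
    memcpy(g_user_mem + (us - USER_BASE), &s, sizeof(s));
    memcpy(g_user_mem + (buf - USER_BASE), name, sizeof(name));
    return oa;
}

int main(void)
{
    OBJECT_ATTRIBUTES32 out;
    uint32_t oa = build_valid_attributes();
    printf("valid:   0x%08x\n", (unsigned)validate_object_attributes(oa, &out));
    printf("kernel:  0x%08x\n", (unsigned)validate_object_attributes(0x80000000u, &out));
    printf("unalign: 0x%08x\n", (unsigned)validate_object_attributes(oa + 1, &out));
    return 0;
}
```

The hook that BlackICE installed apparently dereferenced the argument without any of these steps, so an unmapped, misaligned or kernel-space pointer passed by an unprivileged process turned into a fault inside RapDrv.sys. Note that a filter which only needs to observe the call can avoid the problem entirely by forwarding the untouched arguments to the original NtOpenSection, which performs its own probing.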


Copyright 2024, cxsecurity.com