Full Disclosure mailing list archives
[CORELAN-10-30] - CommView Network Monitor And Analyzer v6.1 b644 - cv2k1.sys DoS (BSOD)
From: Security <security () corelan be>
Date: Fri, 23 Apr 2010 20:53:13 +0200
|------------------------------------------------------------------| | __ __ | | _________ ________ / /___ _____ / /____ ____ _____ ___ | | / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | | / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | | \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | | | | http://www.corelan.be:8800 | | security () corelan be | | | |-------------------------------------------------[ EIP Hunters ]--| | | | Vulnerability Disclosure Report | | | |------------------------------------------------------------------| Advisory : CORELAN-10-030 Disclosure date : April 23rd, 2010 http://www.corelan.be:8800/advisories.php?id=CORELAN-10-030 0x00 : Vulnerability information Product : CommView Network Monitor And Analyzer Version : CommView 6.1 before Build 644 Vendor : http://www.tamos.com/ URL : http://www.tamos.com/download/main/ Type of vulnerability : Local Denial Of Service - BSOD Risk rating : Low Issue fixed in version : CommView 6.1 Build 644 Vulnerability discovered by : p4r4noid (T.B) Greetings to : Corelan Security Team (http://www.corelan.be:8800/index.php/security/corelan-team-members/) 0x01 : Vendor description of software
From the vendor website:
CommView is a powerful network monitor and analyzer designed for LAN administrators, security professionals, network
programmers, home users...virtually anyone who wants a full picture of the traffic flowing through a PC or LAN segment.
Loaded with many user-friendly features, CommView combines performance and flexibility with an ease of use unmatched in
the industry.
Price information
Home: $149.00
0x02 : Vulnerability details
Local Denial Of Service:
When the CommView application is installed on a host cv2k1.sys driver is loaded on the machine.
This driver allows any unprivileged user to open the device .CV2K_{GUID} and issue IOCTLs (0x00002578) with a buffering
mode of METHOD_BUFFERED without any kind of validation.
The cv2k1.sys driver uses the METHOD_BUFFERED communication method when handling IOCTLs request and does not validate
properly the buffer sent in the Irp object allowing local unprivileged attackers to crash an affected system, creating
a denial of service condition.
Affected Device: cv2k1.sys ("DeviceCV2K_{GUID}")
Affected IOCTL: 0x00002578
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e).
Method: METHOD_BUFFERED
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f58e5c18 84b05e30 84aeeca8 8605e690 84b05ea0 cv2k1+0x1faa
f58e5c34 804e3d77 84ba5038 00002578 806ee2d0 0x84b05e30
f58e5c44 8056a9ab 84b05ea0 860cbb08 84b05e30 nt!IopfCallDriver+0x31
f58e5c58 8057d9f7 84ba5038 84b05e30 860cbb08 nt!IopSynchronousServiceTail+0x60
f58e5d00 8057fbfa 000007b8 00000000 00000000 nt!IopXxxControlFile+0x611
f58e5d34 804df06b 000007b8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
f58e5d34 7c90eb94 000007b8 00000000 00000000 nt!KiFastCallEntry+0xf8
0012ff00 00000000 00000000 00000000 00000000 0x7c90eb94
IOCTL example:
InBuff: 0x80000001, InSize: 0x00000000
OutBuff: 0x80000002, OutSize: 0x00000000
0x03 : Vendor communication
18th Nov, 2009 : Vendor contacted
11th Apr, 2010 : Fixed Build Published
23rd Apr, 2010 : Public Disclosure
0x04 : Exploit/PoC
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-030
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [CORELAN-10-30] - CommView Network Monitor And Analyzer v6.1 b644 - cv2k1.sys DoS (BSOD) Security (Apr 23)