
[Full-disclosure] [IVIZ-09-005] CA HIPS Remote Kernel Vulnerability



---------------------------------------------------------------------------------------------------

[ iViZ Security Advisory 09-005                            19/08/2009 ]
---------------------------------------------------------------------------------------------------

iViZ Techno Solutions Pvt. Ltd.
                                            http://www.ivizsecurity.com
------------------------------------------------------------------------------------------


   * Title:     CA HIPS kmxids.sys Remote Kernel Vulnerability
   * Software:  CA HIPS r8.1

--[ Synopsis:

   CA HIPS is a Host-Based Intrusion Prevention System in which managed agents
   are deployed on the individual hosts to be protected and are controlled by
   a centralized console.

   It is possible to trigger faults in the kernel driver (kmxids.sys) used by
   the protection agent by sending certain malformed IP packets.
 
--[ Affected Software:
 
   * CA HIPS r8.1 (possibly older versions too)
 
 Tested on:
    
   * Agent Product Version: 1.5.290
   * Agent Engine  Version: 1.5.286
 
--[ Technical description:

   When the CA HIPS agent processes certain malformed IP packets, it fails to
   handle a boundary condition during parsing and pattern matching of the
   packet. This makes it possible to force the kernel driver (kmxids.sys),
   which analyzes every inbound and outbound packet, to reference
   invalid/unmapped memory.
 
   The following information is obtained during crash analysis:
 
   ------
   CURRENT_IRQL:  2

   FAULTING_IP:
   kmxids+a2f4
   f6b8c2f4 8a26            mov     ah,byte ptr [esi]

   DEFAULT_BUCKET_ID:  DRIVER_FAULT

   BUGCHECK_STR:  0xD1

   TRAP_FRAME:  f88ca4f4 -- (.trap 0xfffffffff88ca4f4)
   ErrCode = 00000000
   eax=f88ca754 ebx=81f7415a ecx=00000003 edx=428c200c esi=6e96d603 edi=f6b83264
   eip=f6b8c2f4 esp=f88ca568 ebp=f88ca574 iopl=0         nv up ei pl nz na pe nc
   cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
   kmxids+0xa2f4:
   f6b8c2f4 8a26            mov     ah,byte ptr [esi]
   ds:0023:6e96d603=??
   Resetting default scope

   LAST_CONTROL_TRANSFER:  from 804f7b9d to 80527bdc

   STACK_TEXT:
   f88ca0a8 804f7b9d 00000003 f88ca404 00000000 nt!RtlpBreakWithStatusInstruction
   f88ca0f4 804f878a 00000003 6e96d603 f6b8c2f4 nt!KiBugCheckDebugBreak+0x19
   f88ca4d4 80540683 0000000a 6e96d603 00000002 nt!KeBugCheck2+0x574
   f88ca4d4 f6b8c2f4 0000000a 6e96d603 00000002 nt!KiTrap0E+0x233
   WARNING: Stack unwind information not available. Following frames may be wrong.
   f88ca574 f6b832e1 6e96d603 f6b83264 00000003 kmxids+0xa2f4
   00000000 00000000 00000000 00000000 00000000 kmxids+0x12e1
   ------
 
   The issue can be used to create a Denial of Service condition on each of the
   hosts protected by affected versions of the CA HIPS agent; however, given the
   nature of the vulnerability (the faulting instruction above is a read from an
   unmapped address), remote code execution is unlikely.
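   As an added illustration of the defect class described above (this is not
   CA HIPS code, and the structure and function names ipv4_view, parse_ipv4,
   find_pattern_unchecked, find_pattern and inspect_packet are hypothetical),
   the following C program parses an IPv4 header out of a captured buffer and
   scans the payload for a signature. The unchecked matcher shows the shape of
   the bug: a scan loop driven by a packet-declared length reads past the end
   of the bytes actually present, and in a kernel driver running at IRQL 2
   (DISPATCH_LEVEL) a read of an unmapped address is exactly the 0xD1 bugcheck
   seen in the dump. The hardened parser rejects any packet whose declared
   lengths exceed the captured size, and the hardened matcher bounds its loop
   by the pattern length so every comparison stays inside the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not CA HIPS code. All names below are hypothetical. */

#define IPV4_MIN_HDR 20

struct ipv4_view {
    const uint8_t *payload;      /* first byte after the IPv4 header */
    size_t         payload_len;  /* bytes of payload actually present */
};

/* Parse the IPv4 header a filtering driver sees and derive the payload span.
 * Every length the packet declares (IHL, Total Length) is checked against the
 * number of bytes really in the buffer (buf_len) before it is used.
 * Returns 0 on success, -1 if the packet is truncated or inconsistent. */
int parse_ipv4(const uint8_t *buf, size_t buf_len, struct ipv4_view *out)
{
    if (buf == NULL || out == NULL || buf_len < IPV4_MIN_HDR)
        return -1;
    if ((buf[0] >> 4) != 4)                       /* version nibble */
        return -1;
    size_t ihl   = (size_t)(buf[0] & 0x0f) * 4;   /* header length in bytes */
    size_t total = ((size_t)buf[2] << 8) | buf[3]; /* declared total length */
    if (ihl < IPV4_MIN_HDR || ihl > buf_len)
        return -1;
    if (total < ihl || total > buf_len)           /* declared vs. real size */
        return -1;
    out->payload     = buf + ihl;
    out->payload_len = total - ihl;
    return 0;
}

/* The defect class: the loop bound comes from a length the packet declared
 * and does not account for pat_len, so the final offsets compare bytes past
 * the end of the buffer. In a kernel driver at DISPATCH_LEVEL that stray read
 * of unmapped memory bugchecks the machine. Shown only for contrast; never
 * call it on untrusted input. */
long find_pattern_unchecked(const uint8_t *p, size_t declared_len,
                            const uint8_t *pat, size_t pat_len)
{
    for (size_t i = 0; i < declared_len; i++)
        if (memcmp(p + i, pat, pat_len) == 0)     /* reads beyond p+declared_len */
            return (long)i;
    return -1;
}

/* Hardened form: len is the number of bytes actually present, and the loop
 * bound includes the pattern length, so every memcmp stays within [p, p+len). */
long find_pattern(const uint8_t *p, size_t len,
                  const uint8_t *pat, size_t pat_len)
{
    if (pat_len == 0 || len < pat_len)
        return -1;
    for (size_t i = 0; i + pat_len <= len; i++)
        if (memcmp(p + i, pat, pat_len) == 0)
            return (long)i;
    return -1;
}

/* Inspect one captured packet: parse, then scan the payload for a signature.
 * Returns the match offset, -1 if no match, -2 if the packet was rejected. */
long inspect_packet(const uint8_t *buf, size_t buf_len,
                    const uint8_t *pat, size_t pat_len)
{
    struct ipv4_view v;
    if (parse_ipv4(buf, buf_len, &v) != 0)
        return -2;
    return find_pattern(v.payload, v.payload_len, pat, pat_len);
}

/* Constructed sample packets (not captured traffic). 20-byte header followed
 * by the 8-byte payload "ABCDEFGH"; Total Length = 0x001c = 28. */
static const uint8_t good_pkt[] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, 0x01, 0x02,
    0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48
};
/* Same bytes, but Total Length claims 0x0100 = 256 while only 28 are present. */
static const uint8_t short_pkt[] = {
    0x45, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, 0x01, 0x02,
    0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48
};

int main(void)
{
    const uint8_t sig[] = { 'E', 'F', 'G' };
    printf("good_pkt:  %ld\n", inspect_packet(good_pkt, sizeof good_pkt, sig, sizeof sig));
    printf("short_pkt: %ld\n", inspect_packet(short_pkt, sizeof short_pkt, sig, sizeof sig));
    return 0;
}
```

   The well-formed packet yields a match at payload offset 4; the packet whose
   Total Length overstates the captured size is rejected before any scan runs,
   which is the boundary condition a filtering driver has to enforce on every
   length field it reads from the wire.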
 
--[ Impact:

   * Denial of Service
   * Remote Code Execution is unlikely

--[ Vendor response:

   * Fixed in CA Host-Based Intrusion Prevention System 8.1 CF 1
     https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=214665
 
--[ CVE ID:
 
   CVE-2009-2740
 
--[ Credits:

   This vulnerability was discovered by the iViZ Security Research Team
   http://www.ivizsecurity.com

   http://www.ivizsecurity.com/security-advisory-iviz-sr-09005.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/