[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] [CORELAN-10-30] - CommView Network Monitor And Analyzer v6.1 b644 - cv2k1.sys DoS (BSOD)
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] [CORELAN-10-30] - CommView Network Monitor And Analyzer v6.1 b644 - cv2k1.sys DoS (BSOD)
- From: Security <security@xxxxxxxxxx>
- Date: Fri, 23 Apr 2010 20:53:13 +0200
|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |
| |
| http://www.corelan.be:8800 |
| security@xxxxxxxxxx |
| |
|-------------------------------------------------[ EIP Hunters ]--|
| |
| Vulnerability Disclosure Report |
| |
|------------------------------------------------------------------|
Advisory : CORELAN-10-030
Disclosure date : April 23rd, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-030
0x00 : Vulnerability information
Product : CommView Network Monitor And Analyzer
Version : CommView 6.1 before Build 644
Vendor : http://www.tamos.com/
URL : http://www.tamos.com/download/main/
Type of vulnerability : Local Denial Of Service - BSOD
Risk rating : Low
Issue fixed in version : CommView 6.1 Build 644
Vulnerability discovered by : p4r4noid (T.B)
Greetings to : Corelan Security Team
(http://www.corelan.be:8800/index.php/security/corelan-team-members/)
0x01 : Vendor description of software
>From the vendor website:
CommView is a powerful network monitor and analyzer designed for LAN
administrators, security professionals, network programmers, home
users...virtually anyone who wants a full picture of the traffic flowing
through a PC or LAN segment.
Loaded with many user-friendly features, CommView combines performance and
flexibility with an ease of use unmatched in the industry.
Price information
Home: $149.00
0x02 : Vulnerability details
Local Denial Of Service:
When the CommView application is installed on a host cv2k1.sys driver is loaded
on the machine.
This driver allows any unprivileged user to open the device .CV2K_{GUID} and
issue IOCTLs (0x00002578) with a buffering mode of METHOD_BUFFERED without any
kind of validation.
The cv2k1.sys driver uses the METHOD_BUFFERED communication method when
handling IOCTLs request and does not validate properly the buffer sent in the
Irp object allowing local unprivileged attackers to crash an affected system,
creating a denial of service condition.
Affected Device: cv2k1.sys ("DeviceCV2K_{GUID}")
Affected IOCTL: 0x00002578
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e).
Method: METHOD_BUFFERED
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may
be wrong.
f58e5c18 84b05e30 84aeeca8 8605e690 84b05ea0 cv2k1+0x1faa
f58e5c34 804e3d77 84ba5038 00002578 806ee2d0 0x84b05e30
f58e5c44 8056a9ab 84b05ea0 860cbb08 84b05e30 nt!IopfCallDriver+0x31
f58e5c58 8057d9f7 84ba5038 84b05e30 860cbb08
nt!IopSynchronousServiceTail+0x60
f58e5d00 8057fbfa 000007b8 00000000 00000000 nt!IopXxxControlFile+0x611
f58e5d34 804df06b 000007b8 00000000 00000000
nt!NtDeviceIoControlFile+0x2a
f58e5d34 7c90eb94 000007b8 00000000 00000000 nt!KiFastCallEntry+0xf8
0012ff00 00000000 00000000 00000000 00000000 0x7c90eb94
IOCTL example:
InBuff: 0x80000001, InSize: 0x00000000
OutBuff: 0x80000002, OutSize: 0x00000000
0x03 : Vendor communication
18th Nov, 2009 : Vendor contacted
11th Apr, 2010 : Fixed Build Published
23rd Apr, 2010 : Public Disclosure
0x04 : Exploit/PoC
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-030
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/