
CA HIPS kmxids.sys Remote Kernel Vulnerability

Posted Aug 23, 2009
Site ivizsecurity.com

CA HIPS is a Host Based Intrusion Prevention System in which managed agents are deployed on individual hosts to be protected by the HIPS and controlled by the centralized console. It is possible to trigger faults in the kernel driver (kmxids.sys) used by the protection agent by sending certain malformed IP packets.

tags | advisory, kernel
advisories | CVE-2009-2740
SHA-256 | 23841421c5001f9dc9ee18df624a55e0b47662b59340b4152f572bc4ada45613

---------------------------------------------------------------------------------------------------

[ iViZ Security Advisory 09-005 19/08/2009 ]
---------------------------------------------------------------------------------------------------

iViZ Techno Solutions Pvt. Ltd.
http://www.ivizsecurity.com
------------------------------------------------------------------------------------------


* Title: CA HIPS kmxids.sys Remote Kernel Vulnerability
* Software: CA HIPS r8.1

--[ Synopsis:

CA HIPS is a Host Based Intrusion Prevention System in which managed agents
are deployed on individual hosts to be protected by the HIPS and controlled
by the centralized console.

It is possible to trigger faults in the kernel driver (kmxids.sys) used by
the protection agent by sending certain malformed IP packets.

--[ Affected Software:

* CA HIPS r8.1 (possibly older versions too)

Tested on:

* Agent Product Version: 1.5.290
* Agent Engine Version: 1.5.286

--[ Technical description:

When the CA HIPS agent processes certain malformed IP packets, it fails to
handle a boundary condition during parsing and pattern matching of the
packet. It is possible to force the kernel driver (kmxids.sys) responsible
for analyzing each inbound/outbound packet to reference invalid/unmapped
memory.
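The bug class described above is a boundary-condition error in a parse-then-match path over packet data that ends in a read of unmapped memory at IRQL 2 (bug check 0xD1, DRIVER_IRQL_NOT_LESS_OR_EQUAL: a driver touched invalid or paged memory at DISPATCH_LEVEL). The C program below is an added example, not CA's driver code and not part of the iViZ advisory; it shows what a bounds-safe version of that path looks like. Every length taken from the packet (IHL, Total Length) is validated against the real buffer size before use, and the signature matcher's loop bound is derived from the validated payload length rather than from any packet field. All function names, status codes and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened inspection path (added example, not CA's code).
 * Negative status codes; a signature match offset is always >= 0. */
enum { NO_MATCH = -1, PARSE_TRUNCATED = -2, PARSE_BAD_HEADER = -3 };

/* Locate the transport payload of an IPv4 packet held in pkt[0..len).
 * Both length fields read from the packet (IHL and Total Length) are
 * checked against the real buffer length before being used, so a
 * malformed header cannot push later reads past the end of the buffer. */
int ipv4_payload(const uint8_t *pkt, size_t len,
                 const uint8_t **payload, size_t *payload_len)
{
    if (len < 20) return PARSE_TRUNCATED;              /* minimum IPv4 header */
    if ((pkt[0] >> 4) != 4) return PARSE_BAD_HEADER;    /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;           /* header length, bytes */
    if (ihl < 20) return PARSE_BAD_HEADER;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];      /* Total Length field */
    if (total < ihl) return PARSE_BAD_HEADER;           /* header overlaps data */
    if (total > len) return PARSE_TRUNCATED;            /* claims bytes we do not have */
    *payload = pkt + ihl;
    *payload_len = total - ihl;
    return 0;
}

/* Bounded signature search over the payload. The loop bound comes from the
 * validated buffer length, never from packet fields, and the boundary case
 * sig_len > buf_len is rejected before any byte is compared. */
long find_signature(const uint8_t *buf, size_t buf_len,
                    const uint8_t *sig, size_t sig_len)
{
    if (sig_len == 0 || sig_len > buf_len) return NO_MATCH;
    for (size_t i = 0; i + sig_len <= buf_len; i++)
        if (memcmp(buf + i, sig, sig_len) == 0) return (long)i;
    return NO_MATCH;
}

/* Per-packet entry point: parse, then match. Returns the payload offset of
 * the signature, NO_MATCH, or a negative parse status for malformed input. */
long inspect_packet(const uint8_t *pkt, size_t len,
                    const uint8_t *sig, size_t sig_len)
{
    const uint8_t *payload;
    size_t payload_len;
    int st = ipv4_payload(pkt, len, &payload, &payload_len);
    if (st != 0) return st;
    return find_signature(payload, payload_len, sig, sig_len);
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t sample_ok[28] = {
    0x45, 0x00, 0x00, 0x1c,      /* IPv4, IHL=5 (20 bytes), Total Length=28 */
    0x00, 0x01, 0x00, 0x00,      /* identification, flags/fragment offset */
    0x40, 0x11, 0x00, 0x00,      /* TTL 64, protocol UDP, checksum (unverified) */
    10, 0, 0, 1, 10, 0, 0, 2,    /* source 10.0.0.1, destination 10.0.0.2 */
    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H'  /* 8-byte payload */
};
/* Same packet, but Total Length claims 1500 bytes: a parser trusting that
 * field would walk about 1.4 KB beyond the 28-byte buffer while matching. */
static const uint8_t sample_lying_length[28] = {
    0x45, 0x00, 0x05, 0xdc, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2, 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H'
};
static const uint8_t sig_def[3]  = { 'D', 'E', 'F' };
static const uint8_t sig_long[9] = { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I' };

long demo_match(void)        { return inspect_packet(sample_ok, sizeof sample_ok, sig_def, sizeof sig_def); }
long demo_lying_length(void) { return inspect_packet(sample_lying_length, sizeof sample_lying_length, sig_def, sizeof sig_def); }
long demo_sig_too_long(void) { return inspect_packet(sample_ok, sizeof sample_ok, sig_long, sizeof sig_long); }
long demo_truncated(void)    { return inspect_packet(sample_ok, 10, sig_def, sizeof sig_def); }

int main(void)
{
    printf("match offset      : %ld\n", demo_match());         /* 3 */
    printf("lying Total Length: %ld\n", demo_lying_length());  /* -2 */
    printf("signature too long: %ld\n", demo_sig_too_long());  /* -1 */
    printf("truncated header  : %ld\n", demo_truncated());     /* -2 */
    return 0;
}
```

The two malformed inputs are the cases that matter for a driver running at DISPATCH_LEVEL: a Total Length larger than the buffer actually received, and a signature longer than the remaining payload. Both are rejected with a status code instead of being fed into the matcher, which is the difference between a dropped packet and a bug check.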

The following information is obtained during crash analysis:

------
CURRENT_IRQL: 2

FAULTING_IP:
kmxids+a2f4
f6b8c2f4 8a26 mov ah,byte ptr [esi]

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

TRAP_FRAME: f88ca4f4 -- (.trap 0xfffffffff88ca4f4)
ErrCode = 00000000
eax=f88ca754 ebx=81f7415a ecx=00000003 edx=428c200c esi=6e96d603 edi=f6b83264
eip=f6b8c2f4 esp=f88ca568 ebp=f88ca574 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
kmxids+0xa2f4:
f6b8c2f4 8a26 mov ah,byte ptr [esi] ds:0023:6e96d603=??
Resetting default scope

LAST_CONTROL_TRANSFER: from 804f7b9d to 80527bdc

STACK_TEXT:
f88ca0a8 804f7b9d 00000003 f88ca404 00000000 nt!RtlpBreakWithStatusInstruction
f88ca0f4 804f878a 00000003 6e96d603 f6b8c2f4 nt!KiBugCheckDebugBreak+0x19
f88ca4d4 80540683 0000000a 6e96d603 00000002 nt!KeBugCheck2+0x574
f88ca4d4 f6b8c2f4 0000000a 6e96d603 00000002 nt!KiTrap0E+0x233
WARNING: Stack unwind information not available. Following frames may be wrong.
f88ca574 f6b832e1 6e96d603 f6b83264 00000003 kmxids+0xa2f4
00000000 00000000 00000000 00000000 00000000 kmxids+0x12e1
------

The issue can be used to create a Denial of Service condition on each host
protected by affected versions of the CA HIPS agent; however, due to the
nature of the vulnerability, remote code execution is unlikely.

--[ Impact:

* Denial of Service
* Remote Code Execution is unlikely

--[ Vendor response:

* Fixed in CA Host-Based Intrusion Prevention System 8.1 CF 1

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=214665

--[ CVE ID:

CVE-2009-2740

--[ Credits:

This vulnerability was discovered by iViZ Security Research Team
http://www.ivizsecurity.com

http://www.ivizsecurity.com/security-advisory-iviz-sr-09005.html


packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close