exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CommView 6.1 Denial Of Service

CommView 6.1 Denial Of Service
Posted Apr 24, 2010
Authored by p4r4N0ID | Site corelan.be

CommView version 6.1 (build 636) suffers from a local denial of service vulnerability.

tags | advisory, denial of service, local
SHA-256 | fa3e95eb2eee13656e06e0aa498a7f95c2e01e0766d9ca539cdfabe285f444f7

CommView 6.1 Denial Of Service

Change Mirror Download

|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |
| |
| http://www.corelan.be:8800 |
| security@corelan.be |
| |
|-------------------------------------------------[ EIP Hunters ]--|
| |
| Vulnerability Disclosure Report |
| |
|------------------------------------------------------------------|



Advisory : CORELAN-10-030
Disclosure date : April 23rd, 2010

http://www.corelan.be:8800/advisories.php?id=CORELAN-10-030


0x00 : Vulnerability information

Product : CommView Network Monitor And Analyzer
Version : CommView 6.1 before Build 644
Vendor : http://www.tamos.com/
URL : http://www.tamos.com/download/main/
Type of vulnerability : Local Denial Of Service - BSOD
Risk rating : Low
Issue fixed in version : CommView 6.1 Build 644
Vulnerability discovered by : p4r4noid (T.B)
Greetings to : Corelan Security Team (http://www.corelan.be:8800/index.php/security/corelan-team-members/)




0x01 : Vendor description of software

>From the vendor website:

CommView is a powerful network monitor and analyzer designed for LAN administrators, security professionals, network programmers, home users...virtually anyone who wants a full picture of the traffic flowing through a PC or LAN segment.
Loaded with many user-friendly features, CommView combines performance and flexibility with an ease of use unmatched in the industry.
Price information
Home: $149.00



0x02 : Vulnerability details

Local Denial Of Service:

When the CommView application is installed on a host cv2k1.sys driver is loaded on the machine.
This driver allows any unprivileged user to open the device .CV2K_{GUID} and issue IOCTLs (0x00002578) with a buffering mode of METHOD_BUFFERED without any kind of validation.
The cv2k1.sys driver uses the METHOD_BUFFERED communication method when handling IOCTLs request and does not validate properly the buffer sent in the Irp object allowing local unprivileged attackers to crash an affected system, creating a denial of service condition.
Affected Device: cv2k1.sys ("DeviceCV2K_{GUID}")
Affected IOCTL: 0x00002578
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e).
Method: METHOD_BUFFERED
STACK_TEXT:

WARNING: Stack unwind information not available. Following frames may be wrong.
f58e5c18 84b05e30 84aeeca8 8605e690 84b05ea0 cv2k1+0x1faa
f58e5c34 804e3d77 84ba5038 00002578 806ee2d0 0x84b05e30
f58e5c44 8056a9ab 84b05ea0 860cbb08 84b05e30 nt!IopfCallDriver+0x31
f58e5c58 8057d9f7 84ba5038 84b05e30 860cbb08 nt!IopSynchronousServiceTail+0x60
f58e5d00 8057fbfa 000007b8 00000000 00000000 nt!IopXxxControlFile+0x611
f58e5d34 804df06b 000007b8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
f58e5d34 7c90eb94 000007b8 00000000 00000000 nt!KiFastCallEntry+0xf8
0012ff00 00000000 00000000 00000000 00000000 0x7c90eb94

IOCTL example:

InBuff: 0x80000001, InSize: 0x00000000
OutBuff: 0x80000002, OutSize: 0x00000000



0x03 : Vendor communication

18th Nov, 2009 : Vendor contacted
11th Apr, 2010 : Fixed Build Published
23rd Apr, 2010 : Public Disclosure


0x04 : Exploit/PoC
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-030

Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    6 Files
  • 18
    Aug 18th
    4 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close