CommView version 6.1 (build 636) suffers from a local denial of service vulnerability.
fa3e95eb2eee13656e06e0aa498a7f95c2e01e0766d9ca539cdfabe285f444f7
|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |
| |
| http://www.corelan.be:8800 |
| security@corelan.be |
| |
|-------------------------------------------------[ EIP Hunters ]--|
| |
| Vulnerability Disclosure Report |
| |
|------------------------------------------------------------------|
Advisory : CORELAN-10-030
Disclosure date : April 23rd, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-030
0x00 : Vulnerability information
Product : CommView Network Monitor And Analyzer
Version : CommView 6.1 before Build 644
Vendor : http://www.tamos.com/
URL : http://www.tamos.com/download/main/
Type of vulnerability : Local Denial Of Service - BSOD
Risk rating : Low
Issue fixed in version : CommView 6.1 Build 644
Vulnerability discovered by : p4r4noid (T.B)
Greetings to : Corelan Security Team (http://www.corelan.be:8800/index.php/security/corelan-team-members/)
0x01 : Vendor description of software
>From the vendor website:
CommView is a powerful network monitor and analyzer designed for LAN administrators, security professionals, network programmers, home users...virtually anyone who wants a full picture of the traffic flowing through a PC or LAN segment.
Loaded with many user-friendly features, CommView combines performance and flexibility with an ease of use unmatched in the industry.
Price information
Home: $149.00
0x02 : Vulnerability details
Local Denial Of Service:
When the CommView application is installed on a host cv2k1.sys driver is loaded on the machine.
This driver allows any unprivileged user to open the device .CV2K_{GUID} and issue IOCTLs (0x00002578) with a buffering mode of METHOD_BUFFERED without any kind of validation.
The cv2k1.sys driver uses the METHOD_BUFFERED communication method when handling IOCTLs request and does not validate properly the buffer sent in the Irp object allowing local unprivileged attackers to crash an affected system, creating a denial of service condition.
Affected Device: cv2k1.sys ("DeviceCV2K_{GUID}")
Affected IOCTL: 0x00002578
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e).
Method: METHOD_BUFFERED
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f58e5c18 84b05e30 84aeeca8 8605e690 84b05ea0 cv2k1+0x1faa
f58e5c34 804e3d77 84ba5038 00002578 806ee2d0 0x84b05e30
f58e5c44 8056a9ab 84b05ea0 860cbb08 84b05e30 nt!IopfCallDriver+0x31
f58e5c58 8057d9f7 84ba5038 84b05e30 860cbb08 nt!IopSynchronousServiceTail+0x60
f58e5d00 8057fbfa 000007b8 00000000 00000000 nt!IopXxxControlFile+0x611
f58e5d34 804df06b 000007b8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
f58e5d34 7c90eb94 000007b8 00000000 00000000 nt!KiFastCallEntry+0xf8
0012ff00 00000000 00000000 00000000 00000000 0x7c90eb94
IOCTL example:
InBuff: 0x80000001, InSize: 0x00000000
OutBuff: 0x80000002, OutSize: 0x00000000
0x03 : Vendor communication
18th Nov, 2009 : Vendor contacted
11th Apr, 2010 : Fixed Build Published
23rd Apr, 2010 : Public Disclosure
0x04 : Exploit/PoC
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-030
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed