-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Next Generation Security Technologies http://www.ngsec.com Security Advisory Title: IPD, local system denial of service. ID: NGSEC-2004-6 Application: IPD up to 1.4 (http://www.pedestalsoftware.com/) Date: 14/Aug/2004 Status: Vendor contacted on 14/Aug/2004. Platform(s): Windows OSs. Author: Fermín J. Serna Location: http://www.ngsec.com/docs/advisories/NGSEC-2004-6.txt Overview: - --------- The IPD (Integrity protection driver) is an Open Source device driver designed to prohibit the installation of new services and drivers and to protect existing driver from tampering. It installs on Windows NT and Windows 2000 computers. In its security approach IPD hooks some kernel mode funtions and filters them allowing or not their original purposes based on IPD's security policy. IPD suffers from an unvalidated pointer referencing in some of this kernel hooks. Technical description: - ---------------------- The IPD (Integrity protection driver) is an Open Source device driver designed to prohibit the installation of new services and drivers and to protect existing driver from tampering. It installs on Windows NT and Windows 2000 computers. IPD is available for download at: http://www.pedestalsoftware.com/download/ipd.zip In its security approach IPD hooks some kernel mode funtions and filters them allowing or not their original purposes based on IPD's securit policy. IPD suffers from some unvalidated pointer referencing in some of this kernel hooks. In example IPD hooks ZwOpenSection declared as follows: NTSTATUS ZwOpenSection(HANDLE Handle, DWORD mask, DWORD oa); The problem exists because IPD does not properly check wether "oa" pointer is valid or not. Any local and unauthorized user can crash the system with some simple coding skills. Sample exploitation cand be found: http://www.ngsec.com/downloads/exploits/ipd-dos.c Recommendations: - ---------------- Since the vendor has discontinued the development and support of IPD, NGSEC recomends to uninstall IPD or perform a deep source security audit before re-enabling it. - -- More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/ PGP Key: http://www.ngsec.com/pgp/labs.asc Copyright(c) 2002-2004 NGSEC. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBIeBaKrwoKcQl8Y4RAja+AJ9AAcQ+kbSlzihym+HNYA3Eje0oigCfSuKH 8Y5J6HnjXR1bYOBbCL1Jn9A= =+YTS -----END PGP SIGNATURE-----