|------------------------------------------------------------------| | __ __ | | _________ ________ / /___ _____ / /____ ____ _____ ___ | | / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | | / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | | \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | | | | http://www.corelan.be:8800 | | security@corelan.be | | | |-------------------------------------------------[ EIP Hunters ]--| | | | Vulnerability Disclosure Report | | | |------------------------------------------------------------------| Advisory : CORELAN-10-030 Disclosure date : April 23rd, 2010 http://www.corelan.be:8800/advisories.php?id=CORELAN-10-030 0x00 : Vulnerability information Product : CommView Network Monitor And Analyzer Version : CommView 6.1 before Build 644 Vendor : http://www.tamos.com/ URL : http://www.tamos.com/download/main/ Type of vulnerability : Local Denial Of Service - BSOD Risk rating : Low Issue fixed in version : CommView 6.1 Build 644 Vulnerability discovered by : p4r4noid (T.B) Greetings to : Corelan Security Team (http://www.corelan.be:8800/index.php/security/corelan-team-members/) 0x01 : Vendor description of software >From the vendor website: CommView is a powerful network monitor and analyzer designed for LAN administrators, security professionals, network programmers, home users...virtually anyone who wants a full picture of the traffic flowing through a PC or LAN segment. Loaded with many user-friendly features, CommView combines performance and flexibility with an ease of use unmatched in the industry. Price information Home: $149.00 0x02 : Vulnerability details Local Denial Of Service: When the CommView application is installed on a host cv2k1.sys driver is loaded on the machine. This driver allows any unprivileged user to open the device .CV2K_{GUID} and issue IOCTLs (0x00002578) with a buffering mode of METHOD_BUFFERED without any kind of validation. The cv2k1.sys driver uses the METHOD_BUFFERED communication method when handling IOCTLs request and does not validate properly the buffer sent in the Irp object allowing local unprivileged attackers to crash an affected system, creating a denial of service condition. Affected Device: cv2k1.sys ("DeviceCV2K_{GUID}") Affected IOCTL: 0x00002578 KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e). Method: METHOD_BUFFERED STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. f58e5c18 84b05e30 84aeeca8 8605e690 84b05ea0 cv2k1+0x1faa f58e5c34 804e3d77 84ba5038 00002578 806ee2d0 0x84b05e30 f58e5c44 8056a9ab 84b05ea0 860cbb08 84b05e30 nt!IopfCallDriver+0x31 f58e5c58 8057d9f7 84ba5038 84b05e30 860cbb08 nt!IopSynchronousServiceTail+0x60 f58e5d00 8057fbfa 000007b8 00000000 00000000 nt!IopXxxControlFile+0x611 f58e5d34 804df06b 000007b8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a f58e5d34 7c90eb94 000007b8 00000000 00000000 nt!KiFastCallEntry+0xf8 0012ff00 00000000 00000000 00000000 00000000 0x7c90eb94 IOCTL example: InBuff: 0x80000001, InSize: 0x00000000 OutBuff: 0x80000002, OutSize: 0x00000000 0x03 : Vendor communication 18th Nov, 2009 : Vendor contacted 11th Apr, 2010 : Fixed Build Published 23rd Apr, 2010 : Public Disclosure 0x04 : Exploit/PoC http://www.corelan.be:8800/advisories.php?id=CORELAN-10-030 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/