Outpost Firewall Self-Protection Bypass via File Links Vulnerability

Vulnerability ID 1112011 Vulnerability type Design error
Published 2007-01-15 Updated 2007-01-19
CVE ID CVE-2007-0333 CNNVD ID CNNVD-200701-255
Platform Windows CVSS score 7.2
|Vulnerability sources
https://www.exploit-db.com/exploits/29465
https://cxsecurity.com/issue/WLB-2007010078
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-255
|Vulnerability details
Outpost Firewall Pro is a compact network firewall that also offers ad and image filtering, content filtering and DNS caching. Outpost installs a set of SSDT hooks to protect the files and directories in its installation directory, but those hooks do not filter calls to ZwSetInformationFile with the FileLinkInformation class. Such a call creates a new hard link to the file behind the caller's handle: the attacker opens a file they control and supplies the protected path only as the name of the new link (with ReplaceIfExists set), so hooks that check the path being opened never see the protected path, and any file in the protected directory that the system does not currently hold open can be replaced. One such file in the Outpost installation directory is the driver SandBox.sys. An attacker can replace it with a forged copy, which the system loads at the next reboot; because the driver runs in privileged kernel mode, this can lead to complete control of the system.
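The following is an added example, not code from Outpost or from the advisory. It is a user-mode model of the self-protection filter described above, written to show why a create/open hook alone misses the attack and what the missing check looks like: the "syscalls", the handle type and the FILE_LINK_INFORMATION layout are simplified stand-ins, the install directory and attacker file name are assumed, and the hardened filter also covers FileRenameInformation, which the page does not mention but which carries a destination name in the same way.

```c
/* Added example (not Outpost's or the advisory's code): a user-mode model of
 * the SSDT self-protection filter. Syscalls, handle and information-class
 * buffers are simplified stand-ins; paths are assumed for the demo.
 * Builds with any C99 compiler on any platform. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed install directory; the real path depends on the installer. */
#define PROTECTED_DIR "C:\\Program Files\\Agnitum\\Outpost Firewall\\"

/* Values match the NT FILE_INFORMATION_CLASS enumeration. */
typedef enum {
    FileRenameInformation = 10,
    FileLinkInformation = 11,
    FileDispositionInformation = 13   /* delete: covered by the handle check below */
} FILE_INFORMATION_CLASS;

/* Stand-in for FILE_LINK_INFORMATION / FILE_RENAME_INFORMATION; the real
 * structures carry RootDirectory, FileNameLength and a counted WCHAR name. */
typedef struct {
    bool replace_if_exists;
    const char *file_name;  /* destination path for the new link or name */
} FileLinkInfo;

/* In this model a handle is just the path that was opened through it. */
typedef struct { const char *path; } Handle;

typedef bool (*set_info_fn)(const Handle *, FILE_INFORMATION_CLASS, const void *);

/* Case-insensitive prefix test; NTFS path lookup is case-insensitive. */
static bool path_in_protected_dir(const char *path) {
    const char *dir = PROTECTED_DIR;
    for (; *dir; ++dir, ++path) {
        if (*path == '\0' ||
            tolower((unsigned char)*dir) != tolower((unsigned char)*path))
            return false;
    }
    return true;
}

/* ZwCreateFile hook: refuses to open anything under the install directory.
 * This is the kind of check the product did perform. */
static bool hooked_create_file(const char *path, Handle *out) {
    if (path_in_protected_dir(path))
        return false;                 /* STATUS_ACCESS_DENIED */
    out->path = path;
    return true;
}

/* Vulnerable model of ZwSetInformationFile: no filtering. The handle refers
 * to the attacker's own file, so the create hook never saw the protected
 * path; it appears only inside the FileLinkInformation buffer. */
static bool vulnerable_set_information_file(const Handle *h,
                                            FILE_INFORMATION_CLASS cls,
                                            const void *info) {
    (void)h; (void)cls; (void)info;
    return true;                      /* passed straight to the original API */
}

/* Hardened model: for link and rename classes, check the destination name
 * as well as the file behind the handle. */
static bool hardened_set_information_file(const Handle *h,
                                          FILE_INFORMATION_CLASS cls,
                                          const void *info) {
    if (path_in_protected_dir(h->path))
        return false;
    if (cls == FileLinkInformation || cls == FileRenameInformation) {
        const FileLinkInfo *li = (const FileLinkInfo *)info;
        if (path_in_protected_dir(li->file_name))
            return false;             /* link would land inside the protected tree */
    }
    return true;
}

/* Replays the advisory's attack against a given filter: open a file the
 * attacker controls, then request a new link to it at the driver's path.
 * Returns true when the replacement is allowed through. */
static bool replay_attack(set_info_fn set_info) {
    Handle h;
    /* Constructed attacker-controlled file; any writable location will do. */
    if (!hooked_create_file("C:\\Temp\\fake_sandbox.sys", &h))
        return false;
    FileLinkInfo li = { true, PROTECTED_DIR "SandBox.sys" };
    return set_info(&h, FileLinkInformation, &li);
}

int main(void) {
    printf("vulnerable filter lets the link through: %s\n",
           replay_attack(vulnerable_set_information_file) ? "yes" : "no");
    printf("hardened filter lets the link through:   %s\n",
           replay_attack(hardened_set_information_file) ? "yes" : "no");
    return 0;
}
```

A real kernel filter needs more than the prefix compare shown here: the link name may be relative to the RootDirectory handle in the structure and must be resolved and normalized (8.3 short names, device and \\?\ forms, symbolic links) before it is compared with the protected directory. Hard links also require source and destination on the same volume, and ReplaceIfExists against an existing file succeeds only if the caller has delete access to it, which is why the driver is a target only when it is not held open.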
|Exploit
source: http://www.securityfocus.com/bid/22069/info

Outpost Firewall PRO is prone to a local privilege-escalation vulnerability because it fails to perform adequate SSDT (System Service Descriptor Table) hooking on files in its installation directory.

A local attacker can exploit this issue to elevate their privileges, which can lead to the complete compromise of an affected computer.

Outpost Firewall PRO 4.0 is vulnerable; other versions may also be affected.

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/29465.zip
|References

Source: BID
Name: 22069
Link: http://www.securityfocus.com/bid/22069
Source: BUGTRAQ
Name: 20070115 Outpost Bypassing Self-Protection using file links Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/456973/100/0/threaded
Source: MISC
Link: http://www.matousec.com/info/advisories/Outpost-Bypassing-Self-Protection-using-file-links.php
Source: OSVDB
Name: 33480
Link: http://osvdb.org/33480
Source: XF
Name: outpostfirewall-zwset-privilege-escalation(31529)
Link: http://xforce.iss.net/xforce/xfdb/31529
Source: SREASON
Name: 2163
Link: http://securityreason.com/securityalert/2163