Sunbelt Kerio Personal Firewall fwdrv.sys and khips.sys Driver Error Denial of Service Vulnerability

Vulnerability ID 1193303 Vulnerability type Input validation
Published 2006-10-02 Updated 2007-09-18
CVE number CVE-2006-5153 CNNVD-ID CNNVD-200610-055
Vulnerability platform N/A CVSS score 5.0
|Vulnerability sources
https://www.securityfocus.com/bid/20299
https://cxsecurity.com/issue/WLB-2006100051
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-055
|Vulnerability details
Sunbelt Kerio Personal Firewall is a simple rule-based firewall security product. Sunbelt Kerio Personal Firewall hooks many functions in the SSDT, and in at least six cases it may fail to validate the arguments passed in from user mode. Because of errors in the fwdrv.sys and khips.sys drivers, calling NtCreateFile, NtDeleteFile, NtLoadDriver, NtMapViewOfSection, NtOpenFile or NtSetInformationFile with invalid argument values causes a system crash.
|Vulnerability EXP
Hello,

I would like to inform you about a vulnerability in Sunbelt Kerio Personal Firewall.

Description:

Sunbelt Kerio Personal Firewall hooks many functions in SSDT and in at least six cases it fails to validate arguments 
that come from user mode. User calls to NtCreateFile, NtDeleteFile, NtLoadDriver, NtMapViewOfSection, NtOpenFile, 
NtSetInformationFile with invalid argument values can cause system crashes because of errors in Kerio drivers fwdrv.sys 
and khips.sys. Further impacts of this bug (like arbitrary code execution in the kernel mode) were not examined.

Vulnerable software:

* Sunbelt Kerio Personal Firewall 4.3.268
* Sunbelt Kerio Personal Firewall 4.3.246
* Sunbelt Kerio Personal Firewall 4.2.3.912
* probably all versions of Sunbelt Kerio Personal Firewall 4
* possibly older versions of Sunbelt Kerio Personal Firewall

More details and a proof of concept including source code are available here: 
http://www.matousec.com/info/advisories/Kerio-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php

Regards,

-- 
David Matousek

Founder and Chief Representative of Matousec - Transparent security
http://www.matousec.com/
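The bug class described in the advisory above is a kernel hook that dereferences user-mode arguments without checking them. The following is an added example, not code from the advisory, from Matousec or from the Kerio drivers: a user-mode C model of the checks a hook on NtCreateFile has to run before following the OBJECT_ATTRIBUTES and UNICODE_STRING pointers it receives. USER_PROBE_ADDRESS, the user_mem array, the STATUS_ codes and the struct layouts are constructed stand-ins for MmUserProbeAddress, real process memory and the Windows definitions, chosen so the file builds with any C compiler; probe_for_read() and user_copy() imitate the semantics of ProbeForRead() and of a __try/__except-guarded access rather than calling them.

```c
/* Added example (not from the advisory or the Kerio drivers): a user-mode
 * model of the argument validation an SSDT hook must perform before it
 * dereferences pointers supplied by user mode. All addresses, the user
 * memory array and the status codes below are constructed stand-ins. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USER_PROBE_ADDRESS 0x7FFF0000u   /* stand-in for MmUserProbeAddress */
#define USER_BASE          0x00400000u   /* where the simulated user pages live */
#define USER_SIZE          4096u

#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u
#define STATUS_INVALID_PARAMETER     0xC000000Du

/* Layouts of the two structures NtCreateFile receives; pointers are modelled
 * as 32-bit integers so they can hold any value, including kernel addresses. */
typedef struct { uint16_t Length, MaximumLength; uint32_t Buffer; } UNICODE_STRING_M;
typedef struct { uint32_t Length, RootDirectory, ObjectName, Attributes; } OBJECT_ATTRIBUTES_M;

static uint8_t user_mem[USER_SIZE];      /* the only "mapped" user pages in the model */

/* Model of ProbeForRead(): the range must sit entirely below the user/kernel
 * boundary, must not wrap around, and must be aligned. Memory is not touched. */
uint32_t probe_for_read(uint32_t addr, uint32_t len, uint32_t align) {
    if (len == 0) return STATUS_SUCCESS;
    if (addr % align != 0) return STATUS_DATATYPE_MISALIGNMENT;
    if (len > USER_PROBE_ADDRESS || addr > USER_PROBE_ADDRESS - len)
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Model of a guarded copy (the __try/__except around the access): the copy
 * reports failure instead of faulting when the range is not mapped. */
static bool user_copy(void *dst, uint32_t addr, uint32_t len) {
    if (addr < USER_BASE || len > USER_SIZE || addr - USER_BASE > USER_SIZE - len)
        return false;
    memcpy(dst, user_mem + (addr - USER_BASE), len);
    return true;
}

/* The validated hook: capture each user structure exactly once (no second
 * fetch from user memory), check its invariants, and only then follow the
 * pointers inside it. Returns a status code and, on success, the captured
 * object name (UTF-16LE bytes) in name_out. */
uint32_t validate_create_file_args(uint32_t oa_addr, uint8_t *name_out,
                                   size_t name_cap, size_t *name_len) {
    OBJECT_ATTRIBUTES_M oa;
    UNICODE_STRING_M us;
    uint32_t st;

    st = probe_for_read(oa_addr, sizeof oa, 4);
    if (st != STATUS_SUCCESS) return st;
    if (!user_copy(&oa, oa_addr, sizeof oa)) return STATUS_ACCESS_VIOLATION;
    if (oa.Length != sizeof oa) return STATUS_INVALID_PARAMETER;

    if (oa.ObjectName == 0) return STATUS_INVALID_PARAMETER;   /* model: name required */
    st = probe_for_read(oa.ObjectName, sizeof us, 4);
    if (st != STATUS_SUCCESS) return st;
    if (!user_copy(&us, oa.ObjectName, sizeof us)) return STATUS_ACCESS_VIOLATION;

    /* UNICODE_STRING invariants: even byte count and Length <= MaximumLength. */
    if ((us.Length & 1) || us.Length > us.MaximumLength) return STATUS_INVALID_PARAMETER;
    if (us.Length > name_cap) return STATUS_INVALID_PARAMETER;
    st = probe_for_read(us.Buffer, us.Length, 2);
    if (st != STATUS_SUCCESS) return st;
    if (!user_copy(name_out, us.Buffer, us.Length)) return STATUS_ACCESS_VIOLATION;
    *name_len = us.Length;
    return STATUS_SUCCESS;
}

/* Constructed fixture: OBJECT_ATTRIBUTES at USER_BASE, UNICODE_STRING at
 * USER_BASE+32, name bytes at USER_BASE+64. The caller picks the pointer and
 * length fields so malformed inputs can be built. Returns the OA address. */
uint32_t build_user_args(uint32_t objname_ptr, uint32_t buffer_ptr,
                         uint16_t length, uint16_t max_length) {
    static const uint8_t name[] = { 'C',0, ':',0, '\\',0, 'x',0 };  /* "C:\x" UTF-16LE */
    OBJECT_ATTRIBUTES_M oa = { sizeof(OBJECT_ATTRIBUTES_M), 0, objname_ptr, 0 };
    UNICODE_STRING_M us = { length, max_length, buffer_ptr };
    memset(user_mem, 0, sizeof user_mem);
    memcpy(user_mem + 0,  &oa, sizeof oa);
    memcpy(user_mem + 32, &us, sizeof us);
    memcpy(user_mem + 64, name, sizeof name);
    return USER_BASE;
}

int main(void) {
    uint8_t buf[64]; size_t n = 0;
    uint32_t ok  = validate_create_file_args(build_user_args(USER_BASE + 32, USER_BASE + 64, 8, 8), buf, sizeof buf, &n);
    uint32_t bad = validate_create_file_args(build_user_args(0x80001000u, USER_BASE + 64, 8, 8), buf, sizeof buf, &n);
    printf("well-formed args: 0x%08X, kernel pointer in ObjectName: 0x%08X\n", ok, bad);
    return 0;
}
```

The order of operations is the point: probe, then a single guarded copy into kernel-owned storage, then checks on the copy, and only then the next pointer. A hook that reads the OBJECT_ATTRIBUTES straight from the user address, or that re-reads it after validating, is exposed both to the crash described in the advisory and to the argument changing between check and use.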
|Affected products
Kerio Personal Firewall 4.3.268 Kerio Personal Firewall 4.3.246 Kerio Personal Firewall 4.2.3.912
|References

Source: BID
Name: 20299
Link: http://www.securityfocus.com/bid/20299
Source: BUGTRAQ
Name: 20061001 Kerio Multiple insufficient argument validation of hooked SSDT function Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/447504/100/0/threaded
Source: MISC
Link: http://www.matousec.com/info/advisories/Kerio-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php
Source: SECUNIA
Name: 22234
Link: http://secunia.com/advisories/22234
Source: XF
Name: kerio-drivers-dos(29313)
Link: http://xforce.iss.net/xforce/xfdb/29313
Source: VUPEN
Name: ADV-2006-3872
Link: http://www.frsirt.com/english/advisories/2006/3872
Source: SECTRACK
Name: 1016967
Link: http://securitytracker.com/id?1016967
Source: SREASON
Name: 1685
Link: http://securityreason.com/securityalert/1685