Advisory 2006-09-01.01

BlackICE Insufficient validation of arguments of NtOpenSection Vulnerability

Basic information:

Description:

Hooking SSDT functions requires extra caution. SSDT function handlers are executed in the kernel mode but their callers are executed in the user mode. Hence all function arguments come from the user mode. This is why it is necessary to validate these arguments properly. Otherwise a simple user call can easily crash the whole system. This bug usually results in a system crash. However, it may happen that this bug is even more dangerous and may lead to the execution of an arbitrary code in the privileged kernel mode.

BlackICE fails to validate the third argument of NtOpenSection. A call with invalid values in this argument can cause a system crash because of an error in RapDrv.sys.

Vulnerable software:

• BlackICE PC Protection 3.6.cpp
• BlackICE PC Protection 3.6.cpn
• BlackICE PC Protection 3.6.cpj
• BlackICE PC Protection 3.6.cpiE
• probably all versions of BlackICE PC Protection 3.6
• possibly older versions of BlackICE PC Protection
• possibly some versions of Proventia Desktop, Proventia Server or RealSecure

Events:

• 2006-09-05: Candidate for inclusion in the CVE list
• 2006-09-01: Vulnerability confirmed by popular information sources
• 2006-09-01: Advisory released
• 2006-09-01: Vendor notification

References:

• Security alert on SecurityReason
• National Vulnerability Database
• Common Vulnerabilities and Exposures
• Zone-H ITsec Advisories
• SecurityFocus Vulnerabilities
• FrSIRT Security Advisories
• Secunia Advisories
• ISS BlackICE PC Protection

valid HTML 4.01 · valid CSS 2 · optimized for you · design by martina · powered by jan · generated on May 24, 2013