|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Next Generation Security Technologies http://www.ngsec.com Security Advisory Title: NtRegmon, local system denial of service. ID: NGSEC-2004-7 Application: NtRegmon (http://www.sysinternals.com/ntw2k/source/regmon.shtml) Date: 14/Aug/2004 Status: Patched version available (6.12). Platform(s): Windows OSs. Author: Fermín J. SernaLocation: http://www.ngsec.com/docs/advisories/NGSEC-2004-7.txt Overview: - --------- NtRegmon is a Registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing - all in real-time. For its task NtRegmon hooks some kernel mode funtions (Registry functions) for its logging purposes. Regmon suffer from an unvalidated pointer referencing in some of this kernel hooks. While any privileged user is using NtRegmon, any local and unauthorized user can crash the system. Technical description: - ---------------------- NtRegmon is a Registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing - all in real-time. For its task NtRegmon hooks some kernel mode funtions (Registry functions) for its logging purposes. Regmon suffers from some unvalidated pointer referencing in some of this kernel hooks. In example NtRegmon hooks ZwSetQueryValue declared as follows: NTSTATUS ZwSetQueryValue(DWORD KeyHandle, DWORD ValueName, DWORD TitleIndex, DWORD Type, DWORD Data, DWORD DataSize); The problem exists because NtRegmon does not properly check if some argument pointers are valid or not. While any privileged user is using Regmon, any local and unauthorized user can crash the system. Sample exploitation cand be found: http://www.ngsec.com/downloads/exploits/ntregmon-dos.c Recommendations: - ---------------- Upgrade to NtRegmon version 6.12. - -- More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/ PGP Key: http://www.ngsec.com/pgp/labs.asc Copyright(c) 2002-2004 NGSEC. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBLFeCKrwoKcQl8Y4RAjxYAKCYw9QhDRCxnJSXd2HFt9Zp/pRgYwCfQynV /bdl2s6PNLcuP6kXn5pRSlg= =P5Yq -----END PGP SIGNATURE-----