TUCoPS :: Windows :: hack2238.htm

NtRegmon, local system DoS.
[NGSEC-2004-7] NtRegmon, local system denial of service.


-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1







                   Next Generation Security Technologies

                          http://www.ngsec.com 

                            Security Advisory





       Title:   NtRegmon, local system denial of service.

          ID:   NGSEC-2004-7

 Application:   NtRegmon (http://www.sysinternals.com/ntw2k/source/regmon.shtml) 

        Date:   14/Aug/2004

      Status:   Patched version available (6.12).

 Platform(s):   Windows OSs.

      Author:   Fermín J. Serna  

    Location:   http://www.ngsec.com/docs/advisories/NGSEC-2004-7.txt 





Overview:

- ---------



NtRegmon is a Registry monitoring utility that will show you which applications

are accessing your Registry, which keys they are accessing, and the Registry

data that they are reading and writing - all in real-time. 



For its task NtRegmon hooks some kernel mode funtions (Registry functions) for

its logging purposes.



Regmon suffer from an unvalidated pointer referencing in some of this kernel

hooks. 



While any privileged user is using NtRegmon, any local and unauthorized user 

can crash the system.





Technical description:

- ----------------------



NtRegmon is a Registry monitoring utility that will show you which applications

are accessing your Registry, which keys they are accessing, and the Registry

data that they are reading and writing - all in real-time.





For its task NtRegmon hooks some kernel mode funtions (Registry functions) for

its logging purposes.



Regmon suffers from some unvalidated pointer referencing in some of this kernel

hooks. In example NtRegmon hooks ZwSetQueryValue declared as follows:



  NTSTATUS ZwSetQueryValue(DWORD KeyHandle, DWORD ValueName, DWORD TitleIndex,

                           DWORD Type, DWORD Data, DWORD DataSize);



The problem exists because NtRegmon does not properly check if some argument

pointers are valid or not. While any privileged user is using Regmon, any local

and unauthorized user can crash the system.



Sample exploitation cand be found:



         http://www.ngsec.com/downloads/exploits/ntregmon-dos.c 





Recommendations:

- ----------------

Upgrade to NtRegmon version 6.12.



- --

More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/ 

PGP Key: http://www.ngsec.com/pgp/labs.asc 



Copyright(c) 2002-2004 NGSEC. All rights reserved.



-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.2.4 (GNU/Linux)



iD8DBQFBLFeCKrwoKcQl8Y4RAjxYAKCYw9QhDRCxnJSXd2HFt9Zp/pRgYwCfQynV

/bdl2s6PNLcuP6kXn5pRSlg=

=P5Yq

-----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH