cvelistv5 - cve-2008-1736

CVE-2008-1736 (GCVE-0-2008-1736)

Vulnerability from cvelistv5 – Published: 2008-04-29 23:00 – Updated: 2024-08-07 08:32

Summary

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

VAR-200804-0396

Vulnerability from variot - Updated: 2023-12-18 13:10

Comodo Firewall Pro before 3.0 does not properly validate certain parameters to hooked System Service Descriptor Table (SSDT) functions, which allows local users to cause a denial of service (system crash) via (1) a crafted OBJECT_ATTRIBUTES structure in a call to the NtDeleteFile function, which leads to improper validation of a ZwQueryObject result; and unspecified calls to the (2) NtCreateFile and (3) NtSetThreadContext functions, different vectors than CVE-2007-0709. This vulnerability CVE-2007-0709 Is a different vulnerability.Service disruption by local users via: ( System crash ) There is a possibility of being put into a state. (1) NtDeleteFile Crafted in a call to a function OBJECT_ATTRIBUTES Through the structure ZwQueryObject Trigger improper validation of results (2) NtCreateFile Call to function (3) NtSetThreadContext Call to function. Comodo Firewall Pro is prone to multiple local vulnerabilities. Attackers might also be able to gain elevated privileges by executing arbitrary machine code in the context of the kernel, but this has not been confirmed. Comodo Firewall Pro 2.4.18.184 is vulnerable; other versions may also be affected. The NtDeleteFile, NtCreateFile, and NtSetThreadContext functions of the Comodo firewall do not validate parameters correctly. … . ----------------------------------------------------------------------

Secunia Network Software Inspector 2.0 (NSI) - Public Beta

The Public Beta has ended. Thanks to all that participated. These can be exploited to cause a DoS by calling the affected functions with specially crafted arguments.

The vulnerabilities are reported in version 2.4.18.184.

SOLUTION: Upgrade to version 3.0.

Subscribe: http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/

Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

  Core Security Technologies - CoreLabs Advisory
       http://www.coresecurity.com/corelabs/

Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls

Advisory Information

Title: Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls Advisory ID: CORE-2008-0320 Advisory URL: http://www.coresecurity.com/?action=item&id=2249 Date published: 2008-04-28 Date of last update: 2008-04-28 Vendors contacted: BitDefender, Comodo, Sophos and Rising Release mode: Coordinated release (BitDefender, Comodo, Rising), User release (Sophos)

Vulnerability Information

Class: Invalid memory reference Remotely Exploitable: No Locally Exploitable: Yes Bugtraq ID: 28741, 28742, 28743, 28744
CVE Name: CVE-2008-1735, CVE-2008-1736, CVE-2008-1737, CVE-2008-1738

Vulnerability Description

Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls (BitDefender Antivirus [1], Comodo Firewall [2], Sophos Antivirus [3] and Rising Antivirus [4]) have been found that could lead to a Denial of Service (DoS) and possibly to code execution attacks. An attacker, utilizing these flaws, could be able to locally reboot the whole system shutting down the firewall or anti-virus protection.

Vulnerable Packages

. BitDefender Antivirus 2008 Build 11.0.11 . Sophos Antivirus 7.0.5 . Rising Antivirus 19.60.0.0 and 19.66.0.0 . Older versions may be affected, but were not checked.

Non-vulnerable Packages

. BitDefender Antivirus 2008 builds available through automatic updates, posterior to January 18th. Rising Antivirus 20.38.20

Vendor Information, Solutions and Workarounds

1) BITDEFENDER ANTIVIRUS (BID 28741, CVE-2008-1735)

According to BitDefender, the flaw was not exploited by any malicious application, and it was corrected through automatic updates. Information on this issue can be found on BitDefender website at this location: http://kb.bitdefender.com/KB419-en--Security-vulnerability-in-BitDefender-2008.html.

Non-vulnerable products from Sophos are earlier versions of Sophos Anti-Virus for Windows, Sophos Anti-Virus for non-Windows platforms and all other Sophos products.

The vulnerability is only exploitable if Runtime Behavioural Analysis is switched on. Even then the exploit will only be effective if the end user is using security settings that are lower than the defaults for most web browsers today, or if the end user agrees to activate an ActiveX or Java Applet from the webpage hosting the exploit.

Workarounds to avoid this vulnerability include:

a. Using the default security settings or higher on the latest version of your chosen web browser. In line with general security best practice we would also encourage end users not to download ActiveX or Java Applets unless confident about their content.

b. Turning off the Runtime Behavioural Analysis functionality within Sophos Anti-Virus (customers will still benefit from Sophos Behavioural Genotype protection and other means of protecting endpoints against malware).

N.B. Should an exploit be released into the wild, Sophos will deploy protection against that exploit.

The fix for this vulnerability requires customers to reboot their endpoints. Given the low severity of the vulnerability, to minimise disruption to our customers Sophos will release the fix at the earliest opportunity that coincides with a necessary reboot of the product."

4) RISING ANTIVIRUS (BID 28744, CVE-2008-1738)

A fixed version of Rising Antivirus can be downloaded from: http://rsdownload.rising.com.cn/for_down/rsfree/ravolusrfree.exe

All Rising customers can also update up to a patched version through automatic updates.

Credits

These vulnerabilities (except the Rising one) were discovered by Damian Saura, Anibal Sacco, Dario Menichelli, Norberto Kueffner, Andres Blanco y Rodrigo Carvalho from Core Security Technologies, during Bugweek 2007. The Rising vulnerability was discovered by Anibal Sacco from Core Security Technologies exploit writers team.

These vulnerabilities were researched by Anibal Sacco and Damian Saura from Core Security Technologies.

Technical Description / Proof of Concept Code

We have found that BitDefender Antivirus, Rising Antivirus, Comodo Firewall and Sophos Antivirus have hooks that do not properly validate the arguments of the hooked functions before accessing them, and lead to the program trying to reference some invalid memory, leading in some scenarios to a BSOD (Blue Screen of Death).

In our tests we used the kernel hooks probing tool BSODhook [5] in order to find any kind of insufficient argument validation of hooked SSDT functions. From Matousec paper [6]:

"Hooking kernel functions by modifying the System Service Descriptor Table (SSDT) is a very popular method of implementation of additional security features and is used frequently by personal firewalls and other security and low-level software. Although undocumented and despised by Microsoft, this technique can be implemented in a correct and stable way. However, many software vendors do not follow the rules and recommendations for kernel-mode code writing and many drivers that implement SSDT hooking do not properly validate the parameters of the hooking functions."

"Hooking SSDT functions requires extra caution. SSDT function handlers are executed in the kernel mode but their callers are executed in the user mode. Hence all function arguments come from the user mode. This is why it is necessary to validate these arguments properly. Otherwise a simple user call can easily crash the whole system. This bug usually results in a system crash. However, it may happen that this bug is even more dangerous and may lead to the execution of an arbitrary code in the privileged kernel mode."

A local DoS attack, despite not being a very sophisticated intrusion attack, could be used as an accessory under several scenarios. It is commonly used by viruses as added feature, when the specific AV is detected on the infected machine, crashing the system just to annoy. Or by a human attacker, after a succesful remote intrusion with unprivileged credentials to make a computer resource unavailable to its intended users. Besides, this could be a very valuable resource when trying to fake some service that answers broadcasts request like a DHCP, allowing to start the service in another location replacing the original one.

1) BITDEFENDER ANTIVIRUS (BID 28741, CVE-2008-1735)

BitDefender fails to validate the pointer to the 'CLIENT_ID' structure provided to 'NtOpenProcess'. So, if we pass an invalid pointer, we will crash the whole system.

/----------- NtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId )

.text:00010ADE push 0Ch .text:00010AE0 push offset stru_114E8 .text:00010AE5 call __SEH_prolog .text:00010AEA call KeGetCurrentThread .text:00010AEF xor ebx, ebx .text:00010AF1 cmp [eax+140h], bl .text:00010AF7 jz short loc_10B0D .text:00010AF9 call PsGetCurrentProcessId .text:00010AFE call PsGetCurrentProcessId .text:00010B03 push eax .text:00010B04 call sub_10724 .text:00010B09 test eax, eax .text:00010B0B jnz short loc_10B12 .text:00010B0D .text:00010B0D loc_10B0D: ; CODE XREF: sub_10ADE+19_j .text:00010B0D push [ebp+ClientId] .text:00010B10 jmp short loc_10B73 .text:00010B12 ; -

.text:00010B12 .text:00010B12 loc_10B12: ; CODE XREF: sub_10ADE+2D_j .text:00010B12 mov edi, [ebp+ClientId] .text:00010B15 cmp edi, ebx ; Little check to avoid a Null Pointer - -----------/

Here it gets the pointer to the 'ClientId' value, and if it is non zero ('!= 0') it does not care where it is pointing to.

/----------- .text:00010B17 jnz short loc_10B1C .text:00010B19 push ebx .text:00010B1A jmp short loc_10B73 .text:00010B1C ; -

.text:00010B1C .text:00010B1C loc_10B1C: ; CODE XREF: sub_10ADE+39_j .text:00010B1C mov [ebp+ms_exc.disabled], ebx .text:00010B1F mov esi, [edi] ; Here it crashes - -----------/

It access to that memory, and if that is invalid memory the system will crash.

/----------- .text:00010B21 mov [ebp+var_1C], esi .text:00010B24 or [ebp+ms_exc.disabled], 0FFFFFFFFh .text:00010B28 jmp short loc_10B3B .text:00010B28 sub_10ADE endp - -----------/

2) COMODO FIREWALL PRO (BID 28742, CVE-2008-1736)

In Comodo there are problems in the arguments validation of 'NtDeleteFile', 'NtCreateFile' and 'NtSetThreadContext' functions. 'NtDeleteFile' receives just one parameter, a pointer to an 'OBJECT_ATTRIBUTES' structure. These attributes would include the 'ObjectName' and the 'SECURITY_DESCRIPTOR', for example. This is the hook placed by Comodo at 'NtDeleteFile'.

/----------- NTDeleteFile (POBJECT_ATTRIBUTES ObjectAttributes)

.text:0001ACB0 push 1Ch .text:0001ACB2 push offset stru_1E3F0 .text:0001ACB7 call __SEH_prolog .text:0001ACBC xor ebx, ebx .text:0001ACBE inc ebx .text:0001ACBF mov [ebp+var_1C], ebx .text:0001ACC2 xor esi, esi .text:0001ACC4 mov [ebp+var_24], esi .text:0001ACC7 mov [ebp+var_20], ebx .text:0001ACCA mov [ebp+var_28], esi .text:0001ACCD mov [ebp+ms_exc.disabled], esi .text:0001ACD0 call ds:ExGetPreviousMode .text:0001ACD6 mov edi, [ebp+ObjectAttributes] - -----------/

Here it does a lot of 'ProbeForRead' checks to see if the pointers of the structure are valid. Nice! ('EDI' still has a pointer to the 'OBJECT_ATTRIBUTES' structure)

/----------- ....

sub_1A692 .text:0001A692 push 28h .text:0001A694 push offset stru_1E3C0 .text:0001A699 call __SEH_prolog .text:0001A69E xor edi, edi .... .text:0001A6B3 mov [ebp+ms_exc.disabled], edi .text:0001A6B6 push 72747052h ; Tag .text:0001A6BB mov ebx, 400h .text:0001A6C0 push ebx ; NumberOfBytes .text:0001A6C1 push 1 ; PoolType .text:0001A6C3 call ds:ExAllocatePoolWithTag ; Allocates memory to hold the data retrieved by ZwQueryObject .text:0001A6C9 mov esi, eax .text:0001A6CB mov [ebp+var_28], esi .text:0001A6CE cmp esi, edi .text:0001A6D0 jz short loc_1A74F

.text:0001A6D2 mov edi, [ebp+ObjectAttributes] .text:0001A6D5 mov eax, [edi+OBJECT_ATTRIBUTES.RootDirectory] ; Here, the code retrieves the RootDirectory's field value from the structure, controled by us. .text:0001A6D8 test eax, eax .text:0001A6DA jz short loc_1A71B

.text:0001A6DC push 0 ; ReturnLength .text:0001A6DE push ebx ; ObjectInformationLength .text:0001A6DF push esi ; ObjectInformation ; buffer where ZwQueryObject will put the object information

.text:0001A6E0 push 1 ; ObjectInformationClass ; Specifies an OBJECT_INFORMATION_CLASS value that determines the type ; of information returned in the ObjectInformation buffer. It's using ; an undocumented type (OBJECT_NAME_INFORMATION) which returns an UNICODE_STRING structure .text:0001A6E2 push eax ; ObjectHandle ; Now, the user-controlled handle 'll be used here to identify the object by ZwQueryObject, .text:0001A6E3 call ds:ZwQueryObject .text:0001A6E9 mov [ebp+var_20], eax .text:0001A6EC test eax, eax .text:0001A6EE jl short loc_1A746 - -----------/

Here is where the problem shows up. The code does not properly validates the data retrieved by 'ZwQueryObject', expecting an 'UNICODE_STRING' structure. But it is possible to make multiple calls to the function using different handlers to obtain a null structure crashing the system when the code tries to dereference its 'Buffer' field.

/----------- .text:0001A6F0 movzx eax, [esi+UNICODE_STRING.Length] .text:0001A6F3 shr eax, 1 .text:0001A6F5 mov ecx, [esi+UNICODE_STRING.Buffer] .text:0001A6F8 movzx eax, word ptr [ecx+eax*2-2] ; Here is the problem .text:0001A6FD mov [ebp+var_30], eax .text:0001A700 cmp ax, 5Ch .text:0001A704 jz short loc_1A725 - -----------/

3) SOPHOS ANTIVIRUS (BID 28743, CVE-2008-1737)

Insufficient argument validation of hooked SSDT functions on Sophos lead to a DoS. An attacker, utilizing this flaw, would be able to locally reboot the whole system shutting down the Firewall or AV protection. Although neither the vendor nor Core Security has found a means of exploiting the flaw to execute arbitrary code, it has not been possible to rule this out.

In Sophos AV there is a problem in the arguments validation of 'NtCreateKey' function.

/----------- int __cdecl NtCreateKeyHook(PHANDLE pKeyHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, ULONG TitleIndex,PUNICODE_STRING Class, ULONG CreateOptions, PULONG Disposition)

[...] .text:0001C01C push 4 ; Alignment .text:0001C01E push 18h ; Length .text:0001C020 mov esi, [ebp+ObjectAttributes] .text:0001C023 push esi ; Address .text:0001C024 call ds:ProbeForRead - -----------/

Here it checks for 'ObjectAttributes' to be pointing to a valid address.

/----------- .text:0001C02A mov eax, [esi+OBJECT_ATTRIBUTES.RootDirectory] .text:0001C02D mov [ebp+Handle], eax .text:0001C030 mov esi, [esi+OBJECT_ATTRIBUTES.ObjectName] .text:0001C033 mov [ebp+pUnicodeString], esi - -----------/

Now, it gets from 'OBJECT_ATTRIBUTES' a handle and a pointer to an 'UNICODE_STRING' structure.

/----------- .text:0001C095 push 4 .text:0001C097 push 8 .text:0001C099 push esi .text:0001C09A mov ebx, ds:ProbeForRead .text:0001C0A0 call ebx ; ProbeForRead, it checks the pointer before the dereference.

.text:0001C0A2 mov eax, dword ptr [esi+UNICODE_STRING.Length] .text:0001C0A4 mov dword ptr [ebp+stUnicodeString.Length], eax .text:0001C0A7 mov esi, [esi+UNICODE_STRING.Buffer] ; And gets from the UNICODE_STRING structure ; a pointer to the unicode buffer. .text:0001C0AA mov [ebp+stUnicodeString.Buffer], esi .text:0001C0AD push 2 ; Alignment .text:0001C0AF shr eax, 10h .text:0001C0B2 push eax ; Length .text:0001C0B3 push esi ; Address .text:0001C0B4 call ebx ; ProbeForRead - -----------/

It does the check, but here is the problem

/----------- .text:0001C0B6 push gdwValue .text:0001C0BC lea eax, [ebp+stUnicodeString] .text:0001C0BF push eax .text:0001C0C0 push [ebp+Object] .text:0001C0C3 call sub_1cb40 - -----------/

The problem relies in the function not properly checking the 'Length' field of the 'UNICODE_STRING' structure. When doing the check, 'ProbeForRead' receives the length field of the structure as a parameter without any kind of validation.

So, if we set this field to 0, 'ProbeForRead' will not raise any exception even though we were passing it an invalid address. And it will crash when trying to access to the desired invalid memory.

/----------- sub_1cb40

[...] .text:0001CB5E xor esi, esi .text:0001CB60 mov [ebp+ms_exc.disabled], esi .text:0001CB63 mov edi, [ebp+pUnicodeString] .text:0001CB66 mov eax, [edi+UNICODE_STRING.Buffer] - -----------/

And here is where it will crash:

/----------- .text:0001CB69 cmp word ptr [eax], '\' ; Reference the first pointed byte - -----------/

4) RISING ANTIVIRUS (BID 28744, CVE-2008-1738)

In Rising antivirus the code of the 'NtOpenProcess' hook does not validates if the pointer to the structure

/----------- typedef struct _CLIENT_ID { HANDLE UniqueProcess; HANDLE UniqueThread;} - -----------/

is really pointing to mapped memory. So, when the code tries to dereference the pointer to check the 'CLIENT_ID->UniqueProcess' value, if it is pointing to invalid memory, will crash.

/----------- NtOpenProcess( OUT PHANDLE ProcessHandle, IN ACCESS_MASK AccessMask, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId )

.text:00010EAA push ebp .text:00010EAB mov ebp, esp .text:00010EAD push esi .text:00010EAE mov esi, offset Addend .text:00010EB3 push edi .text:00010EB4 mov ecx, esi ; Addend .text:00010EB6 call ds:InterlockedIncrement .text:00010EBC call PsGetCurrentProcessId .text:00010EC1 cmp eax, dword_11C8C .text:00010EC7 jnz short loc_10ECE .text:00010EC9 .text:00010EC9 loc_10EC9: ; CODE XREF: sub_10EAA+37_j .text:00010EC9 push [ebp+ClientId] .text:00010ECC jmp short loc_10EF0 .text:00010ECE ; -

.text:00010ECE .text:00010ECE loc_10ECE: ; CODE XREF: sub_10EAA+1D_j .text:00010ECE call PsGetCurrentProcessId .text:00010ED3 mov ecx, dword_11C80 .text:00010ED9 push eax .text:00010EDA call sub_11070 .text:00010EDF test al, al .text:00010EE1 jnz short loc_10EC9 .text:00010EE3 call PsGetCurrentProcessId .text:00010EE8 mov edi, [ebp+ClientId] ; Here is the bug, if ClientId is pointing to an invalid address .text:00010EEB cmp eax, [edi] ; it will crash. .text:00010EED jnz short loc_10F0D - -----------/

Report Timeline

. 2008-01-11: Core Security Technologies found a security vulnerability in BitDefender antivirus. 2008-01-14: BitDefender team is contacted by Core. 2008-01-15: BitDefender team asks Core for technical description of the vulnerability. 2008-01-15: Technical details are sent to BitDefender team by Core. 2008-01-22: BitDefender notifies Core that a fix has been produced and the flaw was corrected through automatic updates. 2008-02-04: According to the original schedule, the CORE-2008-0320 advisory would be released at this date, but similar flaws in other antivirus products were discovered by Core exploit writers team. Considering all BitDefender users are patched, Core Security Technologies does not release the advisory and continues the research of this issue in other products. 2008-03-20: Core analyzes similar vulnerabilities in Comodo Firewall, Sophos Antivirus and Rising Antivirus. 2008-03-25: Core notifies the Comodo, Sophos and Rising teams of the vulnerabilities. 2008-03-27: Comodo team asks Core for technical description of the vulnerability. 2008-03-27: Technical details are sent to Comodo team by Core. 2008-03-31: Rising team asks Core for technical description of the vulnerability. 2008-04-01: Technical details are sent to Rising team by Core. 2008-04-02: Rising team inform Core that the flaw has been fixed in the Rising AV 2008 version. 2008-04-02: Sophos team asks Core for technical description of the vulnerability. 2008-04-07: Technical details are sent to Sophos team by Core. 2008-04-11: Sophos team informs that the flaw is found in one of the antivirus drivers, and fixing it will require a reboot for all of Sophos Windows customers. Sophos would like to fix the bug in the next major version (second quarter 2009), in particular considering the fact that they were unable to come up with any practical use of this vulnerability. 2008-04-14: Comodo notifies Core that a fix has been produced. 2008-04-14: Sophos informs Core that they will be able to release a fix to the vulnerability at the end of October 2008. 2008-04-21: Core responds that they will reschedule the publication to April 24th, 2008. Since the vulnerability is not critical, and has been found using publicly available tools, like the other vulnerabilities included in the advisory, Core doesn't see a reason to postpone the publication of the Sophos bug until October 2008. 2008-04-21: Sophos asks Core not to release details of the vulnerability until a fix is available, and not to publish Proof of Concept code. Sophos informs that they do not believe that arbitrary code execution is possible. 2008-04-24: Core responds that the advisory does not contain Proof of Concept code. Core confirms its intention of publishing the advisory, including the technical description, but decides to postpone it to April 28th, to give the participants more time to coordinate the release of public information. 2008-04-25: Sophos provides additional information, included in the "vendor information" section of the advisory. 2008-04-28: CORE-2008-0320 advisory is published.

References

[1] http://www.bitdefender.com [2] http://www.comodo.com [3] http://www.sophos.com [4] http://www.rising-global.com [5] http://www.matousec.com/downloads [6] http://www.matousec.com/info/articles/plague-in-security-software-drivers.php

About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.

About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

Disclaimer

The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

GPG/PGP Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIFj4WyNibggitWa0RAkUcAJ9yUGXQQV5ZQ1J0R2U+MSTMRuHa4wCgkXh1 UGe5qGGTXrCSFfFX3JH6ovE= =3mt3 -----END PGP SIGNATURE-----

Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200804-0396",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "personal firewall",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "comodo",
        "version": "2.4"
      },
      {
        "model": "personal firewall",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "comodo",
        "version": "3.0"
      },
      {
        "model": "personal firewall",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "comodo",
        "version": "pro"
      },
      {
        "model": "personal firewall",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "comodo",
        "version": "2.4"
      },
      {
        "model": "firewall pro",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "comodo",
        "version": "2.4.18.184"
      },
      {
        "model": "firewall pro",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "comodo",
        "version": "3.0"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "28742"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-002935"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-1736"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200804-424"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:comodo:comodo_personal_firewall:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.4",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2008-1736"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Core Security",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200804-424"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2008-1736",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.2,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 3.9,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": true,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Local",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 7.2,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "CVE-2008-1736",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.2,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 3.9,
            "id": "VHN-31861",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:L/AC:L/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2008-1736",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200804-424",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-31861",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-31861"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-002935"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-1736"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200804-424"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Comodo Firewall Pro before 3.0 does not properly validate certain parameters to hooked System Service Descriptor Table (SSDT) functions, which allows local users to cause a denial of service (system crash) via (1) a crafted OBJECT_ATTRIBUTES structure in a call to the NtDeleteFile function, which leads to improper validation of a ZwQueryObject result; and unspecified calls to the (2) NtCreateFile and (3) NtSetThreadContext functions, different vectors than CVE-2007-0709. This vulnerability CVE-2007-0709 Is a different vulnerability.Service disruption by local users via: ( System crash ) There is a possibility of being put into a state. (1) NtDeleteFile Crafted in a call to a function OBJECT_ATTRIBUTES Through the structure ZwQueryObject Trigger improper validation of results (2) NtCreateFile Call to function (3) NtSetThreadContext Call to function. Comodo Firewall Pro is prone to multiple local vulnerabilities. Attackers might also be able to gain elevated privileges by executing arbitrary machine code in the context of the kernel, but this has not been confirmed. \nComodo Firewall Pro 2.4.18.184 is vulnerable; other versions may also be affected. The NtDeleteFile, NtCreateFile, and NtSetThreadContext functions of the Comodo firewall do not validate parameters correctly. \u2026 . ----------------------------------------------------------------------\n\nSecunia Network Software Inspector 2.0 (NSI) - Public Beta\n\nThe Public Beta has ended. Thanks to all that participated. These\ncan be exploited to cause a DoS by calling the affected functions with\nspecially crafted arguments. \n\nThe vulnerabilities are reported in version 2.4.18.184. \n\nSOLUTION:\nUpgrade to version 3.0. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n\n      Core Security Technologies - CoreLabs Advisory\n           http://www.coresecurity.com/corelabs/\n\n Insufficient argument validation of hooked SSDT functions on\n             multiple Antivirus and Firewalls\n\n\n*Advisory Information*\n\nTitle: Insufficient argument validation of hooked SSDT functions on\nmultiple Antivirus and Firewalls\nAdvisory ID: CORE-2008-0320\nAdvisory URL: http://www.coresecurity.com/?action=item\u0026id=2249\nDate published: 2008-04-28\nDate of last update: 2008-04-28\nVendors contacted: BitDefender, Comodo, Sophos and Rising\nRelease mode: Coordinated release (BitDefender, Comodo, Rising), User\nrelease (Sophos)\n\n\n*Vulnerability Information*\n\nClass: Invalid memory reference\nRemotely Exploitable: No\nLocally Exploitable: Yes\nBugtraq ID: 28741, 28742, 28743, 28744\t\nCVE Name: CVE-2008-1735, CVE-2008-1736, CVE-2008-1737, CVE-2008-1738\t\n\n\n*Vulnerability Description*\n\nInsufficient argument validation of hooked SSDT functions on multiple\nAntivirus and Firewalls (BitDefender Antivirus [1], Comodo Firewall [2],\nSophos Antivirus [3] and Rising Antivirus [4]) have been found that\ncould lead to a Denial of Service (DoS) and possibly to code execution\nattacks. An attacker, utilizing these flaws, could be able to locally\nreboot the whole system shutting down the firewall or anti-virus\nprotection. \n\n\n*Vulnerable Packages*\n\n. BitDefender Antivirus 2008 Build 11.0.11\n. Sophos Antivirus 7.0.5\n. Rising Antivirus 19.60.0.0 and 19.66.0.0\n. Older versions may be affected, but were not checked. \n\n\n*Non-vulnerable Packages*\n\n. BitDefender Antivirus 2008 builds available through automatic updates,\nposterior to January 18th. Rising Antivirus 20.38.20\n\n\n*Vendor Information, Solutions and Workarounds*\n\n1) BITDEFENDER ANTIVIRUS (BID 28741, CVE-2008-1735)\n\nAccording to BitDefender, the flaw was not exploited by any malicious\napplication, and it was corrected through automatic updates. Information\non this issue can be found on BitDefender website at this location:\nhttp://kb.bitdefender.com/KB419-en--Security-vulnerability-in-BitDefender-2008.html. \n\nNon-vulnerable products from Sophos are earlier versions of Sophos\nAnti-Virus for Windows, Sophos Anti-Virus for non-Windows platforms and\nall other Sophos products. \n\nThe vulnerability is only exploitable if Runtime Behavioural Analysis is\nswitched on. Even then the exploit will only be effective if the end\nuser is using security settings that are lower than the defaults for\nmost web browsers today, or if the end user agrees to activate an\nActiveX or Java Applet from the webpage hosting the exploit. \n\nWorkarounds to avoid this vulnerability include:\n\na. Using the default security settings or higher on the latest version\nof your chosen web browser. In line with general security best practice\nwe would also encourage end users not to download ActiveX or Java\nApplets unless confident about their content. \n\nb. Turning off the Runtime Behavioural Analysis functionality within\nSophos Anti-Virus (customers will still benefit from Sophos Behavioural\nGenotype protection and other means of protecting endpoints against\nmalware). \n\nN.B. Should an exploit be released into the wild, Sophos will deploy\nprotection against that exploit. \n\nThe fix for this vulnerability requires customers to reboot their\nendpoints. Given the low severity of the vulnerability, to minimise\ndisruption to our customers Sophos will release the fix at the earliest\nopportunity that coincides with a necessary reboot of the product.\"\n\n\n4) RISING ANTIVIRUS (BID 28744, CVE-2008-1738)\n\nA fixed version of Rising Antivirus can be downloaded from:\nhttp://rsdownload.rising.com.cn/for_down/rsfree/ravolusrfree.exe\n\nAll Rising customers can also update up to a patched version through\nautomatic updates. \n\n\n*Credits*\n\nThese vulnerabilities (except the Rising one) were discovered by Damian\nSaura, Anibal Sacco, Dario Menichelli, Norberto Kueffner, Andres Blanco\ny Rodrigo Carvalho from Core Security Technologies, during Bugweek 2007. \nThe Rising vulnerability was discovered by Anibal Sacco from Core\nSecurity Technologies exploit writers team. \n\nThese vulnerabilities were researched by Anibal Sacco and Damian Saura\nfrom Core Security Technologies. \n\n\n*Technical Description / Proof of Concept Code*\n\nWe have found that BitDefender Antivirus, Rising Antivirus, Comodo\nFirewall and Sophos Antivirus have hooks that do not properly validate\nthe arguments of the hooked functions before accessing them, and lead to\nthe program trying to reference some invalid memory, leading in some\nscenarios to a BSOD (Blue Screen of Death). \n\nIn our tests we used the kernel hooks probing tool BSODhook [5] in order\nto find any kind of insufficient argument validation of hooked SSDT\nfunctions. From Matousec paper [6]:\n\n\"Hooking kernel functions by modifying the System Service Descriptor\nTable (SSDT) is a very popular method of implementation of additional\nsecurity features and is used frequently by personal firewalls and other\nsecurity and low-level software. Although undocumented and despised by\nMicrosoft, this technique can be implemented in a correct and stable\nway. However, many software vendors do not follow the rules and\nrecommendations for kernel-mode code writing and many drivers that\nimplement SSDT hooking do not properly validate the parameters of the\nhooking functions.\"\n\n\"Hooking SSDT functions requires extra caution. SSDT function handlers\nare executed in the kernel mode but their callers are executed in the\nuser mode. Hence all function arguments come from the user mode. This is\nwhy it is necessary to validate these arguments properly. Otherwise a\nsimple user call can easily crash the whole system. This bug usually\nresults in a system crash. However, it may happen that this bug is even\nmore dangerous and may lead to the execution of an arbitrary code in the\nprivileged kernel mode.\"\n\nA local DoS attack, despite not being a very sophisticated intrusion\nattack, could be used as an accessory under several scenarios. It is\ncommonly used by viruses as added feature, when the specific AV is\ndetected on the infected machine, crashing the system just to annoy. Or\nby a human attacker, after a succesful remote intrusion with\nunprivileged credentials to make a computer resource unavailable to its\nintended users. Besides, this could be a very valuable resource when\ntrying to fake some service that answers broadcasts request like a DHCP,\nallowing to start the service in another location replacing the original\none. \n\n\n1) BITDEFENDER ANTIVIRUS (BID 28741, CVE-2008-1735)\n\nBitDefender fails to validate the pointer to the \u0027CLIENT_ID\u0027 structure\nprovided to \u0027NtOpenProcess\u0027. So, if we pass an invalid pointer, we will\ncrash the whole system. \n\n/-----------\nNtOpenProcess(PHANDLE ProcessHandle,\nACCESS_MASK AccessMask,\nPOBJECT_ATTRIBUTES ObjectAttributes,\nPCLIENT_ID ClientId )\n\n.text:00010ADE  push    0Ch\n.text:00010AE0  push    offset stru_114E8\n.text:00010AE5  call    __SEH_prolog\n.text:00010AEA  call    KeGetCurrentThread\n.text:00010AEF  xor     ebx, ebx\n.text:00010AF1  cmp     [eax+140h], bl\n.text:00010AF7  jz      short loc_10B0D\n.text:00010AF9  call    PsGetCurrentProcessId\n.text:00010AFE  call    PsGetCurrentProcessId\n.text:00010B03  push    eax\n.text:00010B04  call    sub_10724\n.text:00010B09  test    eax, eax\n.text:00010B0B  jnz     short loc_10B12\n.text:00010B0D\n.text:00010B0D loc_10B0D:                   ; CODE XREF: sub_10ADE+19_j\n.text:00010B0D  push    [ebp+ClientId]\n.text:00010B10  jmp     short loc_10B73\n.text:00010B12 ;\n-\n---------------------------------------------------------------------------\n.text:00010B12\n.text:00010B12 loc_10B12:                   ; CODE XREF: sub_10ADE+2D_j\n.text:00010B12  mov     edi, [ebp+ClientId]\n.text:00010B15  cmp     edi, ebx            ; Little check to avoid a\nNull Pointer\n- -----------/\n\nHere it gets the pointer to the \u0027ClientId\u0027 value, and if it is non zero\n(\u0027!= 0\u0027) it does not care where it is pointing to. \n\n/-----------\n.text:00010B17  jnz     short loc_10B1C\n.text:00010B19  push    ebx\n.text:00010B1A  jmp     short loc_10B73\n.text:00010B1C ;\n-\n---------------------------------------------------------------------------\n.text:00010B1C\n.text:00010B1C loc_10B1C:                   ; CODE XREF: sub_10ADE+39_j\n.text:00010B1C  mov     [ebp+ms_exc.disabled], ebx\n.text:00010B1F  mov     esi, [edi]          ; Here it crashes\n- -----------/\n\nIt access to that memory, and if that is invalid memory the system will\ncrash. \n\n/-----------\n.text:00010B21                 mov     [ebp+var_1C], esi\n.text:00010B24                 or      [ebp+ms_exc.disabled], 0FFFFFFFFh\n.text:00010B28                 jmp     short loc_10B3B\n.text:00010B28 sub_10ADE       endp\n- -----------/\n\n\n2) COMODO FIREWALL PRO (BID 28742, CVE-2008-1736)\n\nIn Comodo there are problems in the arguments validation of\n\u0027NtDeleteFile\u0027, \u0027NtCreateFile\u0027 and \u0027NtSetThreadContext\u0027 functions. \n\u0027NtDeleteFile\u0027 receives just one parameter, a pointer to an\n\u0027OBJECT_ATTRIBUTES\u0027 structure. These attributes would include the\n\u0027ObjectName\u0027 and the \u0027SECURITY_DESCRIPTOR\u0027, for example. This is the\nhook placed by Comodo at \u0027NtDeleteFile\u0027. \n\n/-----------\nNTDeleteFile (POBJECT_ATTRIBUTES ObjectAttributes)\n\n.text:0001ACB0  push    1Ch\n.text:0001ACB2  push    offset stru_1E3F0\n.text:0001ACB7  call    __SEH_prolog\n.text:0001ACBC  xor     ebx, ebx\n.text:0001ACBE  inc     ebx\n.text:0001ACBF  mov     [ebp+var_1C], ebx\n.text:0001ACC2  xor     esi, esi\n.text:0001ACC4  mov     [ebp+var_24], esi\n.text:0001ACC7  mov     [ebp+var_20], ebx\n.text:0001ACCA  mov     [ebp+var_28], esi\n.text:0001ACCD  mov     [ebp+ms_exc.disabled], esi\n.text:0001ACD0  call    ds:ExGetPreviousMode\n.text:0001ACD6  mov     edi, [ebp+ObjectAttributes]\n- -----------/\n\nHere it does a lot of \u0027ProbeForRead\u0027 checks to see if the pointers of\nthe structure are valid. Nice! (\u0027EDI\u0027 still has a pointer to the\n\u0027OBJECT_ATTRIBUTES\u0027 structure)\n\n/-----------\n.... \n\nsub_1A692\n.text:0001A692  push    28h\n.text:0001A694  push    offset stru_1E3C0\n.text:0001A699  call    __SEH_prolog\n.text:0001A69E  xor     edi, edi\n.... \n.text:0001A6B3  mov     [ebp+ms_exc.disabled], edi\n.text:0001A6B6  push    72747052h       ; Tag\n.text:0001A6BB  mov     ebx, 400h\n.text:0001A6C0  push    ebx             ; NumberOfBytes\n.text:0001A6C1  push    1               ; PoolType\n.text:0001A6C3  call    ds:ExAllocatePoolWithTag  ; Allocates memory to\nhold the data retrieved by ZwQueryObject\n.text:0001A6C9  mov     esi, eax\n.text:0001A6CB  mov     [ebp+var_28], esi\n.text:0001A6CE  cmp     esi, edi\n.text:0001A6D0  jz      short loc_1A74F\n\n.text:0001A6D2  mov     edi, [ebp+ObjectAttributes]\n.text:0001A6D5  mov     eax, [edi+OBJECT_ATTRIBUTES.RootDirectory] ;\nHere, the code retrieves the RootDirectory\u0027s field value from the\nstructure, controled by us. \n.text:0001A6D8  test    eax, eax\n.text:0001A6DA  jz      short loc_1A71B\n\n.text:0001A6DC  push    0               ; ReturnLength\n.text:0001A6DE  push    ebx             ; ObjectInformationLength\n.text:0001A6DF  push    esi             ; ObjectInformation\n; buffer where ZwQueryObject will put the object information\n\n.text:0001A6E0  push    1               ; ObjectInformationClass\n; Specifies an OBJECT_INFORMATION_CLASS value that determines the type\n; of information returned in the ObjectInformation buffer. It\u0027s using\n; an undocumented type (OBJECT_NAME_INFORMATION) which returns an\nUNICODE_STRING structure\n.text:0001A6E2  push    eax             ; ObjectHandle\n; Now, the user-controlled handle \u0027ll be used here to identify the\nobject by ZwQueryObject,\n.text:0001A6E3  call    ds:ZwQueryObject\n.text:0001A6E9  mov     [ebp+var_20], eax\n.text:0001A6EC  test    eax, eax\n.text:0001A6EE  jl      short loc_1A746\n- -----------/\n\nHere is where the problem shows up. The code does not properly validates\nthe data retrieved by \u0027ZwQueryObject\u0027, expecting an \u0027UNICODE_STRING\u0027\nstructure. But it is possible to make multiple calls to the function\nusing different handlers to obtain a null structure crashing the system\nwhen the code tries to dereference its \u0027Buffer\u0027 field. \n\n/-----------\n.text:0001A6F0  movzx   eax, [esi+UNICODE_STRING.Length]\n.text:0001A6F3  shr     eax, 1\n.text:0001A6F5  mov     ecx, [esi+UNICODE_STRING.Buffer]\n.text:0001A6F8  movzx   eax, word ptr [ecx+eax*2-2] ; Here is the problem\n.text:0001A6FD  mov     [ebp+var_30], eax\n.text:0001A700  cmp     ax, 5Ch\n.text:0001A704  jz      short loc_1A725\n- -----------/\n\n\n3) SOPHOS ANTIVIRUS (BID 28743, CVE-2008-1737)\n\nInsufficient argument validation of hooked SSDT functions on Sophos lead\nto a DoS. An attacker, utilizing this flaw, would be able to locally\nreboot the whole system shutting down the Firewall or AV protection. \nAlthough neither the vendor nor Core Security has found a means of\nexploiting the flaw to execute arbitrary code, it has not been possible\nto rule this out. \n\nIn Sophos AV there is a problem in the arguments validation of\n\u0027NtCreateKey\u0027 function. \n\n/-----------\nint __cdecl NtCreateKeyHook(PHANDLE pKeyHandle,\nACCESS_MASK DesiredAccess,\nPOBJECT_ATTRIBUTES ObjectAttributes,\nULONG TitleIndex,PUNICODE_STRING Class,\nULONG CreateOptions,\nPULONG Disposition)\n\n[...]\n.text:0001C01C  push    4               ; Alignment\n.text:0001C01E  push    18h             ; Length\n.text:0001C020  mov     esi, [ebp+ObjectAttributes]\n.text:0001C023  push    esi             ; Address\n.text:0001C024  call    ds:ProbeForRead\n- -----------/\n\nHere it checks for \u0027ObjectAttributes\u0027 to be pointing to a valid address. \n\n/-----------\n.text:0001C02A  mov     eax, [esi+OBJECT_ATTRIBUTES.RootDirectory]\n.text:0001C02D  mov     [ebp+Handle], eax\n.text:0001C030  mov     esi, [esi+OBJECT_ATTRIBUTES.ObjectName]\n.text:0001C033  mov     [ebp+pUnicodeString], esi\n- -----------/\n\nNow, it gets from \u0027OBJECT_ATTRIBUTES\u0027 a handle and a pointer to an\n\u0027UNICODE_STRING\u0027 structure. \n\n/-----------\n.text:0001C095  push    4\n.text:0001C097  push    8\n.text:0001C099  push    esi\n.text:0001C09A  mov     ebx, ds:ProbeForRead\n.text:0001C0A0  call    ebx             ; ProbeForRead, it checks the\npointer before the dereference. \n\n.text:0001C0A2  mov     eax, dword ptr [esi+UNICODE_STRING.Length]\n.text:0001C0A4  mov     dword ptr [ebp+stUnicodeString.Length], eax\n.text:0001C0A7  mov     esi, [esi+UNICODE_STRING.Buffer]   ; And gets\nfrom the UNICODE_STRING structure\n; a pointer to the unicode buffer. \n.text:0001C0AA  mov     [ebp+stUnicodeString.Buffer], esi\n.text:0001C0AD  push    2               ; Alignment\n.text:0001C0AF  shr     eax, 10h\n.text:0001C0B2  push    eax             ; Length\n.text:0001C0B3  push    esi             ; Address\n.text:0001C0B4  call    ebx             ; ProbeForRead\n- -----------/\n\nIt does the check, but here is the problem\n\n/-----------\n.text:0001C0B6  push    gdwValue\n.text:0001C0BC  lea     eax, [ebp+stUnicodeString]\n.text:0001C0BF  push    eax\n.text:0001C0C0  push    [ebp+Object]\n.text:0001C0C3  call    sub_1cb40\n- -----------/\n\nThe problem relies in the function not properly checking the \u0027Length\u0027\nfield of the \u0027UNICODE_STRING\u0027 structure. When doing the check,\n\u0027ProbeForRead\u0027 receives the length field of the structure as a parameter\nwithout any kind of validation. \n\nSo, if we set this field to 0, \u0027ProbeForRead\u0027 will not raise any\nexception even though we were passing it an invalid address. And it will\ncrash when trying to access to the desired invalid memory. \n\n/-----------\nsub_1cb40\n\n[...]\n.text:0001CB5E  xor     esi, esi\n.text:0001CB60  mov     [ebp+ms_exc.disabled], esi\n.text:0001CB63  mov     edi, [ebp+pUnicodeString]\n.text:0001CB66  mov     eax, [edi+UNICODE_STRING.Buffer]\n- -----------/\n\nAnd here is where it will crash:\n\n/-----------\n.text:0001CB69  cmp     word ptr [eax], \u0027\\\u0027  ; Reference the first\npointed byte\n- -----------/\n\n\n4) RISING ANTIVIRUS (BID 28744, CVE-2008-1738)\n\nIn Rising antivirus the code of the \u0027NtOpenProcess\u0027 hook does not\nvalidates if the pointer to the structure\n\n/-----------\ntypedef struct _CLIENT_ID {\nHANDLE  UniqueProcess;\nHANDLE  UniqueThread;}\n- -----------/\n\nis really pointing to mapped memory. So, when the code tries to\ndereference the pointer to check the \u0027CLIENT_ID-\u003eUniqueProcess\u0027 value,\nif it is pointing to invalid memory, will crash. \n\n/-----------\nNtOpenProcess( OUT PHANDLE ProcessHandle,\nIN ACCESS_MASK AccessMask,\nIN POBJECT_ATTRIBUTES ObjectAttributes,\nIN PCLIENT_ID ClientId )\n\n.text:00010EAA  push    ebp\n.text:00010EAB  mov     ebp, esp\n.text:00010EAD  push    esi\n.text:00010EAE  mov     esi, offset Addend\n.text:00010EB3  push    edi\n.text:00010EB4  mov     ecx, esi            ; Addend\n.text:00010EB6  call    ds:InterlockedIncrement\n.text:00010EBC  call    PsGetCurrentProcessId\n.text:00010EC1  cmp     eax, dword_11C8C\n.text:00010EC7  jnz     short loc_10ECE\n.text:00010EC9\n.text:00010EC9 loc_10EC9:                   ; CODE XREF: sub_10EAA+37_j\n.text:00010EC9  push    [ebp+ClientId]\n.text:00010ECC  jmp     short loc_10EF0\n.text:00010ECE ;\n-\n---------------------------------------------------------------------------\n.text:00010ECE\n.text:00010ECE loc_10ECE:                   ; CODE XREF: sub_10EAA+1D_j\n.text:00010ECE  call    PsGetCurrentProcessId\n.text:00010ED3  mov     ecx, dword_11C80\n.text:00010ED9  push    eax\n.text:00010EDA  call    sub_11070\n.text:00010EDF  test    al, al\n.text:00010EE1  jnz     short loc_10EC9\n.text:00010EE3  call    PsGetCurrentProcessId\n.text:00010EE8  mov     edi, [ebp+ClientId] ; Here is the bug, if\nClientId is pointing to an invalid address\n.text:00010EEB  cmp     eax, [edi]\t        ; it will crash. \n.text:00010EED  jnz     short loc_10F0D\n- -----------/\n\n\n*Report Timeline*\n\n. 2008-01-11: Core Security Technologies found a security vulnerability\nin BitDefender antivirus. 2008-01-14: BitDefender team is contacted by Core. 2008-01-15: BitDefender team asks Core for technical description of\nthe vulnerability. 2008-01-15: Technical details are sent to BitDefender team by Core. 2008-01-22: BitDefender notifies Core that a fix has been produced and\nthe flaw was corrected through automatic updates. 2008-02-04: According to the original schedule, the CORE-2008-0320\nadvisory would be released at this date, but similar flaws in other\nantivirus products were discovered by Core exploit writers team. \nConsidering all BitDefender users are patched, Core Security\nTechnologies does not release the advisory and continues the research of\nthis issue in other products. 2008-03-20: Core analyzes similar vulnerabilities in Comodo Firewall,\nSophos Antivirus and Rising Antivirus. 2008-03-25: Core notifies the Comodo, Sophos and Rising teams of the\nvulnerabilities. 2008-03-27: Comodo team asks Core for technical description of the\nvulnerability. 2008-03-27: Technical details are sent to Comodo team by Core. 2008-03-31: Rising team asks Core for technical description of the\nvulnerability. 2008-04-01: Technical details are sent to Rising team by Core. 2008-04-02: Rising team inform Core that the flaw has been fixed in\nthe Rising AV 2008 version. 2008-04-02: Sophos team asks Core for technical description of the\nvulnerability. 2008-04-07: Technical details are sent to Sophos team by Core. 2008-04-11: Sophos team informs that the flaw is found in one of the\nantivirus drivers, and fixing it will require a reboot for all of Sophos\nWindows customers. Sophos would like to fix the bug in the next major\nversion (second quarter 2009), in particular considering the fact that\nthey were unable to come up with any practical use of this vulnerability. 2008-04-14: Comodo notifies Core that a fix has been produced. 2008-04-14: Sophos informs Core that they will be able to release a\nfix to the vulnerability at the end of October 2008. 2008-04-21: Core responds that they will reschedule the publication to\nApril 24th, 2008. Since the vulnerability is not critical, and has been\nfound using publicly available tools, like the other vulnerabilities\nincluded in the advisory, Core doesn\u0027t see a reason to postpone the\npublication of the Sophos bug until October 2008. 2008-04-21: Sophos asks Core not to release details of the\nvulnerability until a fix is available, and not to publish Proof of\nConcept code. Sophos informs that they do not believe that arbitrary\ncode execution is possible. 2008-04-24: Core responds that the advisory does not contain Proof of\nConcept code. Core confirms its intention of publishing the advisory,\nincluding the technical description, but decides to postpone it to April\n28th, to give the participants more time to coordinate the release of\npublic information. 2008-04-25: Sophos provides additional information, included in the\n\"vendor information\" section of the advisory. 2008-04-28: CORE-2008-0320 advisory is published. \n\n\n*References*\n\n[1] http://www.bitdefender.com\n[2] http://www.comodo.com\n[3] http://www.sophos.com\n[4] http://www.rising-global.com\n[5] http://www.matousec.com/downloads\n[6]\nhttp://www.matousec.com/info/articles/plague-in-security-software-drivers.php\n\n\n*About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://www.coresecurity.com/corelabs/. \n\n\n*About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company\u0027s flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\nhttp://www.coresecurity.com. \n\n\n*Disclaimer*\n\nThe contents of this advisory are copyright (c) 2008 Core Security\nTechnologies and (c) 2008 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given. \n\n\n*GPG/PGP Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.7 (MingW32)\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\n\niD8DBQFIFj4WyNibggitWa0RAkUcAJ9yUGXQQV5ZQ1J0R2U+MSTMRuHa4wCgkXh1\nUGe5qGGTXrCSFfFX3JH6ovE=\n=3mt3\n-----END PGP SIGNATURE-----\n\n_______________________________________________\nFull-Disclosure - We believe in it. \nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\nHosted and sponsored by Secunia - http://secunia.com/\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2008-1736"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-002935"
      },
      {
        "db": "BID",
        "id": "28742"
      },
      {
        "db": "VULHUB",
        "id": "VHN-31861"
      },
      {
        "db": "PACKETSTORM",
        "id": "66234"
      },
      {
        "db": "PACKETSTORM",
        "id": "65911"
      }
    ],
    "trust": 2.16
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2008-1736",
        "trust": 2.9
      },
      {
        "db": "BID",
        "id": "28742",
        "trust": 2.0
      },
      {
        "db": "SECUNIA",
        "id": "30006",
        "trust": 1.8
      },
      {
        "db": "VUPEN",
        "id": "ADV-2008-1383",
        "trust": 1.7
      },
      {
        "db": "SECTRACK",
        "id": "1019944",
        "trust": 1.7
      },
      {
        "db": "SREASON",
        "id": "3838",
        "trust": 1.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-002935",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200804-424",
        "trust": 0.7
      },
      {
        "db": "XF",
        "id": "42082",
        "trust": 0.6
      },
      {
        "db": "BUGTRAQ",
        "id": "20080428 CORE-2008-0320 - INSUFFICIENT ARGUMENT VALIDATION OF HOOKED SSDT FUNCTIONS ON MULTIPLE ANTIVIRUS AND FIREWALLS",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-31861",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "66234",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "65911",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-31861"
      },
      {
        "db": "BID",
        "id": "28742"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-002935"
      },
      {
        "db": "PACKETSTORM",
        "id": "66234"
      },
      {
        "db": "PACKETSTORM",
        "id": "65911"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-1736"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200804-424"
      }
    ]
  },
  "id": "VAR-200804-0396",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-31861"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T13:10:13.498000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "http://personalfirewall.comodo.com/"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-002935"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-Other",
        "trust": 1.0
      },
      {
        "problemtype": "CWE-DesignError",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-002935"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-1736"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.0,
        "url": "http://www.coresecurity.com/?action=item\u0026id=2249"
      },
      {
        "trust": 1.7,
        "url": "http://www.securityfocus.com/bid/28742"
      },
      {
        "trust": 1.7,
        "url": "http://www.personalfirewall.comodo.com/release_notes.html"
      },
      {
        "trust": 1.7,
        "url": "http://securitytracker.com/id?1019944"
      },
      {
        "trust": 1.7,
        "url": "http://secunia.com/advisories/30006"
      },
      {
        "trust": 1.7,
        "url": "http://securityreason.com/securityalert/3838"
      },
      {
        "trust": 1.1,
        "url": "http://www.securityfocus.com/archive/1/491405/100/0/threaded"
      },
      {
        "trust": 1.1,
        "url": "http://www.vupen.com/english/advisories/2008/1383"
      },
      {
        "trust": 1.1,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42082"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-1736"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-1736"
      },
      {
        "trust": 0.6,
        "url": "http://xforce.iss.net/xforce/xfdb/42082"
      },
      {
        "trust": 0.6,
        "url": "http://www.securityfocus.com/archive/1/archive/1/491405/100/0/threaded"
      },
      {
        "trust": 0.6,
        "url": "http://www.frsirt.com/english/advisories/2008/1383"
      },
      {
        "trust": 0.3,
        "url": "http://www.comodo.com/"
      },
      {
        "trust": 0.2,
        "url": "http://www.personalfirewall.comodo.com/download_firewall.html"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/?action=item\u0026amp;id=2249"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/product/14060/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/secunia_security_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/30006/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/network_software_inspector_2/"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/index.php5?module=contentmod\u0026action=item\u0026id=2249"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/about_secunia_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com."
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2008-1736"
      },
      {
        "trust": 0.1,
        "url": "http://www.comodo.com"
      },
      {
        "trust": 0.1,
        "url": "http://www.matousec.com/info/articles/plague-in-security-software-drivers.php"
      },
      {
        "trust": 0.1,
        "url": "http://enigmail.mozdev.org"
      },
      {
        "trust": 0.1,
        "url": "http://www.bitdefender.com"
      },
      {
        "trust": 0.1,
        "url": "http://lists.grok.org.uk/full-disclosure-charter.html"
      },
      {
        "trust": 0.1,
        "url": "http://rsdownload.rising.com.cn/for_down/rsfree/ravolusrfree.exe"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2008-1738"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/corelabs/"
      },
      {
        "trust": 0.1,
        "url": "http://kb.bitdefender.com/kb419-en--security-vulnerability-in-bitdefender-2008.html."
      },
      {
        "trust": 0.1,
        "url": "http://www.sophos.com"
      },
      {
        "trust": 0.1,
        "url": "http://www.matousec.com/downloads"
      },
      {
        "trust": 0.1,
        "url": "http://www.rising-global.com"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2008-1735"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2008-1737"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/corelabs/."
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-31861"
      },
      {
        "db": "BID",
        "id": "28742"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-002935"
      },
      {
        "db": "PACKETSTORM",
        "id": "66234"
      },
      {
        "db": "PACKETSTORM",
        "id": "65911"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-1736"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200804-424"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-31861"
      },
      {
        "db": "BID",
        "id": "28742"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-002935"
      },
      {
        "db": "PACKETSTORM",
        "id": "66234"
      },
      {
        "db": "PACKETSTORM",
        "id": "65911"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-1736"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200804-424"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2008-04-30T00:00:00",
        "db": "VULHUB",
        "id": "VHN-31861"
      },
      {
        "date": "2008-04-28T00:00:00",
        "db": "BID",
        "id": "28742"
      },
      {
        "date": "2012-06-26T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2008-002935"
      },
      {
        "date": "2008-05-12T14:06:04",
        "db": "PACKETSTORM",
        "id": "66234"
      },
      {
        "date": "2008-04-28T22:43:55",
        "db": "PACKETSTORM",
        "id": "65911"
      },
      {
        "date": "2008-04-30T00:10:00",
        "db": "NVD",
        "id": "CVE-2008-1736"
      },
      {
        "date": "2008-04-29T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200804-424"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-10-11T00:00:00",
        "db": "VULHUB",
        "id": "VHN-31861"
      },
      {
        "date": "2008-04-29T01:26:00",
        "db": "BID",
        "id": "28742"
      },
      {
        "date": "2012-06-26T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2008-002935"
      },
      {
        "date": "2018-10-11T20:36:42.400000",
        "db": "NVD",
        "id": "CVE-2008-1736"
      },
      {
        "date": "2009-01-29T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200804-424"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "BID",
        "id": "28742"
      },
      {
        "db": "PACKETSTORM",
        "id": "66234"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200804-424"
      }
    ],
    "trust": 1.0
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Comodo Firewall Pro Service disruption in  (DoS) Vulnerabilities",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-002935"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Design Error",
    "sources": [
      {
        "db": "BID",
        "id": "28742"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200804-424"
      }
    ],
    "trust": 0.9
  }
}

FKIE_CVE-2008-1736

Vulnerability from fkie_nvd - Published: 2008-04-30 00:10 - Updated: 2025-04-09 00:30

Severity ?

Summary

References

URL	Tags
cve@mitre.org	http://secunia.com/advisories/30006	Vendor Advisory
cve@mitre.org	http://securityreason.com/securityalert/3838
cve@mitre.org	http://securitytracker.com/id?1019944
cve@mitre.org	http://www.coresecurity.com/?action=item&id=2249
cve@mitre.org	http://www.personalfirewall.comodo.com/release_notes.html
cve@mitre.org	http://www.securityfocus.com/archive/1/491405/100/0/threaded
cve@mitre.org	http://www.securityfocus.com/bid/28742	Patch
cve@mitre.org	http://www.vupen.com/english/advisories/2008/1383
cve@mitre.org	https://exchange.xforce.ibmcloud.com/vulnerabilities/42082
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/30006	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://securityreason.com/securityalert/3838
af854a3a-2127-422b-91ae-364da2661108	http://securitytracker.com/id?1019944
af854a3a-2127-422b-91ae-364da2661108	http://www.coresecurity.com/?action=item&id=2249
af854a3a-2127-422b-91ae-364da2661108	http://www.personalfirewall.comodo.com/release_notes.html
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/491405/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/28742	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2008/1383
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/42082

Impacted products

	Vendor	Product	Version
	comodo	comodo_personal_firewall	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:comodo:comodo_personal_firewall:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BFD97FB7-EB99-4422-82FF-796EDB70C05F",
              "versionEndIncluding": "2.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Comodo Firewall Pro before 3.0 does not properly validate certain parameters to hooked System Service Descriptor Table (SSDT) functions, which allows local users to cause a denial of service (system crash) via (1) a crafted OBJECT_ATTRIBUTES structure in a call to the NtDeleteFile function, which leads to improper validation of a ZwQueryObject result; and unspecified calls to the (2) NtCreateFile and (3) NtSetThreadContext functions, different vectors than CVE-2007-0709."
    },
    {
      "lang": "es",
      "value": "Comodo Firewall Pro anterior a 3.0 no valida adecuadamente algunos par\u00e1metros que enganchan con las funciones de la Tabla de Descriptores de Servicios del Sistema (SSDT), lo que permite  a usuarios locales producir una denegaci\u00f3n de servicio (ca\u00edda del sistema) mediante (1) una estructura OBJECT_ATTRIBUTES manipulada en una llamada a la funci\u00f3n NtDeleteFile, lo que conduce a una validaci\u00f3n incorrecta de un resultado ZwQueryObject; y llamadas no especificadas a las funciones (2) NtCreateFile y (3) NtSetThreadContext, diferentes vectores que en CVE-2007-0709"
    }
  ],
  "id": "CVE-2008-1736",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 7.2,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 10.0,
        "obtainAllPrivilege": true,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2008-04-30T00:10:00.000",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/30006"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://securityreason.com/securityalert/3838"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://securitytracker.com/id?1019944"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.coresecurity.com/?action=item\u0026id=2249"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.personalfirewall.comodo.com/release_notes.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/491405/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://www.securityfocus.com/bid/28742"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.vupen.com/english/advisories/2008/1383"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42082"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/30006"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://securityreason.com/securityalert/3838"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://securitytracker.com/id?1019944"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.coresecurity.com/?action=item\u0026id=2249"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.personalfirewall.comodo.com/release_notes.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/491405/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.securityfocus.com/bid/28742"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.vupen.com/english/advisories/2008/1383"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42082"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-XWMV-W8FF-6VR2

Vulnerability from github – Published: 2022-05-01 23:42 – Updated: 2022-05-01 23:42

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2008-1736"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-04-30T00:10:00Z",
    "severity": "HIGH"
  },
  "details": "Comodo Firewall Pro before 3.0 does not properly validate certain parameters to hooked System Service Descriptor Table (SSDT) functions, which allows local users to cause a denial of service (system crash) via (1) a crafted OBJECT_ATTRIBUTES structure in a call to the NtDeleteFile function, which leads to improper validation of a ZwQueryObject result; and unspecified calls to the (2) NtCreateFile and (3) NtSetThreadContext functions, different vectors than CVE-2007-0709.",
  "id": "GHSA-xwmv-w8ff-6vr2",
  "modified": "2022-05-01T23:42:57Z",
  "published": "2022-05-01T23:42:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1736"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42082"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/30006"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/3838"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1019944"
    },
    {
      "type": "WEB",
      "url": "http://www.coresecurity.com/?action=item\u0026id=2249"
    },
    {
      "type": "WEB",
      "url": "http://www.personalfirewall.comodo.com/release_notes.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/491405/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/28742"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/1383"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2008-1736

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2008-1736

Aliases

CVE-2008-1736

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2008-1736",
    "description": "Comodo Firewall Pro before 3.0 does not properly validate certain parameters to hooked System Service Descriptor Table (SSDT) functions, which allows local users to cause a denial of service (system crash) via (1) a crafted OBJECT_ATTRIBUTES structure in a call to the NtDeleteFile function, which leads to improper validation of a ZwQueryObject result; and unspecified calls to the (2) NtCreateFile and (3) NtSetThreadContext functions, different vectors than CVE-2007-0709.",
    "id": "GSD-2008-1736"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2008-1736"
      ],
      "details": "Comodo Firewall Pro before 3.0 does not properly validate certain parameters to hooked System Service Descriptor Table (SSDT) functions, which allows local users to cause a denial of service (system crash) via (1) a crafted OBJECT_ATTRIBUTES structure in a call to the NtDeleteFile function, which leads to improper validation of a ZwQueryObject result; and unspecified calls to the (2) NtCreateFile and (3) NtSetThreadContext functions, different vectors than CVE-2007-0709.",
      "id": "GSD-2008-1736",
      "modified": "2023-12-13T01:23:02.943305Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2008-1736",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Comodo Firewall Pro before 3.0 does not properly validate certain parameters to hooked System Service Descriptor Table (SSDT) functions, which allows local users to cause a denial of service (system crash) via (1) a crafted OBJECT_ATTRIBUTES structure in a call to the NtDeleteFile function, which leads to improper validation of a ZwQueryObject result; and unspecified calls to the (2) NtCreateFile and (3) NtSetThreadContext functions, different vectors than CVE-2007-0709."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "ADV-2008-1383",
            "refsource": "VUPEN",
            "url": "http://www.vupen.com/english/advisories/2008/1383"
          },
          {
            "name": "30006",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/30006"
          },
          {
            "name": "http://www.personalfirewall.comodo.com/release_notes.html",
            "refsource": "MISC",
            "url": "http://www.personalfirewall.comodo.com/release_notes.html"
          },
          {
            "name": "3838",
            "refsource": "SREASON",
            "url": "http://securityreason.com/securityalert/3838"
          },
          {
            "name": "28742",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/28742"
          },
          {
            "name": "http://www.coresecurity.com/?action=item\u0026id=2249",
            "refsource": "MISC",
            "url": "http://www.coresecurity.com/?action=item\u0026id=2249"
          },
          {
            "name": "1019944",
            "refsource": "SECTRACK",
            "url": "http://securitytracker.com/id?1019944"
          },
          {
            "name": "comodo-ssdt-dos(42082)",
            "refsource": "XF",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42082"
          },
          {
            "name": "20080428 CORE-2008-0320 - Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls",
            "refsource": "BUGTRAQ",
            "url": "http://www.securityfocus.com/archive/1/491405/100/0/threaded"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:comodo:comodo_personal_firewall:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.4",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2008-1736"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Comodo Firewall Pro before 3.0 does not properly validate certain parameters to hooked System Service Descriptor Table (SSDT) functions, which allows local users to cause a denial of service (system crash) via (1) a crafted OBJECT_ATTRIBUTES structure in a call to the NtDeleteFile function, which leads to improper validation of a ZwQueryObject result; and unspecified calls to the (2) NtCreateFile and (3) NtSetThreadContext functions, different vectors than CVE-2007-0709."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.coresecurity.com/?action=item\u0026id=2249",
              "refsource": "MISC",
              "tags": [],
              "url": "http://www.coresecurity.com/?action=item\u0026id=2249"
            },
            {
              "name": "http://www.personalfirewall.comodo.com/release_notes.html",
              "refsource": "MISC",
              "tags": [],
              "url": "http://www.personalfirewall.comodo.com/release_notes.html"
            },
            {
              "name": "28742",
              "refsource": "BID",
              "tags": [
                "Patch"
              ],
              "url": "http://www.securityfocus.com/bid/28742"
            },
            {
              "name": "1019944",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://securitytracker.com/id?1019944"
            },
            {
              "name": "30006",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/30006"
            },
            {
              "name": "3838",
              "refsource": "SREASON",
              "tags": [],
              "url": "http://securityreason.com/securityalert/3838"
            },
            {
              "name": "ADV-2008-1383",
              "refsource": "VUPEN",
              "tags": [],
              "url": "http://www.vupen.com/english/advisories/2008/1383"
            },
            {
              "name": "comodo-ssdt-dos(42082)",
              "refsource": "XF",
              "tags": [],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42082"
            },
            {
              "name": "20080428 CORE-2008-0320 - Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://www.securityfocus.com/archive/1/491405/100/0/threaded"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.2,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 10.0,
          "obtainAllPrivilege": true,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2018-10-11T20:36Z",
      "publishedDate": "2008-04-30T00:10Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2008-1736 (GCVE-0-2008-1736)

VAR-200804-0396

FKIE_CVE-2008-1736

GHSA-XWMV-W8FF-6VR2

GSD-2008-1736

Tags

Sightings

Nomenclature