CVSS2: AV:L/AC:L/Au:N/C:C/I:C/A:C
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
EPSS Percentile: 5.1%
Title: CORE FORCE Kernel Buffer Overflow
Advisory ID: CORE-2007-1119
Advisory URL: https://www.coresecurity.com/core-labs/advisories/aol-icq-pro-2003b-heap-overflow-vulnerability
Date published: 2008-01-17
Date of last update: 2008-01-17
Release mode: Coordinated release
Class: Input validation error (Buffer Overflow)
Remotely Exploitable: No
Locally Exploitable: Yes
Bugtraq ID: 27341
CVE Name: CVE-2008-0366
CORE FORCE is the first community-oriented security solution for personal computers that provides a comprehensive endpoint security solution for Windows 2000 and Windows XP systems.
CORE FORCE provides inbound and outbound stateful packet filtering for TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular file system and registry access control and programs' integrity validation. These capabilities can be configured and enforced system-wide or on a per-application basis for specific programs such as email readers, Web browsers, media players, messaging software, etc. The security framework provided by CORE FORCE is leveraged by a community of security experts that share their security configurations for a growing list of programs. These security profiles can be downloaded by any user of CORE FORCE from the community Web site and they're also completely open so that they can be peer-reviewed to minimize security hazards.
Locally exploitable kernel buffer overflow vulnerabilities and improperly validated input arguments have been found in the CORE FORCE Firewall and Registry modules. The vulnerabilities allow unprivileged logged-on users to crash the system (denial of service), and they may also lead to privilege escalation or even a local root exploit.
Vulnerable packages: CORE FORCE 0.95.167 and below.
Non-vulnerable packages: CORE FORCE 0.95.172.
This vulnerability was fixed in CORE FORCE version 0.95.172.
This vulnerability was discovered by Sebastian Gottschalk.
The firewall functionality of CORE FORCE is a port of OpenBSD's PF firewall implemented as an NDIS-compliant kernel driver that mediates communications between the network card and the TCP/IP stack of the operating system. Thus stateful, bi-directional firewalling rules can be enforced independently of the Windows OS firewall capabilities and at a deeper layer, closer to the wire. The kernel driver is accessible to a user-mode application via IOCTL functions.
There are 4 IOCTL functions in the firewall driver module that use input received from user space and do not validate the length of the input buffers properly. By calling any of these IOCTLs with properly crafted arguments, an unprivileged user could trigger vulnerabilities in the driver and cause a denial of service or potentially execute arbitrary code with elevated privileges.
Similarly, 7 other SSDT hook handler functions in the driver that intercepts Registry access on Windows are vulnerable to input validation errors.
All the vulnerabilities can be reproduced by running a combination of DC2 and BSODHook tools.
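The bug class the advisory describes, a kernel IOCTL handler that copies caller-supplied data without checking the buffer lengths it is handed, is illustrated below with an added example. This is not CORE FORCE code and not taken from the advisory: it is a user-mode C model whose request layout, structure names, `RULE_NAME_MAX` and status codes are all hypothetical stand-ins for what a Windows driver would see as its input buffer, `InputBufferLength` and NTSTATUS values. The unchecked handler shows the defective pattern (it is never executed here); the checked handler shows the validation order a driver needs: reported length before the header is read, embedded length against both the reported length and the destination capacity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not CORE FORCE code. Models a kernel IOCTL dispatch path in
 * user mode; every name and constant below is hypothetical. */

#define RULE_NAME_MAX 32              /* capacity of the kernel-side name field */

enum ioctl_status {
    IOCTL_OK = 0,
    IOCTL_BUFFER_TOO_SMALL = 1,       /* stand-in for STATUS_BUFFER_TOO_SMALL */
    IOCTL_INVALID_PARAMETER = 2       /* stand-in for STATUS_INVALID_PARAMETER */
};

/* Request as it arrives from user mode: fixed header, then name_len bytes. */
struct set_rule_request {
    uint32_t rule_id;
    uint32_t name_len;                /* length claimed by the caller */
    char     name[];                  /* flexible array member, name_len bytes */
};

/* Kernel-side object the handler fills in. */
struct firewall_rule {
    uint32_t id;
    char     name[RULE_NAME_MAX];     /* NUL-terminated */
};

/* Defective pattern: the reported input length (in_len) is never consulted,
 * so a short buffer makes the handler read past it, and the caller-chosen
 * name_len drives a memcpy into a fixed-size kernel struct. Shown for
 * contrast only; not called anywhere in this example. */
int set_rule_unchecked(struct firewall_rule *out, const void *in, size_t in_len)
{
    const struct set_rule_request *req = (const struct set_rule_request *)in;
    (void)in_len;
    out->id = req->rule_id;
    memcpy(out->name, req->name, req->name_len);
    out->name[req->name_len] = '\0';
    return IOCTL_OK;
}

/* Hardened pattern: check the reported length before touching the header,
 * then bound the embedded length by the destination and by what was
 * actually delivered. */
int set_rule_checked(struct firewall_rule *out, const void *in, size_t in_len)
{
    const struct set_rule_request *req = (const struct set_rule_request *)in;

    if (in == NULL || in_len < sizeof(*req))
        return IOCTL_BUFFER_TOO_SMALL;        /* header not fully present */
    if (req->name_len >= RULE_NAME_MAX)
        return IOCTL_INVALID_PARAMETER;       /* leave room for the NUL */
    if (req->name_len > in_len - sizeof(*req))
        return IOCTL_BUFFER_TOO_SMALL;        /* payload shorter than claimed */

    out->id = req->rule_id;
    memcpy(out->name, req->name, req->name_len);
    out->name[req->name_len] = '\0';
    return IOCTL_OK;
}

/* Helper: lay out a request the way a user-mode caller would. Returns the
 * total byte length, or 0 if it does not fit in cap. */
size_t build_request(uint8_t *buf, size_t cap, uint32_t id, const char *name)
{
    size_t n = strlen(name);
    size_t hdr = sizeof(struct set_rule_request);
    uint32_t len32 = (uint32_t)n;
    if (cap < hdr + n)
        return 0;
    memcpy(buf, &id, sizeof id);              /* rule_id at offset 0 */
    memcpy(buf + sizeof id, &len32, sizeof len32); /* name_len at offset 4 */
    memcpy(buf + hdr, name, n);
    return hdr + n;
}

int main(void)
{
    uint32_t storage[16];                     /* aligned backing store */
    uint8_t *buf = (uint8_t *)storage;
    struct firewall_rule rule;
    size_t n = build_request(buf, sizeof storage, 7, "allow-dns");

    printf("full request: status %d\n", set_rule_checked(&rule, buf, n));
    printf("truncated:    status %d\n", set_rule_checked(&rule, buf, n - 1));
    return 0;
}
```

The third check is the one most often forgotten: a caller can deliver a buffer whose header is complete but whose embedded length claims more payload than the I/O manager actually copied, so the embedded length must be bounded by `in_len - sizeof(header)` as well as by the destination size.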
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies.
We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at https://www.coresecurity.com/core-labs/
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Core Security Technologies can be reached at https://www.coresecurity.com.
The contents of this advisory are copyright © 2008 CORE Security Technologies and © 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
This advisory has been signed with the GPG key of Core Security Technologies advisories team.