{"id": "SECURITYVULNS:DOC:6628", "bulletinFamily": "software", "title": "[NGSEC-2004-6] IPD, local system denial of service.", "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\n Next Generation Security Technologies\r\n http://www.ngsec.com\r\n Security Advisory\r\n\r\n\r\n Title: IPD, local system denial of service.\r\n ID: NGSEC-2004-6\r\n Application: IPD up to 1.4 (http://www.pedestalsoftware.com/)\r\n Date: 14/Aug/2004\r\n Status: Vendor contacted on 14/Aug/2004.\r\n Platform(s): Windows OSs.\r\n Author: Fermín J. Serna <fjserna@ngsec.com>\r\n Location: http://www.ngsec.com/docs/advisories/NGSEC-2004-6.txt\r\n\r\n\r\nOverview:\r\n- ---------\r\n\r\nThe IPD (Integrity protection driver) is an Open Source device driver\r\ndesigned to prohibit the installation of new services and drivers and\r\nto protect existing driver from tampering. It installs on Windows NT \r\nand Windows 2000 computers. \r\n\r\nIn its security approach IPD hooks some kernel mode funtions and filters\r\nthem allowing or not their original purposes based on IPD's security \r\npolicy.\r\n\r\nIPD suffers from an unvalidated pointer referencing in some of this kernel\r\nhooks. \r\n\r\n\r\nTechnical description:\r\n- ----------------------\r\n\r\nThe IPD (Integrity protection driver) is an Open Source device driver\r\ndesigned to prohibit the installation of new services and drivers and\r\nto protect existing driver from tampering. It installs on Windows NT \r\nand Windows 2000 computers. \r\n\r\nIPD is available for download at:\r\n\r\n http://www.pedestalsoftware.com/download/ipd.zip\r\n\r\nIn its security approach IPD hooks some kernel mode funtions and filters\r\nthem allowing or not their original purposes based on IPD's securit \r\npolicy.\r\n\r\nIPD suffers from some unvalidated pointer referencing in some of this kernel\r\nhooks. In example IPD hooks ZwOpenSection declared as follows:\r\n\r\n NTSTATUS ZwOpenSection(HANDLE Handle, DWORD mask, DWORD oa);\r\n\r\nThe problem exists because IPD does not properly check wether "oa" pointer\r\nis valid or not. Any local and unauthorized user can crash the system with\r\nsome simple coding skills.\r\n\r\nSample exploitation cand be found:\r\n\r\n http://www.ngsec.com/downloads/exploits/ipd-dos.c\r\n\r\n\r\nRecommendations:\r\n- ----------------\r\nSince the vendor has discontinued the development and support of IPD,\r\nNGSEC recomends to uninstall IPD or perform a deep source security audit\r\nbefore re-enabling it.\r\n\r\n\r\n- --\r\nMore security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/\r\nPGP Key: http://www.ngsec.com/pgp/labs.asc\r\n\r\nCopyright(c) 2002-2004 NGSEC. All rights reserved.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.2.4 (GNU/Linux)\r\n\r\niD8DBQFBIeBaKrwoKcQl8Y4RAja+AJ9AAcQ+kbSlzihym+HNYA3Eje0oigCfSuKH\r\n8Y5J6HnjXR1bYOBbCL1Jn9A=\r\n=+YTS\r\n-----END PGP SIGNATURE-----\r\n", "published": "2004-08-19T00:00:00", "modified": "2004-08-19T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6628", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:10", "edition": 1, "viewCount": 6, "enchantments": {"score": {"value": 2.3, "vector": "NONE", "modified": "2018-08-31T11:10:10", "rev": 2}, "dependencies": {"references": [{"type": "nessus", "idList": ["EULEROS_SA-2020-1498.NASL", "EULEROS_SA-2020-1457.NASL", "EULEROS_SA-2020-1496.NASL", "EULEROS_SA-2020-1477.NASL", "EULEROS_SA-2020-1491.NASL", "EULEROS_SA-2020-1494.NASL", "EULEROS_SA-2020-1483.NASL", "EULEROS_SA-2020-1489.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220201494", "OPENVAS:1361412562311220201431", "OPENVAS:1361412562311220201489", "OPENVAS:1361412562311220201457", "OPENVAS:1361412562311220201477", "OPENVAS:1361412562311220201400", "OPENVAS:1361412562311220201491", "OPENVAS:1361412562311220201476", "OPENVAS:1361412562311220201430", "OPENVAS:1361412562311220201473"]}], "modified": "2018-08-31T11:10:10", "rev": 2}, "vulnersScore": 2.3}, "affectedSoftware": []}

{"rst": [{"lastseen": "2021-03-02T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **http://121[.]63.72.90:55265/mozi.m** in [RST Threat Feed](https://rstcloud.net/profeed) with score **57**.\n First seen: 2021-02-22T03:00:00, Last seen: 2021-03-02T03:00:00.\n IOC tags: **malware**.\nIt was found that the IOC is used by: **mozi**.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-22T00:00:00", "id": "RST:5BF62BA1-6628-3A9D-B5F1-1A7CAF8B5742", "href": "", "published": "2021-03-03T00:00:00", "title": "RST Threat feed. IOC: http://121.63.72.90:55265/mozi.m", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-01T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **59[.]97.168.147** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **19**.\n First seen: 2020-12-08T03:00:00, Last seen: 2021-03-01T03:00:00.\n IOC tags: **malware**.\nASN 9829: (First IP 59.97.168.0, Last IP 59.97.215.255).\nASN Name \"BSNLNIB\" and Organisation \"National Internet Backbone\".\nASN hosts 3363 domains.\nGEO IP information: City \"Kozhikode\", Country \"India\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-08T00:00:00", "id": "RST:DECDB3B9-6628-31BA-B44C-CB2719CE6546", "href": "", "published": "2021-03-02T00:00:00", "title": "RST Threat feed. IOC: 59.97.168.147", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-01T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **176[.]96.238.183** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **32**.\n First seen: 2021-02-04T03:00:00, Last seen: 2021-03-01T03:00:00.\n IOC tags: **malware**.\nASN 207319: (First IP 176.96.238.0, Last IP 176.96.238.255).\nASN Name \"MSKHOST\" and Organisation \"\".\nASN hosts 2592 domains.\nGEO IP information: City \"Ryazan\", Country \"Russia\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-04T00:00:00", "id": "RST:BD04AB14-6628-3D85-80C7-68AE879E7FE1", "href": "", "published": "2021-03-02T00:00:00", "title": "RST Threat feed. IOC: 176.96.238.183", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-25T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **123[.]100.226.245** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **5**.\n First seen: 2020-07-01T03:00:00, Last seen: 2021-02-25T03:00:00.\n IOC tags: **shellprobe**.\nASN 136170: (First IP 123.100.226.0, Last IP 123.100.226.255).\nASN Name \"EXBCOIDASAP\" and Organisation \"PT EXABYTES NETWORK INDONESIA\".\nASN hosts 8060 domains.\nGEO IP information: City \"\", Country \"Malaysia\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-07-01T00:00:00", "id": "RST:645DCBFA-6628-341C-BC5A-83498DDAAF0B", "href": "", "published": "2021-02-26T00:00:00", "title": "RST Threat feed. IOC: 123.100.226.245", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-17T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **iota[.]coinlab.biz** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2020-06-08T03:00:00, Last seen: 2021-01-17T03:00:00.\n IOC tags: **cryptomining**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-06-08T00:00:00", "id": "RST:D8A9EFF5-6628-3FEC-8291-D48BAE913CD5", "href": "", "published": "2021-02-24T00:00:00", "title": "RST Threat feed. IOC: iota.coinlab.biz", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-17T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **gws-dev[.]binance.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2021-01-17T03:00:00, Last seen: 2021-01-17T03:00:00.\n IOC tags: **cryptomining**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-01-17T00:00:00", "id": "RST:D0C2BD1E-6628-3D81-8754-B0EB0AEB2802", "href": "", "published": "2021-02-24T00:00:00", "title": "RST Threat feed. IOC: gws-dev.binance.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-23T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **79c02[.]cn.bitcoin.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **20**.\n First seen: 2021-02-23T03:00:00, Last seen: 2021-02-23T03:00:00.\n IOC tags: **cryptomining**.\nWhois:\n Created: 2008-01-04 14:15:06, \n Registrar: unknown, \n Registrant: NAMECHEAP INC.\nIOC could be a **False Positive** (Domain not resolved, but Whois records found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-23T00:00:00", "id": "RST:D5D990C4-6628-353B-9B90-CA0DA9919B35", "href": "", "published": "2021-02-24T00:00:00", "title": "RST Threat feed. IOC: 79c02.cn.bitcoin.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-23T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **0[.]0.0.0 fb.bitcoin.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **48**.\n First seen: 2021-02-23T03:00:00, Last seen: 2021-02-23T03:00:00.\n IOC tags: **cryptomining**.\nDomain has DNS A records: 194[.]14.246.72\nWhois:\n Created: 2008-01-04 14:15:06, \n Registrar: unknown, \n Registrant: NameCheap Inc.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-23T00:00:00", "id": "RST:7AB690E9-6628-3CDC-8431-9FBA36009868", "href": "", "published": "2021-02-23T00:00:00", "title": "RST Threat feed. IOC: 0.0.0.0 fb.bitcoin.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-23T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **0[.]0.0.0 nballoon.mine.eu.mine.zpool.ca** in [RST Threat Feed](https://rstcloud.net/profeed) with score **48**.\n First seen: 2021-02-23T03:00:00, Last seen: 2021-02-23T03:00:00.\n IOC tags: **cryptomining**.\nDomain has DNS A records: 52[.]1.161.122\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-23T00:00:00", "id": "RST:5029CA4D-6628-3B9F-BEAC-05668620D729", "href": "", "published": "2021-02-23T00:00:00", "title": "RST Threat feed. IOC: 0.0.0.0 nballoon.mine.eu.mine.zpool.ca", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-14T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **disk-10cm0[.]stream** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-02-14T03:00:00.\n IOC tags: **generic**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:E1B61B73-6628-39CE-AD12-72A3770A1CB6", "href": "", "published": "2021-02-15T00:00:00", "title": "RST Threat feed. IOC: disk-10cm0.stream", "type": "rst", "cvss": {}}]}