[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[NGSEC-2004-7] NtRegmon, local system denial of service.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [NGSEC-2004-7] NtRegmon, local system denial of service.
From: "labs@NGSEC" <labs@xxxxxxxxx>
Date: Wed, 25 Aug 2004 11:34:37 +0200 (CEST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                   Next Generation Security Technologies
                          http://www.ngsec.com
                            Security Advisory


       Title:   NtRegmon, local system denial of service.
          ID:   NGSEC-2004-7
 Application:   NtRegmon (http://www.sysinternals.com/ntw2k/source/regmon.shtml)
        Date:   14/Aug/2004
      Status:   Patched version available (6.12).
 Platform(s):   Windows OSs.
      Author:   Fermín J. Serna <fjserna@xxxxxxxxx>
    Location:   http://www.ngsec.com/docs/advisories/NGSEC-2004-7.txt


Overview:
- ---------

NtRegmon is a Registry monitoring utility that will show you which applications
are accessing your Registry, which keys they are accessing, and the Registry
data that they are reading and writing - all in real-time. 

For its task NtRegmon hooks some kernel mode funtions (Registry functions) for
its logging purposes.

Regmon suffer from an unvalidated pointer referencing in some of this kernel
hooks. 

While any privileged user is using NtRegmon, any local and unauthorized user 
can crash the system.


Technical description:
- ----------------------

NtRegmon is a Registry monitoring utility that will show you which applications
are accessing your Registry, which keys they are accessing, and the Registry
data that they are reading and writing - all in real-time.


For its task NtRegmon hooks some kernel mode funtions (Registry functions) for
its logging purposes.

Regmon suffers from some unvalidated pointer referencing in some of this kernel
hooks. In example NtRegmon hooks ZwSetQueryValue declared as follows:

  NTSTATUS ZwSetQueryValue(DWORD KeyHandle, DWORD ValueName, DWORD TitleIndex,
                           DWORD Type, DWORD Data, DWORD DataSize);

The problem exists because NtRegmon does not properly check if some argument
pointers are valid or not. While any privileged user is using Regmon, any local
and unauthorized user can crash the system.

Sample exploitation cand be found:

         http://www.ngsec.com/downloads/exploits/ntregmon-dos.c


Recommendations:
- ----------------
Upgrade to NtRegmon version 6.12.

- --
More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
PGP Key: http://www.ngsec.com/pgp/labs.asc

Copyright(c) 2002-2004 NGSEC. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBLFeCKrwoKcQl8Y4RAjxYAKCYw9QhDRCxnJSXd2HFt9Zp/pRgYwCfQynV
/bdl2s6PNLcuP6kXn5pRSlg=
=P5Yq
-----END PGP SIGNATURE-----

Prev by Date: Re: New google's top query?
Next by Date: RE: Running renamed executables with CMD.EXE
Previous by thread: Vulnerability: OpenBSD 3.5 Kernel Panic.
Next by thread: RealVNC 4.0 DoS
Index(es):
- Date
- Thread