var-200808-0147
Vulnerability from variot
The kmxfw.sys driver in CA Host-Based Intrusion Prevention System (HIPS) r8, as used in CA Internet Security Suite and Personal Firewall, does not properly verify IOCTL requests, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted request. Computer Associates products are prone to two vulnerabilities. Attackers may exploit the first vulnerability locally to execute arbitrary code with SYSTEM-level privileges or cause a system crash. Attackers may exploit the second vulnerability remotely to cause denial-of-service conditions. Successful attacks will completely compromise the computer or cause denial-of-service conditions. CA Host-Based Intrusion Prevention System (HIPS) is CA's host intrusion prevention system software. There is a vulnerability in the kmxfw.sys driver in CA HIPS r8.
No special user rights are necessary to exploit the vulnerability.
====================== Technical description: ======================
The IOCTL call 0x85000030 of the KmxFw.sys kernel driver shipped with various CA products accepts user supplied input that doesn't get validated enough. In consequence it is possible to pass arbitrary parameter values to some windows kernel functions (e.g. ExFreePoolWithTag). If these parameters are carefully crafted it is possible to force the windows kernel into performing a memory corruption that leads to full control of the kernel execution flow.
Disassembly of KmxFw.sys (version 6.5.5.5):
[...]
.text:00019800 mov eax, [esp+IOCTLControlCode] <-- (1)
.text:00019804 sub esp, 2Ch
.text:00019807 push ebx
.text:00019808 push esi
.text:00019809 push edi
.text:0001980A add eax, 7AFFFFFCh
.text:0001980F xor edi, edi
.text:00019811 xor ebx, ebx
.text:00019813 cmp eax, 4Ch ; switch 77 cases
.text:00019816 ja loc_19943 ; default
[...]
.text:0001981C movzx eax, ds:byte_19BA0[eax] <-- (2)
.text:00019823 jmp ds:off_19B6C[eax*4] ; switch jump
[...]
.text:000199E1 loc_199E1:
.text:000199E1 cmp [esp+38h+InputBufferSize], 10h <-- (3)
.text:000199E6 jb loc_19943 ; default
[...]
.text:000199EC mov eax, [esp+38h+InputBuffer] <-- (4)
.text:000199F0 mov ecx, [eax+8] <-- (5)
.text:000199F3 mov edx, [eax] <-- (6)
.text:000199F5 push ecx ; BaseAddress <-- (7)
.text:000199F6 push edx ; Mdl <-- (8)
.text:000199F7 mov ecx, offset off_28600
.text:000199FC call sub_12B70 <-- (9)
[...]
(1) IOCTL control code is copied into EAX (2) IOCTL control code switch cases (3) Switch case of the vulnerable IOCTL control code 0x85000030. There's also a minor check of the IOCTL input buffer size (must be greater than 0x10). (4) Pointer to user controlled data is copied into EAX (5) Part of the user controlled data is copied into ECX (6) Part of the user controlled data is copied into EDX (7) + (8) The user controlled values of ECX and EDX are used as parameters for the following function (sub_12B70) that gets called (9) The function sub_12B70 gets called
[...]
.text:00012B70 sub_12B70 proc near
.text:00012B70 Mdl_uc = dword ptr 4
.text:00012B70 BaseAddress_uc = dword ptr 8
.text:00012B70
.text:00012B70 push esi
.text:00012B71 mov esi, [esp+4+Mdl_uc] <-- (10)
.text:00012B75 test esi, esi
.text:00012B77 jz short loc_12B90
.text:00012B79 mov eax, [esp+4+BaseAddress_uc] <-- (11)
.text:00012B7D test eax, eax
.text:00012B7F jz short loc_12B89
.text:00012B81 push esi ; MemoryDescriptorList <-- (12)
.text:00012B82 push eax ; BaseAddress <-- (13)
.text:00012B83 call ds:MmUnmapLockedPages <-- (14)
.text:00012B89
.text:00012B89 loc_12B89:
.text:00012B89 push esi ; Mdl <-- (15)
.text:00012B8A call ds:IoFreeMdl <-- (16)
[...]
(10) User controlled data gets copied into ESI
(11) User controlled data gets copied into EAX
(12) + (13) The user controlled values of ESI and EAX are used as
parameters for the windows kernel function MmUnmapLockedPages
(14) The windows kernel function MmUnmapLockedPages gets called
(15) The user controlled value in ESI is used as a parameter for the
windows kernel function IoFreeMdl
(16) The windows kernel function IoFreeMdl gets called
In the IoFreeMdl function of the windows kernel the ExFreePoolWithTag function gets called with user controlled parameters.
Example of the IoFreeMdl function of the Windows 2000 Professional SP4 kernel:
[...]
.text:0041E700 ; void __stdcall IoFreeMdl(PMDL Mdl)
.text:0041E700 public IoFreeMdl
.text:0041E700 IoFreeMdl proc near
.text:0041E700
.text:0041E700 P = dword ptr 4
.text:0041E700
.text:0041E700 push esi
.text:0041E701 mov esi, [esp+4+P] <-- (17)
.text:0041E705 test byte ptr [esi+6], 20h
.text:0041E709 jz short loc_41E714
[...]
.text:0041E714 loc_41E714:
.text:0041E714 mov ax, [esi+6]
.text:0041E718 test al, 8
.text:0041E71A jz short loc_41E72B
[...]
.text:0041E72B
.text:0041E72B loc_41E72B:
.text:0041E72B push esi ; P <-- (18)
.text:0041E72C call ExFreePool <-- (19)
[...]
(17) The user controlled data gets copied into ESI (18) + (19) ESI is used as a parameter for the ExFreePool kernel function that calls ExFreePoolWithTag
If the user supplied parameter for ExFreePoolWithTag is carefully crafted it is possible to overwrite an arbitrary memory location with an arbitrary dword value (write4 primitive). This can be exploited to control the kernel execution flow and to execute arbitrary code at the kernel level.
========= Solution: =========
See vendor recommendations described under [1].
======== History: ========
2008/03/06 - Vendor notified using vuln@ca.com 2008/03/06 - Vendor response with PGP key 2008/03/08 - Detailed vulnerability information sent to the vendor 2008/03/08 - Vendor acknowledges receipt of the information 2008/08/12 - Coordinated disclosure
======== Credits: ========
Vulnerability found and advisory written by Tobias Klein.
=========== References: ===========
[1] http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36559 [2] http://www.trapkit.de/advisories/TKADV2008-006.txt
======== Changes: ========
Revision 0.1 - Initial draft release to the vendor Revision 1.0 - Public release
=========== Disclaimer: ===========
The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.
================== PGP Signature Key: ==================
http://www.trapkit.de/advisories/tk-advisories-signature-key.asc
Copyright 2008 Tobias Klein.
2) An unspecified error in the kmxfw.sys driver can be exploited to cause a DoS.
PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Tobias Klein 2) Elazar Broad
ORIGINAL ADVISORY: CA: http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36559 http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36560
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Title: CA Host-Based Intrusion Prevention System SDK kmxfw.sys Multiple Vulnerabilities
CA Advisory Date: 2008-08-11
Reported By: CVE-2008-2926 - Tobias Klein CVE-2008-3174 - Elazar Broad
Impact: A remote attacker can cause a denial of service or possibly execute arbitrary code. CA has issued updates to address the vulnerabilities. The first vulnerability, CVE-2008-2926, occurs due to insufficient verification of IOCTL requests by the kmxfw.sys driver. The second vulnerability, CVE-2008-3174, occurs due to insufficient validation by the kmxfw.sys driver. An attacker can make a request that can cause a system crash.
Mitigating Factors: None
Severity: CA has given these vulnerabilities a Medium risk rating. CA Personal Firewall Engine 1.2.276 and later are not affected. To ensure that the latest automatic update is installed on your computer, customers can view the Help>About screen in their CA Personal Firewall product and confirm that the engine version number is 1.2.276 or higher. For support information, visit http://shop.ca.com/support.
How to determine if you are affected: 1. Using Windows Explorer, locate the file "kmxfw.sys". By default, the file is located in the "C:\Windows\system32\drivers\" directory. 2. Right click on the file and select Properties. 3. Select the General tab. 4. If the file version is less than indicated in the below table, the installation is vulnerable.
For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.
If you discover a vulnerability in CA products, please report your findings to our product security response team. https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782
Regards, Ken Williams ; 0xE2941985 Director, CA Vulnerability Research
CA, 1 CA Plaza, Islandia, NY 11749
Contact http://www.ca.com/us/contact/ Legal Notice http://www.ca.com/us/legal/ Privacy Policy http://www.ca.com/us/privacy/ Copyright (c) 2008 CA. All rights reserved.
-----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.3 (Build 5003)
wj4DBQFIoduueSWR3+KUGYURAmmKAJ9FWl5gIZrbrGhg5CZ0NKzw0QE8qQCY+Qys ekQdlRjiIYnyp9WEqqGAxQ== =ltU4 -----END PGP SIGNATURE-----
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200808-0147",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "host based intrusion prevention system",
"scope": "eq",
"trust": 1.6,
"vendor": "ca",
"version": "r8"
},
{
"model": "internet security suite 2008",
"scope": "eq",
"trust": 1.0,
"vendor": "ca",
"version": "*"
},
{
"model": "internet security suite",
"scope": "eq",
"trust": 1.0,
"vendor": "broadcom",
"version": "3.0"
},
{
"model": "personal firewall 2008",
"scope": "eq",
"trust": 1.0,
"vendor": "ca",
"version": "*"
},
{
"model": "personal firewall 2007",
"scope": "eq",
"trust": 1.0,
"vendor": "ca",
"version": "*"
},
{
"model": "host-based intrusion prevention system",
"scope": "eq",
"trust": 0.8,
"vendor": "ca",
"version": "r8"
},
{
"model": "internet security suite",
"scope": "eq",
"trust": 0.8,
"vendor": "ca",
"version": "2007"
},
{
"model": "internet security suite",
"scope": "eq",
"trust": 0.8,
"vendor": "ca",
"version": "2008"
},
{
"model": "personal firewall",
"scope": "eq",
"trust": 0.8,
"vendor": "ca",
"version": "2007"
},
{
"model": "personal firewall",
"scope": "eq",
"trust": 0.8,
"vendor": "ca",
"version": "2008"
},
{
"model": "personal firewall 2007",
"scope": null,
"trust": 0.6,
"vendor": "ca",
"version": null
},
{
"model": "internet security suite",
"scope": "eq",
"trust": 0.6,
"vendor": "ca",
"version": "3.0"
},
{
"model": "personal firewall 2008",
"scope": null,
"trust": 0.6,
"vendor": "ca",
"version": null
},
{
"model": "internet security suite 2008",
"scope": null,
"trust": 0.6,
"vendor": "ca",
"version": null
},
{
"model": "associates personal firewall",
"scope": "eq",
"trust": 0.3,
"vendor": "computer",
"version": "2008"
},
{
"model": "associates personal firewall",
"scope": "eq",
"trust": 0.3,
"vendor": "computer",
"version": "2007"
},
{
"model": "associates internet security suite",
"scope": "eq",
"trust": 0.3,
"vendor": "computer",
"version": "20080"
},
{
"model": "associates internet security suite",
"scope": "eq",
"trust": 0.3,
"vendor": "computer",
"version": "20070"
},
{
"model": "associates host-based intrusion prevention system r8",
"scope": null,
"trust": 0.3,
"vendor": "computer",
"version": null
},
{
"model": "associates personal firewall engine",
"scope": "ne",
"trust": 0.3,
"vendor": "computer",
"version": "1.2.276"
}
],
"sources": [
{
"db": "BID",
"id": "30651"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-002498"
},
{
"db": "CNNVD",
"id": "CNNVD-200808-164"
},
{
"db": "NVD",
"id": "CVE-2008-2926"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:ca:host-based_intrusion_prevention_system",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:ca:internet_security_suite",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:ca:personal_firewall",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2008-002498"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Tobias Klein, Elazar Broad",
"sources": [
{
"db": "BID",
"id": "30651"
},
{
"db": "CNNVD",
"id": "CNNVD-200808-164"
}
],
"trust": 0.9
},
"cve": "CVE-2008-2926",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CVE-2008-2926",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "VHN-33051",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:L/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2008-2926",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2008-2926",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-200808-164",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-33051",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-33051"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-002498"
},
{
"db": "CNNVD",
"id": "CNNVD-200808-164"
},
{
"db": "NVD",
"id": "CVE-2008-2926"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The kmxfw.sys driver in CA Host-Based Intrusion Prevention System (HIPS) r8, as used in CA Internet Security Suite and Personal Firewall, does not properly verify IOCTL requests, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted request. Computer Associates products are prone to two vulnerabilities. \nAttackers may exploit the first vulnerability locally to execute arbitrary code with SYSTEM-level privileges or cause a system crash. Attackers may exploit the second vulnerability remotely to cause denial-of-service conditions. \nSuccessful attacks will completely compromise the computer or cause denial-of-service conditions. CA Host-Based Intrusion Prevention System (HIPS) is CA\u0027s host intrusion prevention system software. There is a vulnerability in the kmxfw.sys driver in CA HIPS r8. \n\nNo special user rights are necessary to exploit the vulnerability. \n\n\n======================\nTechnical description:\n======================\n\nThe IOCTL call 0x85000030 of the KmxFw.sys kernel driver shipped with\nvarious CA products accepts user supplied input that doesn\u0027t get validated \nenough. In consequence it is possible to pass arbitrary parameter values \nto some windows kernel functions (e.g. ExFreePoolWithTag). If these \nparameters are carefully crafted it is possible to force the windows kernel\ninto performing a memory corruption that leads to full control of the \nkernel execution flow. \n\nDisassembly of KmxFw.sys (version 6.5.5.5):\n\n[...]\n.text:00019800 mov eax, [esp+IOCTLControlCode] \u003c-- (1)\n.text:00019804 sub esp, 2Ch\n.text:00019807 push ebx\n.text:00019808 push esi\n.text:00019809 push edi\n.text:0001980A add eax, 7AFFFFFCh\n.text:0001980F xor edi, edi\n.text:00019811 xor ebx, ebx\n.text:00019813 cmp eax, 4Ch ; switch 77 cases\n.text:00019816 ja loc_19943 ; default\n[...]\n.text:0001981C movzx eax, ds:byte_19BA0[eax] \u003c-- (2)\n.text:00019823 jmp ds:off_19B6C[eax*4] ; switch jump\n[...]\n.text:000199E1 loc_199E1: \n.text:000199E1 cmp [esp+38h+InputBufferSize], 10h \u003c-- (3)\n.text:000199E6 jb loc_19943 ; default\n[...]\n.text:000199EC mov eax, [esp+38h+InputBuffer] \u003c-- (4)\n.text:000199F0 mov ecx, [eax+8] \u003c-- (5)\n.text:000199F3 mov edx, [eax] \u003c-- (6)\n.text:000199F5 push ecx ; BaseAddress \u003c-- (7) \n.text:000199F6 push edx ; Mdl \u003c-- (8)\n.text:000199F7 mov ecx, offset off_28600\n.text:000199FC call sub_12B70 \u003c-- (9)\n[...]\n\n(1) IOCTL control code is copied into EAX\n(2) IOCTL control code switch cases\n(3) Switch case of the vulnerable IOCTL control code 0x85000030. There\u0027s\n also a minor check of the IOCTL input buffer size (must be greater than\n 0x10). \n(4) Pointer to user controlled data is copied into EAX\n(5) Part of the user controlled data is copied into ECX\n(6) Part of the user controlled data is copied into EDX\n(7) + (8) The user controlled values of ECX and EDX are used as parameters \n for the following function (sub_12B70) that gets called\n(9) The function sub_12B70 gets called\n\n[...]\n.text:00012B70 sub_12B70 proc near \n.text:00012B70 Mdl_uc = dword ptr 4\n.text:00012B70 BaseAddress_uc = dword ptr 8\n.text:00012B70\n.text:00012B70 push esi\n.text:00012B71 mov esi, [esp+4+Mdl_uc] \u003c-- (10)\n.text:00012B75 test esi, esi\n.text:00012B77 jz short loc_12B90\n.text:00012B79 mov eax, [esp+4+BaseAddress_uc] \u003c-- (11)\n.text:00012B7D test eax, eax\n.text:00012B7F jz short loc_12B89\n.text:00012B81 push esi ; MemoryDescriptorList \u003c-- (12)\n.text:00012B82 push eax ; BaseAddress \u003c-- (13)\n.text:00012B83 call ds:MmUnmapLockedPages \u003c-- (14)\n.text:00012B89\n.text:00012B89 loc_12B89: \n.text:00012B89 push esi ; Mdl \u003c-- (15)\n.text:00012B8A call ds:IoFreeMdl \u003c-- (16)\n[...]\n\n(10) User controlled data gets copied into ESI\n(11) User controlled data gets copied into EAX\n(12) + (13) The user controlled values of ESI and EAX are used as \n parameters for the windows kernel function MmUnmapLockedPages\n(14) The windows kernel function MmUnmapLockedPages gets called\n(15) The user controlled value in ESI is used as a parameter for the \n windows kernel function IoFreeMdl\n(16) The windows kernel function IoFreeMdl gets called\n\nIn the IoFreeMdl function of the windows kernel the ExFreePoolWithTag \nfunction gets called with user controlled parameters. \n \nExample of the IoFreeMdl function of the Windows 2000 Professional SP4 \nkernel:\n \n[...]\n.text:0041E700 ; void __stdcall IoFreeMdl(PMDL Mdl)\n.text:0041E700 public IoFreeMdl\n.text:0041E700 IoFreeMdl proc near \n.text:0041E700\n.text:0041E700 P = dword ptr 4\n.text:0041E700\n.text:0041E700 push esi\n.text:0041E701 mov esi, [esp+4+P] \u003c-- (17)\n.text:0041E705 test byte ptr [esi+6], 20h\n.text:0041E709 jz short loc_41E714\n[...]\n.text:0041E714 loc_41E714: \n.text:0041E714 mov ax, [esi+6]\n.text:0041E718 test al, 8\n.text:0041E71A jz short loc_41E72B\n[...]\n.text:0041E72B\n.text:0041E72B loc_41E72B:\n.text:0041E72B push esi ; P \u003c-- (18)\n.text:0041E72C call ExFreePool \u003c-- (19)\n[...]\n\n(17) The user controlled data gets copied into ESI\n(18) + (19) ESI is used as a parameter for the ExFreePool kernel function \n that calls ExFreePoolWithTag\n\nIf the user supplied parameter for ExFreePoolWithTag is carefully crafted \nit is possible to overwrite an arbitrary memory location with an arbitrary \ndword value (write4 primitive). This can be exploited to control the kernel\nexecution flow and to execute arbitrary code at the kernel level. \n\n\n=========\nSolution:\n=========\n\n See vendor recommendations described under [1]. \n\n\n========\nHistory:\n========\n\n 2008/03/06 - Vendor notified using vuln@ca.com\n 2008/03/06 - Vendor response with PGP key\n 2008/03/08 - Detailed vulnerability information sent to the vendor \n 2008/03/08 - Vendor acknowledges receipt of the information\n 2008/08/12 - Coordinated disclosure\n\n\n========\nCredits:\n========\n\n Vulnerability found and advisory written by Tobias Klein. \n\n\n===========\nReferences:\n===========\n\n [1] http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36559\n [2] http://www.trapkit.de/advisories/TKADV2008-006.txt\n\n\n========\nChanges:\n========\n\n Revision 0.1 - Initial draft release to the vendor\n Revision 1.0 - Public release\n\n\n===========\nDisclaimer:\n===========\n\nThe information within this advisory may change without notice. Use\nof this information constitutes acceptance for use in an AS IS\ncondition. There are no warranties, implied or express, with regard\nto this information. In no event shall the author be liable for any\ndirect or indirect damages whatsoever arising out of or in connection\nwith the use or spread of this information. \n\n\n==================\nPGP Signature Key:\n==================\n\n http://www.trapkit.de/advisories/tk-advisories-signature-key.asc\n\n\nCopyright 2008 Tobias Klein. \n\n2) An unspecified error in the kmxfw.sys driver can be exploited to\ncause a DoS. \n\nPROVIDED AND/OR DISCOVERED BY:\nThe vendor credits:\n1) Tobias Klein\n2) Elazar Broad\n\nORIGINAL ADVISORY:\nCA:\nhttp://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36559\nhttp://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36560\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nTitle: CA Host-Based Intrusion Prevention System SDK kmxfw.sys \nMultiple Vulnerabilities\n\n\nCA Advisory Date: 2008-08-11\n\n\nReported By:\nCVE-2008-2926 - Tobias Klein\nCVE-2008-3174 - Elazar Broad\n\n\nImpact: A remote attacker can cause a denial of service or \npossibly execute arbitrary code. CA has issued \nupdates to address the vulnerabilities. The first vulnerability, \nCVE-2008-2926, occurs due to insufficient verification of IOCTL \nrequests by the kmxfw.sys driver. The second vulnerability, \nCVE-2008-3174, occurs due to insufficient validation by the \nkmxfw.sys driver. An attacker can make a request that can cause a \nsystem crash. \n\n\nMitigating Factors: None\n\n\nSeverity: CA has given these vulnerabilities a Medium risk rating. CA Personal Firewall Engine 1.2.276 and later are not \naffected. To ensure that the latest automatic update is installed \non your computer, customers can view the Help\u003eAbout screen in \ntheir CA Personal Firewall product and confirm that the engine \nversion number is 1.2.276 or higher. For support information, \nvisit http://shop.ca.com/support. \n\n\nHow to determine if you are affected:\n1. Using Windows Explorer, locate the file \"kmxfw.sys\". By default, \n the file is located in the \"C:\\Windows\\system32\\drivers\\\" directory. \n2. Right click on the file and select Properties. \n3. Select the General tab. \n4. If the file version is less than indicated in the below table, \n the installation is vulnerable. \n\nFor technical questions or comments related to this advisory, \nplease send email to vuln AT ca DOT com. \n\nIf you discover a vulnerability in CA products, please report your \nfindings to our product security response team. \nhttps://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782\n\n\nRegards,\nKen Williams ; 0xE2941985\nDirector, CA Vulnerability Research\n\n\nCA, 1 CA Plaza, Islandia, NY 11749\n\t\nContact http://www.ca.com/us/contact/\nLegal Notice http://www.ca.com/us/legal/\nPrivacy Policy http://www.ca.com/us/privacy/\nCopyright (c) 2008 CA. All rights reserved. \n\n-----BEGIN PGP SIGNATURE-----\nVersion: PGP Desktop 9.5.3 (Build 5003)\n\nwj4DBQFIoduueSWR3+KUGYURAmmKAJ9FWl5gIZrbrGhg5CZ0NKzw0QE8qQCY+Qys\nekQdlRjiIYnyp9WEqqGAxQ==\n=ltU4\n-----END PGP SIGNATURE-----\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2008-2926"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-002498"
},
{
"db": "BID",
"id": "30651"
},
{
"db": "VULHUB",
"id": "VHN-33051"
},
{
"db": "PACKETSTORM",
"id": "69035"
},
{
"db": "PACKETSTORM",
"id": "68975"
},
{
"db": "PACKETSTORM",
"id": "69034"
}
],
"trust": 2.25
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-33051",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-33051"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2008-2926",
"trust": 3.0
},
{
"db": "BID",
"id": "30651",
"trust": 2.8
},
{
"db": "SECUNIA",
"id": "31434",
"trust": 2.6
},
{
"db": "SECTRACK",
"id": "1020659",
"trust": 2.5
},
{
"db": "SECTRACK",
"id": "1020658",
"trust": 2.5
},
{
"db": "SECTRACK",
"id": "1020660",
"trust": 2.5
},
{
"db": "VUPEN",
"id": "ADV-2008-2339",
"trust": 2.5
},
{
"db": "XF",
"id": "44392",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2008-002498",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-200808-164",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "69034",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "69035",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-33051",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "68975",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-33051"
},
{
"db": "BID",
"id": "30651"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-002498"
},
{
"db": "PACKETSTORM",
"id": "69035"
},
{
"db": "PACKETSTORM",
"id": "68975"
},
{
"db": "PACKETSTORM",
"id": "69034"
},
{
"db": "CNNVD",
"id": "CNNVD-200808-164"
},
{
"db": "NVD",
"id": "CVE-2008-2926"
}
]
},
"id": "VAR-200808-0147",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-33051"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T22:03:32.714000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "36559",
"trust": 0.8,
"url": "http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36559"
},
{
"title": "36559",
"trust": 0.8,
"url": "http://www.ca.com/jp/securityadvisor/vulninfo/Vuln.aspx?id=36559"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2008-002498"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-20",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-33051"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-002498"
},
{
"db": "NVD",
"id": "CVE-2008-2926"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://www.securityfocus.com/bid/30651"
},
{
"trust": 2.5,
"url": "http://www.securitytracker.com/id?1020658"
},
{
"trust": 2.5,
"url": "http://www.securitytracker.com/id?1020659"
},
{
"trust": 2.5,
"url": "http://www.securitytracker.com/id?1020660"
},
{
"trust": 2.5,
"url": "http://secunia.com/advisories/31434"
},
{
"trust": 2.5,
"url": "http://www.vupen.com/english/advisories/2008/2339"
},
{
"trust": 2.2,
"url": "http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36559"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/archive/1/495397/100/0/threaded"
},
{
"trust": 1.7,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44392"
},
{
"trust": 0.9,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-2926"
},
{
"trust": 0.8,
"url": "http://xforce.iss.net/xforce/xfdb/44392"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-2926"
},
{
"trust": 0.4,
"url": "http://www.trapkit.de/advisories/tkadv2008-006.txt"
},
{
"trust": 0.4,
"url": "http://www.ca.com"
},
{
"trust": 0.4,
"url": "http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36560"
},
{
"trust": 0.3,
"url": "/archive/1/495427"
},
{
"trust": 0.3,
"url": "/archive/1/495397"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2008-2926"
},
{
"trust": 0.1,
"url": "http://www.trapkit.de/advisories/tk-advisories-signature-key.asc"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/18834/"
},
{
"trust": 0.1,
"url": "http://secunia.com/secunia_security_advisories/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/31434/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/12660/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/16198/"
},
{
"trust": 0.1,
"url": "http://secunia.com/hardcore_disassembler_and_reverse_engineer/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/19549/"
},
{
"trust": 0.1,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.1,
"url": "http://secunia.com/secunia_security_specialist/"
},
{
"trust": 0.1,
"url": "http://corporate.secunia.com/about_secunia/64/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/14434/"
},
{
"trust": 0.1,
"url": "https://support.ca.com/irj/portal/anonymous/solutionresults?aparno=ro00535\u0026actionid=4"
},
{
"trust": 0.1,
"url": "http://secunia.com/about_secunia_advisories/"
},
{
"trust": 0.1,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-3174"
},
{
"trust": 0.1,
"url": "http://www.ca.com/us/privacy/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2008-3174"
},
{
"trust": 0.1,
"url": "http://www.trapkit.de/"
},
{
"trust": 0.1,
"url": "http://support.ca.com/"
},
{
"trust": 0.1,
"url": "http://osvdb.org/"
},
{
"trust": 0.1,
"url": "http://shop.ca.com/support."
},
{
"trust": 0.1,
"url": "https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentid=177782"
},
{
"trust": 0.1,
"url": "http://www.ca.com/us/contact/"
},
{
"trust": 0.1,
"url": "http://www.ca.com/us/legal/"
},
{
"trust": 0.1,
"url": "https://support.ca.com/irj/portal/anonymous/redirarticles?reqpage=search\u0026se"
},
{
"trust": 0.1,
"url": "http://support.ca.com."
},
{
"trust": 0.1,
"url": "https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentid=182496"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-33051"
},
{
"db": "BID",
"id": "30651"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-002498"
},
{
"db": "PACKETSTORM",
"id": "69035"
},
{
"db": "PACKETSTORM",
"id": "68975"
},
{
"db": "PACKETSTORM",
"id": "69034"
},
{
"db": "CNNVD",
"id": "CNNVD-200808-164"
},
{
"db": "NVD",
"id": "CVE-2008-2926"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-33051"
},
{
"db": "BID",
"id": "30651"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-002498"
},
{
"db": "PACKETSTORM",
"id": "69035"
},
{
"db": "PACKETSTORM",
"id": "68975"
},
{
"db": "PACKETSTORM",
"id": "69034"
},
{
"db": "CNNVD",
"id": "CNNVD-200808-164"
},
{
"db": "NVD",
"id": "CVE-2008-2926"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2008-08-12T00:00:00",
"db": "VULHUB",
"id": "VHN-33051"
},
{
"date": "2008-08-11T00:00:00",
"db": "BID",
"id": "30651"
},
{
"date": "2010-12-24T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2008-002498"
},
{
"date": "2008-08-13T05:43:58",
"db": "PACKETSTORM",
"id": "69035"
},
{
"date": "2008-08-13T01:46:19",
"db": "PACKETSTORM",
"id": "68975"
},
{
"date": "2008-08-13T05:41:53",
"db": "PACKETSTORM",
"id": "69034"
},
{
"date": "2008-08-12T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200808-164"
},
{
"date": "2008-08-12T23:41:00",
"db": "NVD",
"id": "CVE-2008-2926"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-11T00:00:00",
"db": "VULHUB",
"id": "VHN-33051"
},
{
"date": "2008-08-25T22:25:00",
"db": "BID",
"id": "30651"
},
{
"date": "2010-12-24T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2008-002498"
},
{
"date": "2021-04-12T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200808-164"
},
{
"date": "2024-11-21T00:48:01.770000",
"db": "NVD",
"id": "CVE-2008-2926"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "PACKETSTORM",
"id": "69035"
},
{
"db": "PACKETSTORM",
"id": "68975"
},
{
"db": "PACKETSTORM",
"id": "69034"
},
{
"db": "CNNVD",
"id": "CNNVD-200808-164"
}
],
"trust": 0.9
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "CA Host-Based Intrusion Prevention System of kmxfw.sys Driver vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2008-002498"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200808-164"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.