Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

                          ESB-2008.0080 -- [Win]
                     CORE FORCE Kernel Buffer Overflow
                              23 January 2008


        AusCERT Security Bulletin Summary

Product:              Core Force
Publisher:            Core Security TechnologiesCore Security
Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
                      Increased Privileges
                      Denial of Service
Access:               Existing Account
CVE Names:            CVE-2008-0365 CVE-2008-0366

Original Bulletin:    http://www.coresecurity.com/?action=item&id=2025

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1

~    Core Security Technologies - CoreLabs Advisory
~         http://www.coresecurity.com/corelabs

~          CORE FORCE Kernel Buffer Overflow

*Advisory Information*

Title: CORE FORCE Kernel Buffer Overflow
Advisory ID: CORE-2007-1119
Advisory URL: http://www.coresecurity.com/?action=item&id=2025
Date published: 2008-01-17
Date of last update: 2008-01-17
Release mode: Coordinated release

*Vulnerability Information*

Class: Input validation error (Buffer Overflow)
Remotely Exploitable: No
Locally Exploitable: Yes
Bugtraq ID: None currently assigned
CVE Name: None currently assigned

*Vulnerability Description*

CORE FORCE is the first community oriented security solution for personal
computers that  provides a comprehensive endpoint security solution for
Windows 2000 and Windows XP systems.

CORE FORCE provides inbound and outbound stateful packet filtering for
TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular
file system and registry access control and programs' integrity
validation. These capabilities can be configured and enforced system-wide
or on a per-application basis for specific programs such as email
readers, Web browsers, media players, messaging software, etc. The
security framework provided by CORE FORCE is leveraged by a community of
security experts that share their security configurations for a growing
list of programs. These security profiles can be downloaded by any user
of CORE FORCE from the community Web site and they're also completely
open so that they can be peer-reviewed to minimize security hazards.

Locally exploitable kernel buffer overflow vulnerabilities and unproperly
validated input arguments have been found in CORE FORCE Firewall and
Registry modules. The vulnerabilities allow unprivileged logged on users
to crash the system (denial of service), and they also may lead to a
privilege escalation or even a local root exploit.

*Vulnerable packages*
- - - CORE FORCE 0.95.167 and below.

*Non-vulnerable packages*
- - - CORE FORCE 0.95.172.

*Vendor Information, Solutions and Workarounds*

This vulnerability was fixed in CORE FORCE version 0.95.172 which is
available at: http://force.coresecurity.com/


This vulnerability was discovered by Sebastian Gottschalk.

*Technical Description / Proof of Concept Code*

The firewall functionality of CORE FORCE is as a port of OpenBSD's PF
firewall implemented as an NDIS complaint kernel driver that mediates
communications between the Network card and the TCP/IP stack of the
operating system. Thus stateful, bi-directional firewalling rules can be
enforced independently of the Windows OS firewall capabilities and at a
deeper layer, closer to the wire. The kernel driver is accessible to a
user mode application via IOCTL functions.

There are 4 IOCTL functions on the firewall driver module that use input
received from userspace and do not validate the length of the input
buffers properly. By calling any of these IOCTLs from with properly
crafted arguments, an unprivileged user could trigger vulnerabilities in
the driver and cause a denial of service or potentially to execute
arbitrary code with elevated privileges.

Similarly other 7 SSDT hook handler functions on the driver that
intercepts the Registry access on Windows are vulnerable to input
validation errors.

All the vulnerabilities can be reproduced by running a combination of
DC2 and BSODHook tools.

Step by step instructions:

- - - Get DC2.exe (Driver Path Verifier) from the latest Windows Driver Kit.
- - - Login as unprivileged user.
- - - Run "dc2 /hct /a".
- - - Get BSODHook.exe from Matousec [3].
- - - Click on "Load Driver" then click on "Find SSDT hooks" then "Add to
probe list" and then "GO".

*Report Timeline*

2007-11-04: Initial notification by independent researcher Sebastian
2007-11-05: Email acknowledging reception of the bug reports and
indicating that looking into the report would probably take Core more
than a week. Core requested details to reproduce a second type of bug
related to hooking of the SSDT.
2007-11-05: Email from Sebastian Gottschalk indicating that the BSODhook
from Matousec [3] could be used to reproduce the SSDT hooking problems.
2007-11-19: A fix is produced by the Core Force team. Core asks the
researcher whether he wants to be credited for the discovery in the advisory.
2007-11-22: Sebastian Gottschalk accepts to be credited.
2007-11-28: Email sent to Sebastian Gottschalk indicating the Core found
a bug in the fix and will have to delay publication of a fixed version of
Core Force.
2007-11-29: New fix committed by the Core Force team.
2007-12-17: Other functions were also found vulnerable in the Registry
2008-01-07: New fix committed by the Core Force team.
2008-01-17: CORE-2007-1119 advisory is published.


[1] CORE FORCE: http://force.coresecurity.com/
[2] Driver testing: http://blogs.msdn.com/ravig/default.aspx

*About Corelabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at

*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. IMPACT evaluates network, endpoint
and end-user vulnerabilities and identifies what resources are exposed.
It enables organizations to determine if current security investments are
detecting and preventing attacks. Core augments its leading technology
solution with world-class security consulting services, including
penetration testing and software security auditing. Based in Boston, MA
and Buenos Aires, Argentina, Core Security Technologies can be reached at
617-399-6980 or on the Web at  http://www.coresecurity.com.


The contents of this advisory are copyright (c) 2008 CORE Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at

Version: GnuPG v1.4.7 (MingW32)


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967