CVE-2005-0114
CVSS 2.1
Published: 2005-02-11 00:00:00
Revised: 2008-09-05 16:45:21

[Original] vsdatant.sys in Zone Lab ZoneAlarm before 5.5.062.011, ZoneAlarm Wireless before 5.5.080.000, Check Point Integrity Client 4.x before 4.5.122.000 and 5.x before 5.1.556.166 do not properly verify that the ServerPortName argument to the NtConnectPort function is a valid memory address, which allows local users to cause a denial of service (system crash) when ZoneAlarm attempts to dereference an invalid pointer.


[CNNVD] ZoneAlarm 5.1 Invalid Pointer Dereference Local Denial of Service Vulnerability (CNNVD-200502-047)

        ZoneAlarm is a popular desktop firewall.
        Zone Lab ZoneAlarm before 5.5.062.011, ZoneAlarm Wireless before 5.5.080.000, Check Point Integrity Client 4.x before 4.5.122.000 and 5.x before 5.1.556.166 do not properly verify that the ServerPortName argument passed to the NtConnectPort function is a valid memory address, which allows a local user to trigger a local denial of service.

- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:zonelabs:zonealarm:5.5.062.011    Zone Labs ZoneAlarm 5.5.062.011
cpe:/a:checkpoint:check_point_integrity_client:5.1.556.166    Check Point Integrity Client 5.1.556.166
cpe:/a:checkpoint:check_point_integrity_client:4.5.122.000    Check Point Integrity Client 4.5.122.000
cpe:/a:zonelabs:zonealarm_wireless_security:5.5.080.000    Zone Labs ZoneAlarm Wireless 5.5.080.000

Note: the versions named in these CPE entries are the first fixed releases; per the CVE description the vulnerable range is every release before them.

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0114
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0114
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200502-047
(official data source) CNNVD

- Other links and resources

http://www.idefense.com/application/poi/display?id=199&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050211 ZoneAlarm 5.1 Invalid Pointer Dereference Vulnerability
http://download.zonelabs.com/bin/free/securityAlert/19.html
(VENDOR_ADVISORY)  CONFIRM  http://download.zonelabs.com/bin/free/securityAlert/19.html
http://www.securityfocus.com/bid/12531
(UNKNOWN)  BID  12531
http://secunia.com/advisories/14256
(UNKNOWN)  SECUNIA  14256

- Vulnerability information

ZoneAlarm 5.1 Invalid Pointer Dereference Local Denial of Service Vulnerability
Low severity    Design error
Published 2005-02-11 00:00:00    Updated 2005-10-20 00:00:00
Local
        ZoneAlarm is a popular desktop firewall.
        Zone Lab ZoneAlarm before 5.5.062.011, ZoneAlarm Wireless before 5.5.080.000, Check Point Integrity Client 4.x before 4.5.122.000 and 5.x before 5.1.556.166 do not properly verify that the ServerPortName argument passed to the NtConnectPort function is a valid memory address, which allows a local user to trigger a local denial of service.

- Advisories and patches

        The vendor has released an update that fixes this issue; patch download link:
        http://download.zonelabs.com/bin/free/securityAlert/19.html

- Vulnerability information (F36163)

iDEFENSE Security Advisory 2005-02-11.t (PacketStormID:F36163)
2005-02-24 00:00:00
iDefense Labs  idefense.com
advisory,denial of service,local
CVE-2005-0114

iDEFENSE Security Advisory 02.11.05 - Local exploitation of an invalid pointer dereference vulnerability in Zone Labs LLC's ZoneAlarm personal firewall allows attackers to trigger a denial of service (DoS) condition.

ZoneAlarm 5.1 Invalid Pointer Dereference Vulnerability

iDEFENSE Security Advisory 02.11.05
www.idefense.com/application/poi/display?id=199&type=vulnerabilities
February 11, 2005

I. BACKGROUND

Zone Labs ZoneAlarm provides personal firewall protection. More
information is available from:

    http://www.zonelabs.com/

II. DESCRIPTION

Local exploitation of an invalid pointer dereference vulnerability in
Zone Labs LLC's ZoneAlarm personal firewall allows attackers to trigger
a denial of service (DoS) condition.

ZoneAlarm offers process specific protection by hooking the kernel API
routine NtConnectPort(). NtConnectPort() is used by programs to
implement advanced inter-process communication (IPC). The
NtConnectPort() function is declared as follows:

    NtConnectPort(
        OUT PHANDLE ClientPortHandle,
        IN PUNICODE_STRING ServerPortName,
        IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
        IN OUT PLPC_SECTION_OWNER_MEMORY ClientSharedMemory OPTIONAL,
        OUT PLPC_SECTION_MEMORY ServerSharedMemory OPTIONAL,
        OUT PULONG MaximumMessageLength OPTIONAL,
        IN OUT PVOID ConnectionInfo OPTIONAL,
        IN OUT PULONG ConnectionInfoLength OPTIONAL);

The problem specifically exists within vsdatant.sys: ZoneAlarm fails to
verify that the second argument, 'ServerPortName', is a valid address
prior to dereferencing it as a pointer. The vulnerable section of code is
displayed here:

    0001EE93 mov esi, [esp+108h+ServerPortName]
    0001EE9A mov edi, eax
    0001EE9C test esi, esi
    0001EE9E jz short loc_1EEB6
    0001EEA0 mov edx, [esi+4]

The argument 'ServerPortName' is stored in the register ESI. A check is
made to ensure that the value is not NULL. If that check is passed, the
value is dereferenced as a pointer. Any non-zero invalid memory address
can be passed as the second argument to NtConnectPort(), resulting in a
system crash.
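The disassembly above shows why a NULL check alone is not enough. In a 32-bit UNICODE_STRING the Length and MaximumLength fields are USHORTs at offsets 0 and 2 and Buffer sits at offset 4, so `mov edx, [esi+4]` reads the Buffer pointer from whatever address the caller supplied; if that address is unmapped or lies in kernel space, the fault happens in ring 0 and the machine blue-screens. The standard fix for a kernel hook that receives a user-mode pointer is to treat it as untrusted: check the caller's previous mode (ExGetPreviousMode() in a driver), ProbeForRead the descriptor inside __try/__except, copy it once into kernel-owned memory, validate the copy, probe the string it points at, and only then read it. The C below is an added example, not vsdatant.sys code or anything from Zone Labs or iDEFENSE: it is a user-mode model that builds with an ordinary C compiler, so `probe_for_read()` re-implements ProbeForRead's documented contract (alignment, no wraparound, range ending at or below a user-probe limit that is passed in as a parameter rather than read from MmUserProbeAddress), and the __try/__except handling that catches a fault on a probed but unmapped page is described in comments rather than executed. The port name, the scenarios and the `run_scenario()` helper are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* NTSTATUS values from ntstatus.h. */
#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u
#define STATUS_INVALID_PARAMETER     0xC000000Du
#define STATUS_BUFFER_TOO_SMALL      0xC0000023u

/* Field order of UNICODE_STRING; on 32-bit Windows Buffer is at offset 4, the [esi+4] in the advisory. */
typedef struct {
    uint16_t  Length;        /* bytes, must be even */
    uint16_t  MaximumLength;
    uint16_t *Buffer;        /* PWSTR */
} UNICODE_STRING_32;

/* Vulnerable shape from the advisory: NULL check only, then dereference. Any other bad
 * pointer faults in ring 0 instead of failing cleanly. */
uint16_t *vulnerable_hook_load_buffer(const UNICODE_STRING_32 *ServerPortName)
{
    if (ServerPortName == NULL)      /* test esi, esi / jz */
        return NULL;
    return ServerPortName->Buffer;   /* mov edx, [esi+4] on an unverified pointer */
}

/* User-mode model of ProbeForRead's documented contract (assumption: not the kernel's own code):
 * zero Length probes nothing, Address must be aligned, and [Address, Address+Length) must neither
 * wrap nor end above MmUserProbeAddress, which is passed in here so the model runs outside a driver. */
uint32_t probe_for_read(uintptr_t addr, size_t len, size_t align, uintptr_t user_probe_address)
{
    if (len == 0) return STATUS_SUCCESS;
    if (align != 0 && addr % align != 0) return STATUS_DATATYPE_MISALIGNMENT;
    if (len > user_probe_address || addr > user_probe_address - len) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Hardened hook: for a user-mode caller, probe the descriptor, fetch it once into kernel-owned
 * memory, validate the copy, probe the string with the copied Length, then copy the name. A real
 * driver wraps the probes and copies in __try/__except so a fault on a probed but unmapped page
 * also becomes an error return rather than a bugcheck. */
uint32_t hardened_hook_capture_name(const UNICODE_STRING_32 *ServerPortName, int caller_is_user_mode,
                                    uintptr_t user_probe_address, uint16_t *out, size_t out_cap_bytes,
                                    size_t *out_len_bytes)
{
    UNICODE_STRING_32 captured;
    uint32_t st;
    if (ServerPortName == NULL)
        return STATUS_INVALID_PARAMETER;
    if (caller_is_user_mode &&
        (st = probe_for_read((uintptr_t)ServerPortName, sizeof captured, sizeof(void *), user_probe_address)) != STATUS_SUCCESS)
        return st;
    captured = *ServerPortName;      /* single fetch: every later check uses the copy, not user memory */
    if ((captured.Length & 1) != 0 || captured.Length > captured.MaximumLength)
        return STATUS_INVALID_PARAMETER;
    if (captured.Length > out_cap_bytes)
        return STATUS_BUFFER_TOO_SMALL;
    if (caller_is_user_mode &&
        (st = probe_for_read((uintptr_t)captured.Buffer, captured.Length, sizeof(uint16_t), user_probe_address)) != STATUS_SUCCESS)
        return st;
    memcpy(out, captured.Buffer, captured.Length);
    *out_len_bytes = captured.Length;
    return STATUS_SUCCESS;
}

enum { SCN_VALID, SCN_STRUCT_IN_KERNEL, SCN_STRUCT_MISALIGNED, SCN_BUFFER_OUT_OF_RANGE };

/* Constructed scenarios: a port name on the stack from a user-mode caller, with the probe limit or
 * the pointers bent to model each failure the hook has to catch. */
uint32_t run_scenario(int scenario, size_t *captured_bytes)
{
    static uint16_t name[] = { '\\', 'R', 'P', 'C', ' ', 'C', 'o', 'n', 't', 'r', 'o', 'l' };
    UNICODE_STRING_32 us = { sizeof name, sizeof name, name };
    const UNICODE_STRING_32 *arg = &us;
    uintptr_t limit = UINTPTR_MAX;   /* everything addressable counts as user space */
    uint16_t out[32];
    size_t n = 0;
    uint32_t st;
    switch (scenario) {
    case SCN_STRUCT_IN_KERNEL:    limit = (uintptr_t)&us; break;                          /* struct ends above the limit */
    case SCN_STRUCT_MISALIGNED:   arg = (const UNICODE_STRING_32 *)((uintptr_t)&us + 1); break;
    case SCN_BUFFER_OUT_OF_RANGE: us.Buffer = (uint16_t *)(UINTPTR_MAX - 7); break;       /* Buffer + Length wraps */
    default: break;
    }
    st = hardened_hook_capture_name(arg, 1, limit, out, sizeof out, &n);
    if (captured_bytes != NULL)
        *captured_bytes = n;
    return st;
}

/* Bytes captured by the valid scenario: 12 UTF-16 code units, 24 bytes. */
size_t valid_scenario_captured_bytes(void) { size_t n = 0; run_scenario(SCN_VALID, &n); return n; }
```

Only the hardened hook is exercised by the scenarios; calling `vulnerable_hook_load_buffer()` with a non-NULL bogus pointer faults exactly as the advisory describes (a segfault in this user-mode model, a bugcheck in a driver), which is the point of never reaching that dereference before the probe.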

III. ANALYSIS

Exploitation allows local and remote attackers who have exploited
another vulnerability to trigger a DoS in kernel space, resulting in a
"blue screen of death."

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in ZoneAlarm
version 5.1. It is suspected that previous versions of ZoneAlarm are
vulnerable as well.

V. WORKAROUND

iDEFENSE is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

A vendor advisory for this issue is available at:

   http://download.zonelabs.com/bin/free/securityAlert/19.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0114 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

01/06/2005      Initial vendor notification
01/07/2005      Initial vendor response
02/11/2005      Coordinated public disclosure

IX. CREDIT

iDEFENSE Labs is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.

There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
    

- Vulnerability information

13769
ZoneAlarm vsdatant.sys NtConnectPort() Hook Invalid Pointer Dereference Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Vendor Verified

- Vulnerability description

- Timeline

2005-02-11 2005-01-06
Unknown 2005-02-11

- Solution

There are no known workarounds for this issue; Zone Labs has released a patch to address this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Zone Labs ZoneAlarm Local Denial of Service Vulnerability
Class: Design Error    Bugtraq ID: 12531
Remote: No    Local: Yes
Published: 2005-02-11 12:00:00    Updated: 2009-07-12 10:06:00
Discovery is credited to iDEFENSE Labs.

- Affected program versions

Zone Labs ZoneAlarm Security Suite 5.5 .062
Zone Labs ZoneAlarm Security Suite 5.5
Zone Labs ZoneAlarm Security Suite 5.1
Zone Labs ZoneAlarm Pro 5.5 .062
Zone Labs ZoneAlarm Pro 5.1
Zone Labs ZoneAlarm Pro 5.0.590 .015
Zone Labs ZoneAlarm Pro 4.5 .538.001
Zone Labs ZoneAlarm Pro 4.5
Zone Labs ZoneAlarm Pro 4.0
Zone Labs ZoneAlarm Pro 3.1
Zone Labs ZoneAlarm Pro 3.0
Zone Labs ZoneAlarm Pro 2.6
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Zone Labs ZoneAlarm Pro 2.4
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Zone Labs ZoneAlarm 5.1
Zone Labs ZoneAlarm 4.5 .538.001
Zone Labs ZoneAlarm 4.0
Zone Labs ZoneAlarm 3.7 .202
Zone Labs ZoneAlarm 3.1
Zone Labs ZoneAlarm 3.0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Zone Labs ZoneAlarm 2.6
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Zone Labs ZoneAlarm 2.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Zone Labs ZoneAlarm 2.4
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Zone Labs ZoneAlarm 2.3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Zone Labs ZoneAlarm 2.2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Zone Labs ZoneAlarm 2.1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Check Point Software Integrity Client 5.0
Check Point Software Integrity Client 4.5
Zone Labs ZoneAlarm Security Suite 5.5 .062.011
Zone Labs ZoneAlarm Pro 5.5 .062.011
Zone Labs ZoneAlarm 5.5 .062.011
Check Point Software Integrity Client 5.1.556 .166
Check Point Software Integrity Client 4.4.122 .000

- Unaffected program versions

Zone Labs ZoneAlarm Security Suite 5.5 .062.011
Zone Labs ZoneAlarm Pro 5.5 .062.011
Zone Labs ZoneAlarm 5.5 .062.011
Check Point Software Integrity Client 5.1.556 .166
Check Point Software Integrity Client 4.4.122 .000

- Vulnerability discussion

Multiple ZoneAlarm products and Check Point Integrity Client are reported prone to a local denial of service vulnerability. This issue exists due to an invalid pointer dereference.

A successful attack can result in a denial of service condition in the kernel.

ZoneAlarm Security Suite, ZoneAlarm Pro, and ZoneAlarm versions prior to 5.5.062.011 and Check Point Integrity Client versions prior to 4.5.122.000 and 5.1.556.166 are considered vulnerable to this issue.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

The vendor has released ZoneAlarm Security Suite, ZoneAlarm Pro, and ZoneAlarm version 5.5.062.011 to address this issue. Check Point Integrity Client versions 4.5.122.000 and 5.1.556.166 are available to fix this issue as well. Users may download updates automatically or manually from the vendor. Please see references for more information.

- References
