Malformed IOCTL could crash system

[GoogleCodeExporter]

Crash-causing vulnerability reported via email by user Luka Milkovic
("Aelthegrin"):

/---------------------------------------
I discovered a local DoS vulnerability in PeerBlock/PeerGuardian driver on
Windows XP SP2 which leads to BSOD.
An attacker could send an IRP packet with IOCTL_PEERBLOCK_SETPORTS or
IOCTL_PEERBLOCK_SETRANGES control code using very large input buffer size
(and setting up the passed structures appropriately).

Functions SetPorts() and SetRanges() use this buffer size for allocating
NonPaged pool and for copying the input structures to the internal
structures. However, the value returned from the ExAllocatePoolWithTag()
function is not checked for NULL value. It's easy for an attacker to cause
an allocation failure (on systems prior to Vista), because the non-paged
pool is very limited in size (max 256 MB). When allocation fails, NULL
value is returned, and this value is used in RtlCopyMemory() function which
leads to BSOD.
\---------------------------------------

This is not too critical a vulnerability as it requires malicious code to
be executed locally on the machine in question, and can only cause the
machine to crash (can't load any malicious code into the kernel or
anything), so I don't think it's worth spinning a bugfix release of our
Stable Release for.  The fix will be in the next Beta Release however.

Original issue reported on code.google.com by peerbloc...@gmail.com on 21 Jan 2010 at 6:46

[GoogleCodeExporter]

This issue was closed by revision r262.

Original comment by peerbloc...@gmail.com on 21 Jan 2010 at 6:51

• Changed state: Fixed