INCA nProtect Gameguard Unprivileged Arbitrary Read/Write Access Vulnerability
BID:12280
Info
| Bugtraq ID: | 12280 |
| Class: | Design Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Jan 17 2005 12:00AM |
| Updated: | Jan 17 2005 12:00AM |
| Credit: | Discovery of this vulnerability is credited to "Ryu Connor" <[email protected]>. |
| Vulnerable: | INCA nProtect Gameguard 0 |
| Not Vulnerable: | |
Discussion
It is reported that the INCA nProtect Gameguard kernel driver provides functionality that may impact the security model of a Windows NT/2000/XP computer. Reports indicate that the affected kernel driver modifies the I/O permission mask of the process that invokes it, allowing that process to perform unrestricted I/O port operations from unprivileged user mode.
An unprivileged attacker who has obtained local interactive access to a computer running the vulnerable kernel-mode driver may exploit this to perform arbitrary read and write operations on a specified device.
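The "I/O permission mask" the advisory refers to is the x86 I/O permission bitmap (IOPM): one bit per port, a clear bit permits IN/OUT from user mode, a set bit makes the CPU fault. The following model, added here and not part of the advisory or of INCA's code, shows what a fully restricted map, a narrowly opened map and the unrestricted (all-zero) map described above look like, and gives an audit check that classifies a map as unrestricted; the five-port range it opens is a constructed sample.

```c
/* Added example: models the x86 I/O permission bitmap (IOPM) behind the
 * advisory's "I/O permission mask". Not the advisory's or INCA's code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IOPM_PORTS 65536u
#define IOPM_BYTES (IOPM_PORTS / 8)   /* 8192 bytes: one bit per port */

static uint8_t g_iopm[IOPM_BYTES];    /* sample map used by main() and checks */

/* All bits set: the normal state, every port denied to user mode. */
static void iopm_deny_all(uint8_t *iopm) { memset(iopm, 0xFF, IOPM_BYTES); }

/* Open the port range [first, last] to user mode by clearing its bits. */
static void iopm_allow_range(uint8_t *iopm, uint16_t first, uint16_t last) {
    for (uint32_t p = first; p <= last; p++)
        iopm[p >> 3] &= (uint8_t)~(1u << (p & 7));
}

/* Mirrors the CPU rule: a `size`-byte access at `port` is permitted only if
 * every covered port's bit is clear and the access stays inside the map. */
static bool iopm_access_permitted(const uint8_t *iopm, uint16_t port, unsigned size) {
    if (size == 0 || size > 4 || (uint32_t)port + size > IOPM_PORTS) return false;
    for (uint32_t p = port; p < (uint32_t)port + size; p++)
        if (iopm[p >> 3] & (1u << (p & 7))) return false;
    return true;
}

/* Audit helper: number of ports the map exposes to user mode. */
static uint32_t iopm_count_open_ports(const uint8_t *iopm) {
    uint32_t n = 0;
    for (uint32_t p = 0; p < IOPM_PORTS; p++)
        if (!(iopm[p >> 3] & (1u << (p & 7)))) n++;
    return n;
}

/* True when the map grants the unrestricted access the advisory describes. */
static bool iopm_is_unrestricted(const uint8_t *iopm) {
    return iopm_count_open_ports(iopm) == IOPM_PORTS;
}

int main(void) {
    iopm_deny_all(g_iopm);
    iopm_allow_range(g_iopm, 0x60, 0x64);   /* constructed sample: five ports */
    printf("1-byte at 0x60: %d\n", iopm_access_permitted(g_iopm, 0x60, 1));
    printf("2-byte at 0x64: %d (0x65 still denied)\n", iopm_access_permitted(g_iopm, 0x64, 2));
    memset(g_iopm, 0, IOPM_BYTES);           /* the all-open state to audit for */
    printf("unrestricted: %d\n", iopm_is_unrestricted(g_iopm));
    return 0;
}
```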
Exploit / POC
The following proof of concept (NPPTNT2Access.cpp) is available. An additional exploit has been released to demonstrate that the updated driver is still prone to a security risk; the proof of concept (NPPTNT2keylog.cpp) is designed to intercept keystrokes when run as an unprivileged user:
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
References:
- nProtect Gameguard Homepage (INCA)
- Re: Unrestricted I/O access vulnerability in INCA Gameguard (David Roberts)
- Unrestricted I/O access vulnerability in INCA Gameguard ("Ryu Connor")