Trustware BufferZone Buffer Overflow Vulnerability

Vulnerability ID: 1189286    Vulnerability type: Buffer overflow
Published: 2007-08-28    Updated: 2007-08-28
CVE ID: CVE-2007-4580    CNNVD ID: CNNVD-200708-459
Platform: N/A    CVSS score: 7.2
|Vulnerability sources
https://www.securityfocus.com/bid/81604
https://cxsecurity.com/issue/WLB-2007080136
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-459
|Vulnerability details
A buffer overflow exists in redlight.sys in BufferZone 2.1 and 2.5. A local user can cause a denial of service (system crash) and possibly execute arbitrary code by sending the FsSetVolumeInformation IOCTL handler a request with the FsSetDirectoryInformation subcode that carries a large buffer but declares a small buffer size.
|Vulnerability exploit
vulnerable software: BufferZone (all product versions) up to version 2.5 (latest)
type of vulnerability: DoS, potential privilege escalation

I found a vulnerability in BufferZone which allows an unprivileged user, and even malicious software running inside the BufferZone sandbox, to crash the system and potentially run arbitrary code with kernel privileges.
The issue is within the kernel driver redlight.sys, which does not properly validate the file buffer. Sending the IOCTL code FsSetVolumeInformation with the subcode FsSetDirectoryInformation with a large buffer but under-reporting its size by at most 1024 bytes results in a buffer underrun, which might also lead to executing arbitrary code.
Since the RedLight device is also visible to sandboxed applications, it might allow sandboxed malware to escape the sandbox.

How to reproduce:
- get DC2.exe from the latest Windows Driver Kit
- install BufferZone
- log in as an unprivileged user
- start a cmd.exe shell within the sandbox
- run "dc2 /hct \Device\RedLight"

I originally reported this vulnerability for BufferZone 2.1 on 13-Jun-07, but aside from some auto-response mails I never received any reply. The vulnerability is still present in the most recent version, 2.5.
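The advisory describes a length-trust bug: the driver locates data inside the IOCTL request using a size the caller reports rather than the buffer length the I/O manager actually delivered, so a request that under-reports its own size makes the handler reach outside the buffer. The following is an added, user-mode model of that bug class beside a hardened variant; it is not code from the advisory or from Trustware, and the request layout, the subcode value, the fixed-size "trailer" and the constructed requests are all assumptions made for illustration (redlight.sys internals are not described on this page). The arena in which the request is placed stands in for kernel memory so that the bytes *before* the buffer exist and can be inspected after the underrun.

```c
/* Added example: model of an IOCTL handler that trusts a self-reported size.
 * Not from the advisory or the vendor; layout and values are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SUB_SET_DIRECTORY_INFORMATION 0x02u   /* assumed subcode value */
#define TRAILER_SIZE 16u                      /* assumed fixed trailer at the end */
#define MIN_REQUEST_SIZE (sizeof(struct set_volume_request) + TRAILER_SIZE)

/* Hypothetical request: header, then variable-length name bytes, then a
 * TRAILER_SIZE-byte trailer that sits at declared_size - TRAILER_SIZE. */
struct set_volume_request {
    uint32_t subcode;
    uint32_t declared_size;   /* size the caller CLAIMS for the whole request */
};

enum { HANDLER_BAD_LENGTH = -1, HANDLER_BAD_SUBCODE = -2 };
enum { CANARY = 0xC5, TRAILER_MARK = 0x7A };

/* Arena standing in for kernel memory; the request is placed mid-arena so an
 * underrun lands on CANARY bytes instead of unmapped memory. */
#define ARENA_SIZE 4096u
#define REQUEST_OFFSET 2048u
static uint8_t arena[ARENA_SIZE];

/* Construct a request whose real size is real_size (>= MIN_REQUEST_SIZE) but
 * whose header claims declared_size. Name bytes are 'A', the real trailer is
 * TRAILER_MARK, everything outside the request is CANARY. */
struct set_volume_request *build_request(uint32_t real_size, uint32_t declared_size)
{
    memset(arena, CANARY, ARENA_SIZE);
    uint8_t *base = arena + REQUEST_OFFSET;
    memset(base, 0x41, real_size);
    memset(base + real_size - TRAILER_SIZE, TRAILER_MARK, TRAILER_SIZE);
    struct set_volume_request hdr = { SUB_SET_DIRECTORY_INFORMATION, declared_size };
    memcpy(base, &hdr, sizeof hdr);
    return (struct set_volume_request *)base;
}

/* Vulnerable handler (the bug class): finds the trailer from the caller's
 * declared_size and never compares it with input_length, the length the I/O
 * manager reported. A declared_size smaller than TRAILER_SIZE puts the trailer
 * BEFORE the buffer. A signed offset is used here so the model stays inside the
 * arena; a real driver doing unsigned arithmetic would wrap to a huge offset
 * and fault, which is the crash the advisory reports. Returns the first byte
 * the handler believes is the trailer. */
int vulnerable_handler(struct set_volume_request *req, uint32_t input_length)
{
    (void)input_length;                                   /* ignored: the bug */
    if (req->subcode != SUB_SET_DIRECTORY_INFORMATION)
        return HANDLER_BAD_SUBCODE;
    ptrdiff_t off = (ptrdiff_t)req->declared_size - (ptrdiff_t)TRAILER_SIZE;
    uint8_t *trailer = (uint8_t *)req + off;              /* may be < req */
    return trailer[0];
}

/* Hardened handler: every access is bounded by input_length (in a WDM driver,
 * Parameters.DeviceIoControl.InputBufferLength from the IRP stack location),
 * and the self-reported size must agree with it before it is used at all. */
int hardened_handler(struct set_volume_request *req, uint32_t input_length)
{
    if (input_length < MIN_REQUEST_SIZE)
        return HANDLER_BAD_LENGTH;                        /* header + trailer must fit */
    if (req->subcode != SUB_SET_DIRECTORY_INFORMATION)
        return HANDLER_BAD_SUBCODE;
    if (req->declared_size != input_length)
        return HANDLER_BAD_LENGTH;                        /* reject under/over-reporting */
    uint8_t *trailer = (uint8_t *)req + input_length - TRAILER_SIZE;
    return trailer[0];
}

int main(void)
{
    /* Honest request: both handlers read the real trailer. */
    printf("honest:       vuln=%#x hard=%#x\n",
           vulnerable_handler(build_request(1048, 1048), 1048),
           hardened_handler(build_request(1048, 1048), 1048));
    /* Under-reported size (8 bytes claimed, 1048 delivered): the vulnerable
     * handler reads memory before the buffer (CANARY); the hardened one refuses. */
    printf("underreported: vuln=%#x hard=%d\n",
           vulnerable_handler(build_request(1048, 8), 1048),
           hardened_handler(build_request(1048, 8), 1048));
    return 0;
}
```

The check that matters is the comparison against `input_length`: a size field that lives inside the request is attacker-controlled data and can only be accepted after it has been shown to match what the I/O manager delivered. The same check would stop the over-reported case (a small buffer claiming to be large), which is the more common overflow direction.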
|Affected products
- TRUSTWARE BufferZone 2.5 Pro
- TRUSTWARE BufferZone 2.5 Free
- TRUSTWARE BufferZone 2.5 Enterprise
- TRUSTWARE BufferZone 2.1
|References

Source: XF
Name: bufferzone-redlight-privilege-escalation(36278)
Link: http://xforce.iss.net/xforce/xfdb/36278
Source: BUGTRAQ
Name: 20070824 Security vulnerability in BufferZone 2.5
Link: http://www.securityfocus.com/archive/1/archive/1/477726/100/0/threaded
Source: SECUNIA
Name: 26608
Link: http://secunia.com/advisories/26608
Source: OSVDB
Name: 39154
Link: http://osvdb.org/39154
Source: SREASON
Name: 3071
Link: http://securityreason.com/securityalert/3071