| Subject: | Security vulnerability in BufferZone 2.5 |
|---|---|
| Date: | 24 Aug 2007 22:24:20 -0000 |
vulnerable software: BufferZone (all product versions) up to version 2.5 (latest)
type of vulnerability: DoS, potential privilege escalation

I found a vulnerability in BufferZone which allows an unprivileged user, and even malicious software running inside the BufferZone sandbox, to crash the system and potentially run arbitrary code with kernel privileges.

The issue is within the kernel driver redlight.sys, which does not properly validate file buffers. Sending the IOCTL code FsSetVolumeInformation with subcode FsSetDirectoryInformation with a large buffer but underreporting its size by at most 1024 bytes results in a buffer underrun which might also lead to executing arbitrary code. Since the RedLight device is also visible to sandboxed applications, it might allow sandboxed malware to escape the sandbox.

How to reproduce:
- get DC2.exe from the latest Windows Driver Kit
- install BufferZone
- log in as an unprivileged user
- start a cmd.exe shell within the sandbox
- run "dc2 /hct \Device\RedLight"

I originally reported this vulnerability for BufferZone 2.1 on 13-Jun-07, but aside from some auto-response mails never received any reply. The vulnerability is still present in the most recent version 2.5.
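The bug class the report describes, a METHOD_BUFFERED IOCTL handler that sizes its work from a caller-reported buffer length without first checking that the length covers the header it dereferences, is easy to model in user-mode C. The block below is an added example, not code from the reporter or from BufferZone: the request layout (a 1024-byte header holding a subcode and a payload length), the subcode value and the NTSTATUS-like constants are all constructed for illustration and are not the real redlight.sys format. It shows the vulnerable length arithmetic beside a hardened dispatcher that rejects an under-reported length, the exact input class a tool like dc2 generates.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical METHOD_BUFFERED request layout, constructed for this example.
 * It is NOT the real RedLight/redlight.sys IOCTL format, only a model of the
 * bug class: a fixed-size header followed by a caller-sized payload. */
#define HDR_SIZE  1024u
#define MAX_NAME  64u

#define SUB_SET_DIRECTORY_INFO 2u       /* placeholder subcode value */

struct req_hdr {
    uint32_t subcode;                   /* e.g. "set directory information" */
    uint32_t name_len;                  /* bytes of payload after the header */
    uint8_t  pad[HDR_SIZE - 2 * sizeof(uint32_t)];
};

/* NTSTATUS-like results (values are placeholders, not the Windows ones) */
#define STATUS_SUCCESS            0
#define STATUS_BUFFER_TOO_SMALL   1
#define STATUS_INVALID_PARAMETER  2

/* Vulnerable pattern: the driver sizes its copy as (in_len - HDR_SIZE) without
 * first checking that in_len covers the header. A caller that hands over a big
 * buffer but reports in_len < HDR_SIZE makes the subtraction wrap towards
 * SIZE_MAX, so the following RtlCopyMemory runs far outside the buffer.
 * The wrapped length is returned here so it can be inspected safely instead of
 * being fed to memcpy. */
size_t vulnerable_copy_len(size_t in_len) {
    return in_len - HDR_SIZE;           /* wraps when in_len < HDR_SIZE */
}

/* Hardened dispatch for the same request. Every length is checked against the
 * size the I/O manager actually reported (in_len) before any header field is
 * read or any copy is sized, and the copy is also bounded by the destination.
 * The header is snapshotted with memcpy rather than dereferenced in place so
 * alignment and double-fetch concerns do not arise. */
int hardened_set_dir_info(const uint8_t *buf, size_t in_len,
                          char out_name[MAX_NAME]) {
    struct req_hdr h;
    size_t avail;

    if (buf == NULL || in_len < sizeof h)
        return STATUS_BUFFER_TOO_SMALL;       /* header not fully present */

    memcpy(&h, buf, sizeof h);
    if (h.subcode != SUB_SET_DIRECTORY_INFO)
        return STATUS_INVALID_PARAMETER;

    avail = in_len - sizeof h;                /* cannot wrap: checked above */
    if (h.name_len > avail)
        return STATUS_BUFFER_TOO_SMALL;       /* payload claims more than given */
    if (h.name_len >= MAX_NAME)
        return STATUS_INVALID_PARAMETER;      /* would overflow destination */

    memcpy(out_name, buf + sizeof h, h.name_len);
    out_name[h.name_len] = '\0';
    return STATUS_SUCCESS;
}

/* Build a well-formed request the way a fuzzer such as dc2 might, then let the
 * caller decide which length to report to the driver. Returns the true size. */
size_t build_request(uint8_t *buf, size_t cap, const char *name) {
    struct req_hdr h;
    size_t n = strlen(name);
    if (cap < sizeof h + n) return 0;
    memset(&h, 0, sizeof h);
    h.subcode  = SUB_SET_DIRECTORY_INFO;
    h.name_len = (uint32_t)n;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, name, n);
    return sizeof h + n;
}
```

The ordering of the checks is the point: the comparison against `sizeof h` must come before anything else touches the buffer, because only that check makes the later subtraction safe. Reporting a length short by anywhere from 1 to 1024 bytes, which is the range the advisory mentions, lands in the branch the vulnerable arithmetic gets wrong and the hardened version rejects.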