TheGreenBow VPN Client tgbvpn.sys DoS and Potential Local Privilege Escalation

Author: Giuseppe 'Evilcry' Bonfa'
E-Mail: evilcry {AT} GMAIL {DOT} COM
Website: http://evilcry.netsons.org
         http://evilcodecave.blogspot.com
         http://evilcodecave.wordpress.com
         http://evilfingers.com
         http://malwareAnalytics.com [under construction]


Release Date: 15/08/2009

+-------------------------------------------------+
Product: TheGreenBow VPN Client 4.61.003 (other versions could be affected)
Affected Component: tgbvpn.sys
Category: Local Denial of Service (BSOD)
          (untested) Local Privilege Escalation

+-------------------------------------------------+

--------------------------[Details]--------------->

TheGreenBow's tgbvpn.sys driver does not sanitize user-supplied input (IOCTL),
and this leads to a driver crash that propagates to the system as a BSOD,
with a potential risk of privilege escalation.

Affected IOCTL is 0x80000034

Transfer Type: METHOD_BUFFERED

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
ef1cabf4 841d36a8 ef1cac58 841d36a8 f42dd895 tgbvpn+0x9f51
00000000 00000000 00000000 00000000 00000000 0x841d36a8
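
Added example (not part of the original advisory and not TheGreenBow's code): a user-mode C model that decodes the affected control code 0x80000034 into its CTL_CODE fields and shows the checks a METHOD_BUFFERED handler should make before touching the buffer. The request layout (demo_request), the table size and the status names are hypothetical, since the advisory does not describe what the handler expects.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of a Windows I/O control code (CTL_CODE bit layout). */
typedef struct { uint32_t device_type, access, function, method; } ioctl_fields;

static ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = code >> 16;           /* bits 31..16 */
    f.access      = (code >> 14) & 0x3;   /* 0 = FILE_ANY_ACCESS */
    f.function    = (code >> 2) & 0xFFF;  /* bits 13..2 */
    f.method      = code & 0x3;           /* 0 = METHOD_BUFFERED */
    return f;
}

/* User-mode model of what a METHOD_BUFFERED dispatch routine receives. */
typedef struct {
    void    *system_buffer;  /* Irp->AssociatedIrp.SystemBuffer */
    uint32_t in_len;         /* Parameters.DeviceIoControl.InputBufferLength */
    uint32_t out_len;        /* Parameters.DeviceIoControl.OutputBufferLength */
} buffered_request;

/* Hypothetical request layout (assumption; not taken from tgbvpn.sys). */
typedef struct { uint32_t index; uint32_t value; } demo_request;
#define DEMO_TABLE_SLOTS 8u
enum { ST_OK = 0, ST_INVALID_PARAMETER = 1, ST_BUFFER_TOO_SMALL = 2 };

/* Validate every caller-controlled value before the first dereference. */
static int handle_demo_ioctl(const buffered_request *rq, uint32_t table[DEMO_TABLE_SLOTS]) {
    demo_request in;
    if (rq->system_buffer == NULL)         return ST_INVALID_PARAMETER; /* both lengths were 0 */
    if (rq->in_len < sizeof(demo_request)) return ST_BUFFER_TOO_SMALL;
    if (rq->out_len < sizeof(uint32_t))    return ST_BUFFER_TOO_SMALL;
    memcpy(&in, rq->system_buffer, sizeof in); /* copy input out: the reply reuses this buffer */
    if (in.index >= DEMO_TABLE_SLOTS)      return ST_INVALID_PARAMETER; /* content check */
    table[in.index] = in.value;
    memcpy(rq->system_buffer, &table[in.index], sizeof(uint32_t)); /* write the reply */
    return ST_OK;
}

int main(void) {
    ioctl_fields f = decode_ioctl(0x80000034u); /* IOCTL named in the advisory */
    printf("device=0x%X access=%u function=0x%X method=%u\n", (unsigned)f.device_type,
           (unsigned)f.access, (unsigned)f.function, (unsigned)f.method);
    return 0;
}
```

The decoded access field is 0 (FILE_ANY_ACCESS), so the I/O manager does not require read or write access on the handle before delivering this request; length and content checks in the driver are the only validation it gets.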

+--------------------------------------------------------------------------------------------+
/* tgbvpn.sys KERNEL_MODE_EXCEPTION_NOT_HANDLED - DoS PoC
 *
 * Author: Giuseppe 'Evilcry' Bonfa'
 * E-Mail: evilcry {AT} gmail. {DOT} com
 * Website: http://evilcry.netsons.org
 * http://evilcodecave.blogspot.com
 * http://evilcodecave.wordpress.com
 * http://evilfingers.com