Security vulnerability in BufferZone 2.5

2007.08.29
Credit: seppi
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

vulnerable software: BufferZone (all product version) till version 2.5 (latest) type of vulnerability: DoS, potential privilege escalation I found a vulnerability in BufferZone which allows an unprivileged user and even a malicious software running inside the BufferZone sandbox to crash the system and potentially run arbitrary code with kernel privileges. The issue is within the kernel driver redlight.sys which does not properly validate file buffer. Sending the IOCTL code FsSetVolumeInformation with subcode FsSetDirectoryInformation with a large buffer but underreporting its size with at most 1024 bytes results in a buffer underrun which might also lead to executing arbitrary code. Since the RedLight device is also visible to sandboxed application, it might allow a sandboxed malware to escape the sandbox. How to reproduce: - get DC2.exe from the latest Windows Driver Kit - install BufferZone - login with an unprivileged user - start a cmd.exe shell within the sandbox - run "dc2 /hct \Device\RedLight" I have originally reported this vulnerability for BufferZone 2.1 on 13-Jun-07, but aside from an some auto-response mails never received any reply. The vulnerability is still present in the most recent version 2.5.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top