recent.news
2010-09-14 - The slides from my recent (re-)presentation (with lots of extra bits) at SEC-T 2010 will soon be online! exploit code [...]
2009-12-18 - The slides from my recent presentation at CRESTCon 2009, the 'replacement' for CHECKCon, are now online! exploit code for the demonstrations [...]
“>>>I<<< know the pointers are valid.”
"Third Party Windows Kernel drivers are really terrible."
"CREST and CESG have joined forces to host the first Ethical Security Testers Conference and we would like to invite you to this event."
CRESTCON.2009
On the 15th December 2009, I gave a presentation at CRESTCon 2009 held at Royal Holloway College, University of London. The presentation attempted to demonstrate just how bad Virtual Disk/Full Disk Encryption (VDE/FDE) drivers actually are! The presentation did of course feature DESlock+ very prominently. However, there were a few others featured, namely SecurStar DriveCrypt 5.3 (and "DriveCrypt - Plus Pack"), Utimaco Safeware (since bought out by SOPHOS) PrivateDisk 2.x and SafeBit.
The number of bugs found in these, as you might expect by now, is simply too high to estimate! However, the presentation slides are available below...
the.presentation
the.exploits
- July 27-18
- Utimaco Safeware AG (Sophos) - SafeGuard PrivateDisk Local Kernel ring0 Code Execution
[ safeguard-pdisk-overflow.c - safeguard-pdisk-overflow-v2.c ]
- February 08-11
- DESLock+ <= 4.1.2 vdlptokn.sys Driver Local Kernel ring0 Code Execution
[ deslock-vdlptokn-v3.c ]
- September 16-10
- Utimaco Safeware AG (Sophos) - SafeGuard PrivateDisk Local Kernel Device 'unmount' Exploit
[ safeguard-pdisk-unmount.c ]
- September 16-10
- Utimaco Safeware AG (Sophos) - SafeGuard PrivateDisk Local Kernel Device header 'overwrite' Exploit
[ safeguard-pdisk-write-header.c ]
- May 26-10
- SecurStar DriveCrypt <= 5.4 Local Kernel ring0 Code Execution
[ drivecrypt-dcr.c - BID-45750 ]
- May 26-10
- SecurStar DriveCrypt <= 5.4 Local Kernel Arbitrary File Read/Write Exploit
[ drivecrypt-fopen.c ]
- August 10-09
- DESLock+ <= 4.0.2 dlpcrypt.sys Driver Local Kernel Denial of Service
[ deslock-dlpcrypt-v2.c ]
- August 10-09
- DESLock+ <= 4.0.3 vdlptokn.sys Driver Local Kernel ring0 Code Execution
[ deslock-vdlptokn.c ]
- August 10-09
- DESLock+ <= 4.0.3 vdlptokn.sys Driver Local Kernel Denial of Service
[ deslock-vdlptokn-v2.c - CVE-2008-4362 ]
- June 18-09
- DESLock+ 4.0.2 dlpcrypt.sys Driver Local Kernel ring0 Code Execution
[ deslock-dlpcrypt.c - CVE-2009-4832 - BID-35432 ]
- September 20-08
- DESLock+ <= 3.2.7 DLMFENC.sys Driver Local Kernel Vulnerabilities
[ deslock-overflow.c - deslock-probe-race.c - deslock-probe-read.c - CVE-2008-4363 - BID-31273 ]
- February 18-08
- DESLock+ <= 3.2.6 DLMFENC.sys Driver Local Kernel ring0 Code Execution
[ deslock-list-zero.c - deslock-list-zero-v2.c - CVE-2008-1138 - CVE-2008-1139 - BID-27862 ]
- February 18-08
- DESLock+ <= 3.2.6 DLMFDISK.sys Driver Local Kernel ring0 Code Execution
[ deslock-pown-v2.c - CVE-2008-1140 - BID-27862 ]
- February 18-08
- DESLock+ <= 3.2.6 DLMFENC.sys Driver Local Kernel Memory Leak
[ deslock-list-leak.c - CVE-2008-1141 - BID-27862 ]