recent.news
2009-12-18 - The slides from my recent presentation at CRESTCon 2009, the 'replacement' for CHECKCon, are now online! exploit code for the demonstrations [...]
2009-03-30 - We (by we, I mean myself and christer) recently demonstrated a score of local (and indeed a remote) kernel vulnerabilities [...]
a good home must be made, not bought.

recent.additions
- May 26-10 - SecurStar DriveCrypt <= 5.4 Local Kernel ring0 Code Execution
  [ drivecrypt-dcr.c ]
- May 26-10 - SecurStar DriveCrypt <= 5.4 Local Kernel Arbitrary File Read/Write Exploit
  [ drivecrypt-fopen.c ]
- April 26-10 - NovaSTOR NovaNet <= 12.0 Remote Memory Read/Denial of Service
  [ novanet-read.c - BID-39693 ]
- April 26-10 - NovaSTOR NovaNet <= 12.0 Remote Code Execution
  [ novanet-own.c - novanet-own-lnx.c - BID-39693 ]
- April 26-10 - NovaSTOR NovaNet/NovaBACKUP Network <= 13.0 Remote Denial of Service
  [ novanet-dos.c - BID-39693 ]
- January 15-10 - is SafeCentral actually unsafe?
  [ link ]
- January 15-10 - Authentium SafeCentral <= 2.6 shdrv.sys Local Kernel Denial of Service/ring0 Code Execution
  [ safecentral-unharden.c - BID-37939 ]
- January 15-10 - Authentium SafeCentral <= 2.6 shdrv.sys Local Kernel ring0 Code Execution
  [ safecentral-unharden-v2.c - BID-37939 ]
- December 22-09 - CRESTCon 2009: "[Win32] Full/Virtual Disk Encryption Vulnerabilities"
  [ link - presentation (pdf) ]
- October 02-09 - VMware Fusion <= 2.0.5 vmx86 kext Local Kernel Denial of Service
  [ vmware-pop.c - CVE-2009-3282 - BID-36579 ]
- October 02-09 - VMware Fusion <= 2.0.5 vmx86 kext Local Kernel Root Exploit
  [ vmware-fission.c - CVE-2009-3281 - BID-36578 ]
- August 10-09 - DESLock+ <= 4.0.2 dlpcrypt.sys Driver Local Kernel Denial of Service
  [ deslock-dlpcrypt-v2.c ]
- August 10-09 - DESLock+ <= 4.0.3 vdlptokn.sys Driver Local Kernel ring0 Code Execution
  [ deslock-vdlptokn.c ]
- August 10-09 - DESLock+ <= 4.0.3 vdlptokn.sys Driver Local Kernel Denial of Service
  [ deslock-vdlptokn-v2.c ]
- June 23-09 - DESLock+ ownage
  [ link ]
- June 23-09 - B-Labs Bopup Communication Server <= 3.2.26.5460 Remote Buffer Overflow
  [ bopup-down.c - CVE-2009-2227 ]
- June 18-09 - DESLock+ 4.0.2 dlpcrypt.sys Driver Local Kernel ring0 Code Execution
  [ deslock-dlpcrypt.c - BID-35432 ]
- May 27-09 - The DESLock+ debacle
  [ link ]
- May 14-09 - Apple Mac OS X xnu <= 1228.x workqueue Index Validation Vulnerability
  [ xnu-workq-v2-64.c - iDEFENSE-797 - Apple Mac OS X Security Update 2009-002 - CVE-2008-1517 - BID-34959 ]
- May 13-09 - ipsec-tools racoon isakmp-frag Remote Denial of Service
  [ racoon-isakmp-dos.c - CVE-2009-1574 - BID-34765 ]
- May 02-09 - Sun Solaris 10/OpenSolaris <= snv_113 dtrace Local Kernel Denial of Service
  [ solaris-dtrace-dos.c - CVE-2009-1478 - BID-34753 ]
- May 02-09 - Sun Solaris 10/OpenSolaris <= snv_113 fasttrap Local Kernel Denial of Service
  [ solaris-fasttrap-dos.c - CVE-2009-1478 - BID-34753 ]
- March 30-09 - Apple Mac OS X xnu <= 1228.x hfs-fcntl Local Kernel Root Exploit
  [ xnu-hfs-fcntl-v2.c - xnu-hfs-fcntl-v2.sh - CVE-2009-1235 - BID-34203 - informationweek.com - Heise-Security ]
- March 30-09 - Apple Mac OS X xnu <= 1228.x vfssysctl Local Kernel Denial of Service
  [ xnu-vfssysctl-dos.c - CVE-2009-1238 - BID-34202 - informationweek.com - Heise-Security ]
- March 30-09 - Apple Mac OS X xnu <= 1228.x profil Local Kernel Memory Leak/Denial of Service
  [ xnu-profil-leak.c - CVE-2009-1237 - BID-34202 - informationweek.com - Heise-Security ]
- March 30-09 - Apple Mac OS X xnu <= 1228.x macfsstat Local Kernel Memory Leak/Denial of Service
  [ xnu-macfsstat-leak.c - CVE-2009-1237 - BID-34202 - informationweek.com - Heise-Security ]
- March 30-09 - Apple Mac OS X xnu <= 1228.x appletalk zip-notify Remote Kernel Overflow
  [ xnu-appletalk-zip.c - CVE-2009-1236 - BID-34201 - informationweek.com - Heise-Security ]
- March 30-09 - FreeBSD >= 7.0 ktimer Local Kernel Root Exploit
  [ bsd-ktimer.c - CVE-2009-1041 - BID-34196 - Heise-Security ]
- February 26-09 - Apple Mac OS X xnu <= 1228.x get_ldt Local Kernel Memory Disclosure
  [ xnu-get_ldt.c - CVE-2008-4218 ]
- September 20-08 - DESLock+ <= 3.2.7 DLMFENC.sys Driver Local Kernel Vulnerabilities
  [ deslock-overflow.c - deslock-probe-race.c - deslock-probe-read.c - CVE-2008-4363 - BID-31273 ]
- September 02-08 - Anytime Algorithms for ROBDD Symmetry Detection and Approximation
  [ thesis (pdf) ]
- July 26-08 - equivset - an implementation of the equivalence approximation algorithm for ROBDDs
  [ link ]
- June 17-08 - Bit-Precise Reasoning with Affine Functions
  [ paper (pdf) - link ]
- June 17-08 - Deterministic Network Enhancer dne2000.sys Driver Local Kernel ring0 Code Execution
  [ dne2000-call.c - CVE-2008-5121 - BID-29772 - CERT-858993 - Heise-Security ]
- February 26-08 - Apple Mac OS X xnu <= 1228.3.13 ipv6-ipcomp Remote Kernel Denial of Service
  [ xnu-ipv6-ipcomp.c - CVE-2008-0177 - BID-27642 - CERT-110947 - informationweek.com ]
