• home
• research
• tools
• other stuff
• about
• contact

quick.links

• my blog
• members login
• archive
• news
• links
• rss

recent.news

2009-12-18 - The slides from my recent presentation at CRESTCon 2009, the 'replacement' for CHECKCon, are now online! exploit code for the demonstrations [...]

2009-03-30 - We (by we, I mean myself and christer) recently demonstrated a score of local (and indeed a remote) kernel vulnerabilities [...]

:.home^3.1415926..

0day Disk Encryption Driver Bugs @CRESTCon 2009!

Posted on: 2009-12-18

The slides from my recent presentation at CRESTCon 2009, the 'replacement' for CHECKCon, are now online! exploit code for the demonstrations will follow very soon!

recent.additions

• May 26-10
  - SecurStar DriveCrypt <= 5.4 Local Kernel ring0 Code Execution
  [ drivecrypt-dcr.c ]
• May 26-10
  - SecurStar DriveCrypt <= 5.4 Local Kernel Arbitrary File Read/Write Exploit
  [ drivecrypt-fopen.c ]
• April 26-10
  - NovaSTOR NovaNet <= 12.0 Remote Memory Read/Denial of Service
  [ novanet-read.c - BID-39693 ]
• April 26-10
  - NovaSTOR NovaNet <= 12.0 Remote Code Execution
  [ novanet-own.c - novanet-own-lnx.c - BID-39693 ]
• April 26-10
  - NovaSTOR NovaNet/NovaBACKUP Network <= 13.0 Remote Denial of Service
  [ novanet-dos.c - BID-39693 ]
• January 15-10
  - is SafeCentral actually unsafe?
  [ link ]
• January 15-10
  - Authentium SafeCentral <= 2.6 shdrv.sys Local Kernel Denial of Service/ring0 Code Execution
  [ safecentral-unharden.c - BID-37939 ]
• January 15-10
  - Authentium SafeCentral <= 2.6 shdrv.sys Local Kernel ring0 Code Execution
  [ safecentral-unharden-v2.c - BID-37939 ]
• December 22-09
  - CRESTCon 2009: "[Win32] Full/Virtual Disk Encryption Vulnerabilities"
  [ link - presentation (pdf) ]
• October 02-09
  - VMware Fusion <= 2.0.5 vmx86 kext Local Kernel Denial of Service
  [ vmware-pop.c - CVE-2009-3282 - BID-36579 ]
• October 02-09
  - VMware Fusion <= 2.0.5 vmx86 kext Local Kernel Root Exploit
  [ vmware-fission.c - CVE-2009-3281 - BID-36578 ]
• August 10-09
  - DESLock+ <= 4.0.2 dlpcrypt.sys Driver Local Kernel Denial of Service
  [ deslock-dlpcrypt-v2.c ]
• August 10-09
  - DESLock+ <= 4.0.3 vdlptokn.sys Driver Local Kernel ring0 Code Execution
  [ deslock-vdlptokn.c ]
• August 10-09
  - DESLock+ <= 4.0.3 vdlptokn.sys Driver Local Kernel Denial of Service
  [ deslock-vdlptokn-v2.c ]
• June 23-09
  - DESLock+ ownage
  [ link ]
• June 23-09
  - B-Labs Bopup Communication Server <= 3.2.26.5460 Remote Buffer Overflow
  [ bopup-down.c - CVE-2009-2227 ]
• June 18-09
  - DESLock+ 4.0.2 dlpcrypt.sys Driver Local Kernel ring0 Code Execution
  [ deslock-dlpcrypt.c - BID-35432 ]
• May 27-09
  - The DESLock+ debacle
  [ link ]
• May 14-09
  - Apple Mac OS X xnu <= 1228.x workqueue Index Validation Vulnerability
  [ xnu-workq-v2-64.c - iDEFENSE-797 - Apple Mac OS X Security Update 2009-002 - CVE-2008-1517 - BID-34959 ]
• May 13-09
  - ipsec-tools racoon isakmp-frag Remote Denial of Service
  [ racoon-isakmp-dos.c - CVE-2009-1574 - BID-34765 ]
• May 02-09
  - Sun Solaris 10/OpenSolaris <= snv_113 dtrace Local Kernel Denial of Service
  [ solaris-dtrace-dos.c - CVE-2009-1478 - BID-34753 ]
• May 02-09
  - Sun Solaris 10/OpenSolaris <= snv_113 fasttrap Local Kernel Denial of Service
  [ solaris-fasttrap-dos.c - CVE-2009-1478 - BID-34753 ]
• March 30-09
  - Apple Mac OS X xnu <= 1228.x hfs-fcntl Local Kernel Root Exploit
  [ xnu-hfs-fcntl-v2.c - xnu-hfs-fcntl-v2.sh - CVE-2009-1235 - BID-34203 - informationweek.com -
    Heise-Security ]
• March 30-09
  - Apple Mac OS X xnu <= 1228.x vfssysctl Local Kernel Denial of Service
  [ xnu-vfssysctl-dos.c - CVE-2009-1238 - BID-34202 - informationweek.com - Heise-Security ]
• March 30-09
  - Apple Mac OS X xnu <= 1228.x profil Local Kernel Memory Leak/Denial of Service
  [ xnu-profil-leak.c - CVE-2009-1237 - BID-34202 - informationweek.com - Heise-Security ]
• March 30-09
  - Apple Mac OS X xnu <= 1228.x macfsstat Local Kernel Memory Leak/Denial of Service
  [ xnu-macfsstat-leak.c - CVE-2009-1237 - BID-34202 - informationweek.com - Heise-Security ]
• March 30-09
  - Apple Mac OS X xnu <= 1228.x appletalk zip-notify Remote Kernel Overflow
  [ xnu-appletalk-zip.c - CVE-2009-1236 - BID-34201 - informationweek.com - Heise-Security ]
• March 30-09
  - FreeBSD >= 7.0 ktimer Local Kernel Root Exploit
  [ bsd-ktimer.c - CVE-2009-1041 - BID-34196 - Heise-Security ]
• February 26-09
  - Apple Mac OS X xnu <= 1228.x get_ldt Local Kernel Memory Disclosure
  [ xnu-get_ldt.c - CVE-2008-4218 ]
• September 20-08
  - DESLock+ <= 3.2.7 DLMFENC.sys Driver Local Kernel Vulnerabilities
  [ deslock-overflow.c - deslock-probe-race.c - deslock-probe-read.c - CVE-2008-4363 - BID-31273 ]
• September 02-08
  - Anytime Algorithms for ROBDD Symmetry Detection and Approximation
  [ thesis (pdf) ]
• July 26-08
  - equivset - an implementation of the equivalence approximation algorithm for ROBDDs
  [ link ]
• June 17-08
  - Bit-Precise Reasoning with Affine Functions
  [ paper (pdf) - link ]
• June 17-08
  - Deterministic Network Enhancer dne2000.sys Driver Local Kernel ring0 Code Execution
  [ dne2000-call.c - CVE-2008-5121 - BID-29772 - CERT-858993 - Heise-Security ]
• February 26-08
  - Apple Mac OS X xnu <= 1228.3.13 ipv6-ipcomp Remote Kernel Denial of Service
  [ xnu-ipv6-ipcomp.c - CVE-2008-0177 - BID-27642 - CERT-110947 - informationweek.com ]
• February 18-08
  - DESLock+ <= 3.2.6 DLMFENC.sys Driver Local Kernel ring0 Code Execution
  [ deslock-list-zero.c - deslock-list-zero-v2.c - CVE-2008-1138 - CVE-2008-1139 - BID-27862 ]
• February 18-08
  - DESLock+ <= 3.2.6 DLMFDISK.sys Driver Local Kernel ring0 Code Execution
  [ deslock-pown-v2.c - CVE-2008-1140 - BID-27862 ]
• February 18-08
  - DESLock+ <= 3.2.6 DLMFENC.sys Driver Local Kernel Memory Leak
  [ deslock-list-leak.c - CVE-2008-1141 - BID-27862 ]
• January 29-08
  - SafeNET IPSecDrv.sys Driver Local Kernel ring0 Code Execution
  [ safenet-ipsec-call.c - CVE-2008-0573 - BID-27496 ]
• January 14-08
  - Cisco Systems VPN Client IPSec Driver Local Kernel System Pool Corruption
  [ cvpndrv-dos.c - CVE-2008-0324 - BID-27289 ]
• December 12-07
  - Apple Mac OS X xnu <= 1228.0 cs_validate_page Local Kernel Denial of Service
  [ xnu-superblob-dos.c - CVE-2007-6359 - BID-26840 ]
• December 05-07
  - Apple Mac OS X xnu <= 1228.0 load_threadstack Local Kernel Denial of Service
  [ xnu-macho-dos.c - CVE-2007-6261 - BID-26700 - Heise-Security ]
• December 05-07
  - Apple Mac OS X <= 10.5.1 vpnd Remote Denial of Service
  [ vpnd-leopard-lb-dos.c - CVE-2007-6276 - BID-26699 - Heise-Security ]
• October 16-07
  - eXtremail <= 2.1.1 Multiple Remote Vulnerabilities
  [ extremail-v3.pl - extremail-v4.c - extremail-v5.c - extremail-v6.c - extremail-v8.pl -
    CVE-2007-5466 - CVE-2007-5467 - BID-26074 ]
• September 25-07
  - Linux Kernel ALSA snd_mem_proc_read Information Disclosure Vulnerability
  [ iDEFENSE-600 - CVE-2007-4571 - BID-25807 ]
• September 22-07
  - bind9, all sweetness and light?
  [ link - name.c-diff - dst_api.c-diff ]
• September 20-07
  - How easy is it to break "random" passwords?, musings on several example algorithms
  [ link ]
• August 30-07
  - An Anytime Algorithm for Generalized Symmetry Detection in ROBDDs
  [ paper (pdf) - link ]
• August 07-07
  - Apple Mac OS X mDNSResponder HTTP Request Heap Overflow
  [ iDEFENSE-573 - Apple Mac OS X Security Update 2007-007 - CVE-2007-3744 - BID-25159 ]
• July 17-07
  - tcpdump <= 3.9.6 BGP Remote Integer Overflow
  [ tcpdump-bgp.c - print-bgp.c-diff - CVE-2007-3798 - BID-24965 - Gentoo Bug #184815 -
    Heise-Security ]