protect your data, use truecrypt.
what.is.DESlock+?
DESlock+ is a software (and hardware) based encryption product for home/office use. The software based product provides users with the ability to encrypt/decrypt files, folders, pseudo-filesystems (entire drives emulated from DESlock+ encrypted files) and emails (much like GNU/OpenPGP, but, suffice to say, much less useful). The software itself can be obtained from http://www.deslock.com.
research
The initial purpose of my research into DESlock+ was simply to satisfy myself that the product was, at least, 'secure' with respect to cryptographic best practice. However, upon taking an initial look through the kernel drivers used to provide file system manipulation support to userland components, it became alarmingly apparent just how bad the DESlock+ kernel drivers really were. In less than 2 days, I had discovered enough trivially exploitable vulnerabilities to write a total of some 5 local kernel exploits!
More information on the methods, tactics and intimidation used by Data Encryption Systems can be found here.
vuln.erabilities
- February 08-11 - DESLock+ <= 4.1.2 vdlptokn.sys Driver Local Kernel ring0 Code Execution
  [ deslock-vdlptokn-v3.c ]
- August 10-09 - DESLock+ <= 4.0.2 dlpcrypt.sys Driver Local Kernel Denial of Service
  [ deslock-dlpcrypt-v2.c ]
- August 10-09 - DESLock+ <= 4.0.3 vdlptokn.sys Driver Local Kernel ring0 Code Execution
  [ deslock-vdlptokn.c ]
- August 10-09 - DESLock+ <= 4.0.3 vdlptokn.sys Driver Local Kernel Denial of Service
  [ deslock-vdlptokn-v2.c - CVE-2008-4362 ]
- June 18-09 - DESLock+ 4.0.2 dlpcrypt.sys Driver Local Kernel ring0 Code Execution
  [ deslock-dlpcrypt.c - CVE-2009-4832 - BID-35432 ]
- September 20-08 - DESLock+ <= 3.2.7 DLMFENC.sys Driver Local Kernel Vulnerabilities
  [ deslock-overflow.c - deslock-probe-race.c - deslock-probe-read.c - CVE-2008-4363 - BID-31273 ]
- February 18-08 - DESLock+ <= 3.2.6 DLMFENC.sys Driver Local Kernel ring0 Code Execution
  [ deslock-list-zero.c - deslock-list-zero-v2.c - CVE-2008-1138 - CVE-2008-1139 - BID-27862 ]
- February 18-08 - DESLock+ <= 3.2.6 DLMFDISK.sys Driver Local Kernel ring0 Code Execution
  [ deslock-pown-v2.c - CVE-2008-1140 - BID-27862 ]
- February 18-08 - DESLock+ <= 3.2.6 DLMFENC.sys Driver Local Kernel Memory Leak
  [ deslock-list-leak.c - CVE-2008-1141 - BID-27862 ]
future.vuln.erabilities
The following is a list of vulnerabilities that have yet to be disclosed. Note that this list is by no means complete and is likely to change wildly in the coming days...
- DESLock+ <= 4.0.3 ???.sys Local Kernel Driver ring0 Code Execution
  - yet more instances of arbitrary user-supplied pointer usage without sufficient checks/exception handling.
- DESLock+ <= 4.0.3 ???.sys Local Kernel Driver Denial of Service
  - proof that DESLock+ developers do not understand the root cause of many of these vulnerabilities, and will only patch individual instances (i.e. this bug is identical to a previously disclosed bug that was 'patched').
- DESLock+ <= 4.0.3 ???.sys Local Kernel Driver Denial of Service/Memory Disclosure
  - multiple instances of out-of-bounds array indexing.