Deep Freeze - Out-of-bounds Read
5.8
Medium
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Deep Freeze 9.00.020.5760 - Out-of-bounds read
Code name
State
Public
Release date
Aug 24, 2024
Affected product
Deep Freeze
Vendor
Faronics Corporation
Affected version(s)
Version 9.00.020.5760
Vulnerability name
Out-of-bounds read
Vulnerability type
Remotely exploitable
No
CVSS v3.0 vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
CVSS v3.0 base score
5.8
Exploit available
Yes
CVE ID(s)
Description
Deep Freeze 9.00.020.5760 is vulnerable to an out-of-bounds read vulnerability by triggering the 0x70014 IOCTL code of the FarDisk.sys driver.
Vulnerability
The 0x70014 IOCTL code of the FarDisk.sys driver allows performing an Out-of-bounds read.
The following is the handling code of the 0x70014 IOCTL:
When the nInBufferSize parameter of the IOCTL request is greater or equal than 0x10, the second DWORD of the user-controlled SystemBuffer is passed to the IO manager as the returned bytes for the IO response. This allows an attacker to control how many bytes to read past the allocated SystemBuffer memory block.
A snipped of the proof-of-concept code is the following:
With that, the attacker can read 0x42424242 bytes from adjacent objects, leaking whatever the object leaked can have, including user and kernel addresses:
Our security policy
We have reserved the ID CVE-2024-8159 to refer to this issue from now on.
System Information
Version: Deep Freeze 9.00.020.5760
Operating System: Windows
Mitigation
There is currently no patch available for this vulnerability.
References
Vendor page https://www.faronics.com/
Product page https://www.faronics.com/es/products/deep-freeze
Timeline
Vulnerability discovered
Aug 25, 2024
Vendor contacted
Aug 25, 2024
