Vendor: FabulaTech
Software:
Vulnerable Component:
Vuln Type: Null Pointer Dereference
Description:
ftusbbus2.sys allows all users in the Everyone group to interact with it. When it processes IOCTL 0x220408, it does not validate the address of the input buffer before using it, so an attacker with low privileges can trigger this vulnerability and cause a BSOD (kernel-mode denial of service) on the Windows system. The crash context below shows the fault at `mov eax,dword ptr [rbx]` with rbx=0, i.e. a read through a NULL pointer. Note that the stack trace records 0x22040c as the control code argument passed through nt!IopXxxControlFile and KERNELBASE!DeviceIoControl, which differs from the 0x220408 stated here; confirm which IOCTL value the proof of concept actually issues.
Test OS Version: Windows 10, 19041.vb_release.191206-1406
CONTEXT: ffff808cd67e6d50 -- (.cxr 0xffff808cd67e6d50)
rax=0000000000000000 rbx=0000000000000000 rcx=ffffd702efd4b080
rdx=ffffd702f3b156d8 rsi=ffffd702f3b156d8 rdi=ffffd702f3b15690
rip=fffff806743910d6 rsp=ffff808cd67e7750 rbp=ffffd702f4c1c4c0
r8=ffff808cd67e7760 r9=ffffd702f79ded88 r10=000000000022200b
r11=0000000000000000 r12=ffffd702f79deca8 r13=ffffd702f3b15540
r14=0000000000000001 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050286
ftusbbus2+0x10d6:
fffff806`743910d6 8b03 mov eax,dword ptr [rbx] ds:002b:00000000`00000000=????????
Resetting default scope
PROCESS_NAME: poc.exe
STACK_TEXT:
ffff808c`d67e7750 fffff806`7439b3b7 : 00000000`c0000010 ffffd702`f4c1c4c0 ffffd702`f3b15690 fffff806`59e5a2c1 : ftusbbus2+0x10d6
ffff808c`d67e7790 fffff806`59a49cf5 : ffffd702`00000000 ffffd702`f79dec70 ffffd702`f3b15690 00000000`00000002 : ftusbbus2+0xb3b7
ffff808c`d67e77f0 fffff806`59e592ac : 00000000`00000001 00000000`0022040c ffffd702`f4c1c4c0 00000000`00000000 : nt!IofCallDriver+0x55
ffff808c`d67e7830 fffff806`59e58f03 : ffffd702`00000000 ffff808c`d67e7b80 00000000`00010000 00000000`0022040c : nt!IopSynchronousServiceTail+0x34c
ffff808c`d67e78d0 fffff806`59e581d6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xd13
ffff808c`d67e7a20 fffff806`59c25235 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`0014edb8 : nt!NtDeviceIoControlFile+0x56
ffff808c`d67e7a90 00007ffa`f510d0c4 : 00007ffa`f2b2591b 00000002`0000000c 00007ffa`f50c0101 000057c5`43fcc71b : nt!KiSystemServiceCopyEnd+0x25
00000000`0014fdc8 00007ffa`f2b2591b : 00000002`0000000c 00007ffa`f50c0101 000057c5`43fcc71b 00007ffa`f2fd5985 : ntdll!NtDeviceIoControlFile+0x14
00000000`0014fdd0 00007ffa`f3295921 : 00000000`0022040c 00000000`00000000 00000000`0014fe60 00007ffa`00000000 : KERNELBASE!DeviceIoControl+0x6b
00000000`0014fe40 00007ff6`847310fc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!DeviceIoControlImplementation+0x81
00000000`0014fe90 00007ff6`84731350 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : poc!main+0x8c