Vendor: FabulaTech
Software:
Vulnerable Component:
Vuln Type: Null Pointer Dereference
Description:
ftusbbus2.sys allows all users in Everyone Group to interact with it. When process IOCTL 0x22040C, it doesn't check the address of the input buffer, an attacker with low privilege can trigger this vulnerability and cause BSOD in the Windows system.
Test OS Version: Windows 10, 19041.vb_release.191206-1406
CONTEXT: ffff808cd6cc0d50 -- (.cxr 0xffff808cd6cc0d50)
rax=0000000000000000 rbx=0000000000000000 rcx=ffffd702ef731080
rdx=ffffd702f3b156d8 rsi=ffffd702f3b156d8 rdi=ffffd702f3b15690
rip=fffff806743910d6 rsp=ffff808cd6cc1750 rbp=ffffd702f4411280
r8=ffff808cd6cc1760 r9=ffffd702f24cc128 r10=000000000022200b
r11=0000000000000000 r12=ffffd702f24cc048 r13=ffffd702f3b15540
r14=0000000000000001 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050286
ftusbbus2+0x10d6:
fffff806`743910d6 8b03 mov eax,dword ptr [rbx] ds:002b:00000000`00000000=????????
Resetting default scope
PROCESS_NAME: poc.exe
STACK_TEXT:
ffff808c`d6cc1750 fffff806`7439b3b7 : 00000000`c0000010 ffffd702`f4411280 ffffd702`f3b15690 fffff806`59e5a2c1 : ftusbbus2+0x10d6
ffff808c`d6cc1790 fffff806`59a49cf5 : ffffd702`00000000 ffffd702`f24cc010 ffffd702`f3b15690 00000000`00000002 : ftusbbus2+0xb3b7
ffff808c`d6cc17f0 fffff806`59e592ac : 00000000`00000001 00000000`0022040c ffffd702`f4411280 00000000`00000000 : nt!IofCallDriver+0x55
ffff808c`d6cc1830 fffff806`59e58f03 : ffffd702`00000000 ffff808c`d6cc1b80 00000000`00010000 00000000`0022040c : nt!IopSynchronousServiceTail+0x34c
ffff808c`d6cc18d0 fffff806`59e581d6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xd13
ffff808c`d6cc1a20 fffff806`59c25235 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`0014edb8 : nt!NtDeviceIoControlFile+0x56
ffff808c`d6cc1a90 00007ffa`f510d0c4 : 00007ffa`f2b2591b 00000002`0000000c 00007ffa`f50c0101 00004ec8`80183bcc : nt!KiSystemServiceCopyEnd+0x25
00000000`0014fdc8 00007ffa`f2b2591b : 00000002`0000000c 00007ffa`f50c0101 00004ec8`80183bcc 00007ffa`f2fd5985 : ntdll!NtDeviceIoControlFile+0x14
00000000`0014fdd0 00007ffa`f3295921 : 00000000`0022040c 00000000`00000000 00000000`0014fe60 00007ffa`00000000 : KERNELBASE!DeviceIoControl+0x6b
00000000`0014fe40 00007ff7`28d410fc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!DeviceIoControlImplementation+0x81
00000000`0014fe90 00007ff7`28d41350 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : poc!main+0x8c