[FabulaTech][USB over Network Client][ftusbbus2][0x22040C][NPD][DOS]

FabulaTech USB over Network Client DOS Vulnerability

Basic Info

Vendor: FabulaTech

Software：

Name: USB over Network Client
Version: 6.0.6.1
Download Page: https://www.usb-over-network.com/usb-over-network-download.html

Vulnerable Component:

File: ftusbbus2.sys
File Version: 5.1.26.0

Vuln Type: Null Pointer Dereference

Description:

ftusbbus2.sys allows all users in Everyone Group to interact with it. When process IOCTL 0x22040C, it doesn't check the address of the input buffer, an attacker with low privilege can trigger this vulnerability and cause BSOD in the Windows system.

Proof Of Concept

Test OS Version: Windows 10, 19041.vb_release.191206-1406

click poc.exe to trigger this issue
cause a BSOD of Windows system

CONTEXT:  ffff808cd6cc0d50 -- (.cxr 0xffff808cd6cc0d50)
rax=0000000000000000 rbx=0000000000000000 rcx=ffffd702ef731080
rdx=ffffd702f3b156d8 rsi=ffffd702f3b156d8 rdi=ffffd702f3b15690
rip=fffff806743910d6 rsp=ffff808cd6cc1750 rbp=ffffd702f4411280
 r8=ffff808cd6cc1760  r9=ffffd702f24cc128 r10=000000000022200b
r11=0000000000000000 r12=ffffd702f24cc048 r13=ffffd702f3b15540
r14=0000000000000001 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050286
ftusbbus2+0x10d6:
fffff806`743910d6 8b03            mov     eax,dword ptr [rbx] ds:002b:00000000`00000000=????????
Resetting default scope

PROCESS_NAME:  poc.exe

STACK_TEXT:
ffff808c`d6cc1750 fffff806`7439b3b7 : 00000000`c0000010 ffffd702`f4411280 ffffd702`f3b15690 fffff806`59e5a2c1 : ftusbbus2+0x10d6
ffff808c`d6cc1790 fffff806`59a49cf5 : ffffd702`00000000 ffffd702`f24cc010 ffffd702`f3b15690 00000000`00000002 : ftusbbus2+0xb3b7
ffff808c`d6cc17f0 fffff806`59e592ac : 00000000`00000001 00000000`0022040c ffffd702`f4411280 00000000`00000000 : nt!IofCallDriver+0x55
ffff808c`d6cc1830 fffff806`59e58f03 : ffffd702`00000000 ffff808c`d6cc1b80 00000000`00010000 00000000`0022040c : nt!IopSynchronousServiceTail+0x34c
ffff808c`d6cc18d0 fffff806`59e581d6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xd13
ffff808c`d6cc1a20 fffff806`59c25235 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`0014edb8 : nt!NtDeviceIoControlFile+0x56
ffff808c`d6cc1a90 00007ffa`f510d0c4 : 00007ffa`f2b2591b 00000002`0000000c 00007ffa`f50c0101 00004ec8`80183bcc : nt!KiSystemServiceCopyEnd+0x25
00000000`0014fdc8 00007ffa`f2b2591b : 00000002`0000000c 00007ffa`f50c0101 00004ec8`80183bcc 00007ffa`f2fd5985 : ntdll!NtDeviceIoControlFile+0x14
00000000`0014fdd0 00007ffa`f3295921 : 00000000`0022040c 00000000`00000000 00000000`0014fe60 00007ffa`00000000 : KERNELBASE!DeviceIoControl+0x6b
00000000`0014fe40 00007ff7`28d410fc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!DeviceIoControlImplementation+0x81
00000000`0014fe90 00007ff7`28d41350 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : poc!main+0x8c

FabulaTech USB over Network Client DOS Vulnerability

Basic Info

Proof Of Concept

Attachment