FabulaTech USB over Network Client DOS Vulnerability

Basic Info

Vendor: FabulaTech

Software:

Vulnerable Component:

Vuln Type: Null Pointer Dereference

Description:

ftusbbus2.sys allows all users in the Everyone group to interact with it. When processing IOCTL 0x220420, it does not validate the address of the input buffer before dereferencing it, so an attacker with low privileges can trigger this vulnerability and cause a BSOD on the Windows system.

Proof Of Concept

Test OS Version: Windows 10, 19041.vb_release.191206-1406

  1. Run poc.exe to trigger this issue.
  2. The Windows system crashes with a BSOD. Debugger output from the crash:

CONTEXT:  ffff808cd8545d30 -- (.cxr 0xffff808cd8545d30)
rax=0000000000000000 rbx=ffffd702f3b15690 rcx=ffffd702f4798080
rdx=ffffd702f3b156d8 rsi=ffffd702f3b15690 rdi=ffffd702ef6692b0
rip=fffff80674391201 rsp=ffff808cd8546730 rbp=ffffd702f3b156d8
 r8=ffff808cd8546740  r9=ffffd702ef6692e8 r10=000000000022200b
r11=0000000000000000 r12=0000000000000000 r13=ffffd702ef6692e8
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050282
ftusbbus2+0x1201:
fffff806`74391201 418b06          mov     eax,dword ptr [r14] ds:002b:00000000`00000000=????????
Resetting default scope

PROCESS_NAME:  poc.exe

STACK_TEXT:
ffff808c`d8546730 fffff806`7439b38b : d702f660`9a00fffe 00000000`c0000010 ffffd702`f6609a30 ffffd702`f3b15690 : ftusbbus2+0x1201
ffff808c`d8546790 fffff806`59a49cf5 : ffffd702`00000000 ffffd702`ef6692b0 ffffd702`f3b15690 00000000`00000002 : ftusbbus2+0xb38b
ffff808c`d85467f0 fffff806`59e592ac : 00000000`00000001 00000000`00220420 ffffd702`f6609a30 00000000`00000000 : nt!IofCallDriver+0x55
ffff808c`d8546830 fffff806`59e58f03 : ffffd702`00000000 ffff808c`d8546b80 00000000`00010000 00000000`00220420 : nt!IopSynchronousServiceTail+0x34c
ffff808c`d85468d0 fffff806`59e581d6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xd13
ffff808c`d8546a20 fffff806`59c25235 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`0014edb8 : nt!NtDeviceIoControlFile+0x56
ffff808c`d8546a90 00007ffa`f510d0c4 : 00007ffa`f2b2591b 00000002`0000000c 00007ffa`f50c0101 00008f0a`937445a9 : nt!KiSystemServiceCopyEnd+0x25
00000000`0014fdc8 00007ffa`f2b2591b : 00000002`0000000c 00007ffa`f50c0101 00008f0a`937445a9 00007ffa`f2fd5985 : ntdll!NtDeviceIoControlFile+0x14
00000000`0014fdd0 00007ffa`f3295921 : 00000000`00220420 00000000`00000000 00000000`0014fe60 00007ffa`00000000 : KERNELBASE!DeviceIoControl+0x6b
00000000`0014fe40 00007ff6`e8b610fc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!DeviceIoControlImplementation+0x81
00000000`0014fe90 00007ff6`e8b61350 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : poc!main+0x8c
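The check the description says is missing, as an added example (not FabulaTech's code): a user-mode C model of a METHOD_BUFFERED IOCTL handler that validates the input length before touching SystemBuffer, plus CTL_CODE decoding of 0x220420 (FILE_DEVICE_UNKNOWN, METHOD_BUFFERED, FILE_ANY_ACCESS, so no particular access right is needed to send it). The mock_irp struct, the status constants and the two request scenarios are stand-ins constructed here; the faulting read they model is the `mov eax,dword ptr [r14]` with r14 = 0 shown in the dump above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the vendor's code: a user-mode stand-in for the fields a WDM
 * driver reads from the IRP and IO_STACK_LOCATION for a METHOD_BUFFERED request. */
typedef struct {
    uint32_t  code;           /* IoControlCode */
    uint32_t  in_len;         /* InputBufferLength */
    uint32_t  out_len;        /* OutputBufferLength */
    uint32_t *system_buffer;  /* Irp->AssociatedIrp.SystemBuffer */
} mock_irp;

#define IOCTL_FROM_ADVISORY           0x220420u   /* code seen in the stack trace */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_INVALID_PARAMETER      0xC000000Du
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u
/* CTL_CODE field decoding, layout as in <winioctl.h>. */
static uint32_t ioctl_device_type(uint32_t c) { return c >> 16; }        /* 0x22 = FILE_DEVICE_UNKNOWN */
static uint32_t ioctl_access(uint32_t c)      { return (c >> 14) & 3; }  /* 0 = FILE_ANY_ACCESS */
static uint32_t ioctl_method(uint32_t c)      { return c & 3; }          /* 0 = METHOD_BUFFERED */

/* Hardened handler: with METHOD_BUFFERED, SystemBuffer is NULL when both buffer
 * lengths are zero, so the length check has to come before the first read. */
static uint32_t handle_ioctl(const mock_irp *irp, uint32_t *first_dword) {
    if (irp->code != IOCTL_FROM_ADVISORY) return STATUS_INVALID_DEVICE_REQUEST;
    if (irp->in_len < sizeof(uint32_t))   return STATUS_BUFFER_TOO_SMALL;
    if (irp->system_buffer == NULL)       return STATUS_INVALID_PARAMETER;
    *first_dword = irp->system_buffer[0];  /* the read that faulted as mov eax,[r14] */
    return STATUS_SUCCESS;
}

/* Constructed scenarios: a request carrying no buffer at all, and a well-formed one. */
static uint32_t status_without_buffer(void) {
    mock_irp irp = { IOCTL_FROM_ADVISORY, 0, 0, NULL };
    uint32_t v = 0;
    return handle_ioctl(&irp, &v);
}
static uint32_t status_with_buffer(uint32_t payload, uint32_t *read_back) {
    uint32_t buf[1] = { payload };
    mock_irp irp = { IOCTL_FROM_ADVISORY, (uint32_t)sizeof buf, 0, buf };
    return handle_ioctl(&irp, read_back);
}

int main(void) {
    uint32_t v = 0, with = status_with_buffer(0x41414141u, &v);
    printf("no buffer: 0x%08X, with buffer: 0x%08X (read 0x%X)\n", status_without_buffer(), with, v);
    return 0;
}
```

The unvalidated version would fall straight through to the `system_buffer[0]` read and, in kernel mode, fault exactly as the CONTEXT above shows.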
