[FabulaTech][USB over Network Client][ftusbbus2][0x220448][NPD][DOS]

FabulaTech USB over Network Client DOS Vulnerability

Basic Info

Vendor: FabulaTech

Software：

Name: USB over Network Client
Version: 6.0.6.1
Download Page: https://www.usb-over-network.com/usb-over-network-download.html

Vulnerable Component:

File: ftusbbus2.sys
File Version: 5.1.26.0

Vuln Type: Null Pointer Dereference

Description:

ftusbbus2.sys allows all users in Everyone Group to interact with it. When process IOCTL 0x220448, it doesn't check the address of the input buffer, an attacker with low privilege can trigger this vulnerability and cause BSOD in the Windows system.

Proof Of Concept

Test OS Version: Windows 10, 19041.vb_release.191206-1406

click poc.exe to trigger this issue
cause a BSOD of Windows system

CONTEXT:  ffff808cd8b40d50 -- (.cxr 0xffff808cd8b40d50)
rax=0000000000000000 rbx=0000000000000000 rcx=ffffd702f38ed080
rdx=ffffd702f3b156d8 rsi=ffffd702f3b156d8 rdi=ffffd702f3b15690
rip=fffff806743910d6 rsp=ffff808cd8b41750 rbp=ffffd702f64633f0
 r8=ffff808cd8b41760  r9=ffffd702f34899e8 r10=000000000022200b
r11=0000000000000000 r12=ffffd702f3489908 r13=ffffd702f3b15540
r14=0000000000000001 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050286
ftusbbus2+0x10d6:
fffff806`743910d6 8b03            mov     eax,dword ptr [rbx] ds:002b:00000000`00000000=????????
Resetting default scope

PROCESS_NAME:  poc.exe

STACK_TEXT:
ffff808c`d8b41750 fffff806`7439b3b7 : 00000000`c0000010 ffffd702`f64633f0 ffffd702`f3b15690 fffff806`59e5a2c1 : ftusbbus2+0x10d6
ffff808c`d8b41790 fffff806`59a49cf5 : ffffd702`00000000 ffffd702`f34898d0 ffffd702`f3b15690 00000000`00000002 : ftusbbus2+0xb3b7
ffff808c`d8b417f0 fffff806`59e592ac : 00000000`00000001 00000000`00220448 ffffd702`f64633f0 00000000`00000000 : nt!IofCallDriver+0x55
ffff808c`d8b41830 fffff806`59e58f03 : ffffd702`00000000 ffff808c`d8b41b80 00000000`00010000 00000000`00220448 : nt!IopSynchronousServiceTail+0x34c
ffff808c`d8b418d0 fffff806`59e581d6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xd13
ffff808c`d8b41a20 fffff806`59c25235 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`0014ee08 : nt!NtDeviceIoControlFile+0x56
ffff808c`d8b41a90 00007ffa`f510d0c4 : 00007ffa`f2b2591b 00000002`0000000c 00007ffa`f50c0101 0000f4bb`ff678807 : nt!KiSystemServiceCopyEnd+0x25
00000000`0014fdc8 00007ffa`f2b2591b : 00000002`0000000c 00007ffa`f50c0101 0000f4bb`ff678807 00007ffa`f2fd5985 : ntdll!NtDeviceIoControlFile+0x14
00000000`0014fdd0 00007ffa`f3295921 : 00000000`00220448 00000000`00000000 00000000`0014fe60 00007ffa`00000000 : KERNELBASE!DeviceIoControl+0x6b
00000000`0014fe40 00007ff6`ffe410fc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!DeviceIoControlImplementation+0x81
00000000`0014fe90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : poc!main+0x8c

FabulaTech USB over Network Client DOS Vulnerability

Basic Info

Proof Of Concept

attachment