IOBit Protected Folder DOS Vulnerability

Basic Info

Vendor: IOBit

Software:

Vulnerable Component:

Vuln Type: Null Pointer Dereference

Description:

pffilter.sys allows all users in the Everyone group to interact with it. When processing IOCTL 0x22200c, it does not check the address of the input buffer, so a low-privileged attacker can trigger this vulnerability and cause a BSOD on the Windows system.

Proof Of Concept

Test OS Version: Windows 10, 19041.vb_release.191206-1406

  1. Click poc.exe to trigger this issue.
  2. The Windows system crashes with a BSOD.

CONTEXT:  ffff808cd871dda0 -- (.cxr 0xffff808cd871dda0)
rax=0000000000000081 rbx=00000000c000000d rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=ffffd702f40a8770
rip=fffff806743948dd rsp=ffff808cd871e7a0 rbp=ffffd702f7392920
 r8=0000000000000000  r9=0000000000000004 r10=fffff8067439479c
r11=0000000000000000 r12=0000000000000000 r13=ffffd702f447de10
r14=0000000000000001 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050286
pffilter+0x48dd:
fffff806`743948dd 8801            mov     byte ptr [rcx],al ds:002b:00000000`00000000=??
Resetting default scope

STACK_TEXT:
ffff808c`d871e7a0 fffff806`59a49cf5 : 00000000`00000002 ffffd702`f7392920 00000000`00000000 00000000`00000000 : pffilter+0x48dd
ffff808c`d871e7f0 fffff806`59e592ac : 00000000`00000001 00000000`0022200c ffffd702`f7392920 00000000`00000000 : nt!IofCallDriver+0x55
ffff808c`d871e830 fffff806`59e58f03 : ffffd702`00000000 ffff808c`d871eb80 00000000`00000000 00000000`0022200c : nt!NtDeviceIoControlFile+0x112c
ffff808c`d871e8d0 fffff806`59e581d6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0xd83
ffff808c`d871ea20 fffff806`59c25235 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`0014ee08 : nt!NtDeviceIoControlFile+0x56
ffff808c`d871ea90 00007ffa`f510d0c4 : 00007ffa`f2b2591b 00000002`0000000c 00007ffa`f50c0101 00008cb5`fd9f84ca : nt!setjmpex+0x83f5
00000000`0014fdc8 00007ffa`f2b2591b : 00000002`0000000c 00007ffa`f50c0101 00008cb5`fd9f84ca 00007ffa`f2fd5985 : ntdll!NtDeviceIoControlFile+0x14
00000000`0014fdd0 00000002`0000000c : 00007ffa`f50c0101 00008cb5`fd9f84ca 00007ffa`f2fd5985 00000000`0014fe20 : KERNELBASE!DeviceIoControl+0x6b
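
As an added example (not part of the original advisory and not IOBit's code), the user-mode C model below decodes IOCTL 0x22200c using the CTL_CODE bit layout and shows the pointer and length check a handler needs before a one-byte store like the one at pffilter+0x48dd. The mock_request struct and handle_request function are hypothetical stand-ins for the IRP fields a real dispatch routine reads.

```c
/* Added example, not IOBit's code: user-mode model for triage and hardening. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du

/* Fields packed into a control code by the Windows CTL_CODE macro. */
typedef struct {
    uint32_t device_type; /* bits 31..16 */
    uint32_t access;      /* bits 15..14, 0 = FILE_ANY_ACCESS */
    uint32_t function;    /* bits 13..2 */
    uint32_t method;      /* bits 1..0, 0 = METHOD_BUFFERED */
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2) & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Hypothetical stand-in for the IRP fields a dispatch routine reads. */
typedef struct {
    void    *system_buffer; /* models Irp->AssociatedIrp.SystemBuffer */
    uint32_t input_length;  /* models InputBufferLength */
} mock_request;

/* With METHOD_BUFFERED the system buffer is NULL when both buffer lengths
 * are zero, so validate pointer and length before the store. */
uint32_t handle_request(const mock_request *req, uint8_t value) {
    if (req->system_buffer == NULL || req->input_length < sizeof(uint8_t))
        return STATUS_INVALID_PARAMETER;
    *(uint8_t *)req->system_buffer = value; /* one-byte store, as in the dump */
    return STATUS_SUCCESS;
}

int main(void) {
    ioctl_fields f = decode_ioctl(0x22200c);
    uint8_t byte = 0;
    mock_request empty = { NULL, 0 }, ok = { &byte, sizeof byte };
    printf("type=0x%x access=%u function=0x%x method=%u\n", (unsigned)f.device_type,
           (unsigned)f.access, (unsigned)f.function, (unsigned)f.method);
    printf("empty -> 0x%08x, valid -> 0x%08x\n",
           (unsigned)handle_request(&empty, 0x81), (unsigned)handle_request(&ok, 0x81));
    return 0;
}
```

The decoded fields (device type 0x22, function 0x803, METHOD_BUFFERED, FILE_ANY_ACCESS) are what a reviewer would check against the driver's dispatch table when auditing which control codes are reachable without elevated access.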

attachment

pffilter.sys