===============================ADVISORY=============================== Advisory: Data Encryption Systems - DESLock+ - Local Kernel Code Execution/Denial of Service Advisory ID: DSEC-2011-0002 Author: Neil Kettle, Digit Security Ltd Affected Software: Data Encryption Systems - DESLock+ Vendor URL: http://www.deslock.com Vendor Status: unpatched Category: Denial of Service/Privilege Escalation Date Reported: 2008/07/31 Last Modified: 2011/02/08 Release Date: 2011/02/08 ===============================ADVISORY=============================== Description ----------- A vulnerability has been discovered in one of Data Encryption Systems DESLock+ kernel drivers, an attacker exploiting this vulnerability may execute arbitrary code with kernel mode privileges, or cause a Denial of Service attack via a page fault caused by an invalid pointer dereference. Data Encryption Systems Ltd received the best "Encryption Solution of the Year" at "The Computing Security Awards 2010", http://www.computingsecurityawards.co.uk/ Analysis -------- A vulnerability exists due to the improper validation of a user- supplied pointer within a structure passed as argument to the IOCTL interface exported from the globally accessible “\\.\DLPTokenWalter0” device. Exploitation ------------ An exploit will be made available to the public in due course at the following URL, http://www.digit-labs.org/files/exploits/deslock-vdlptokn.c http://www.digit-security.com/research.php An updated version of the exploit that targets DESLock+ > 4.1.10 will be made available shortly. Technologies Affected ------------------------------ Data Encryption Systems - DESLock+ (3.2.7, <= 4.1.12) Vendor Response ------------------------------ The same vulnerability has persisted within DESLock + for over 2 years, and despite numerous Data Encryption Systems’s attempts to rectify the issue, all attempts have fallen short of being sufficient to negate exploitation. While we endeavour to contact all vendors prior to release of any vulnerability information, it should be noted that every attempt made to contact Data Encryption Systems and inform them of the vulnerability (and many other vulnerabilities) either results in no response, or, an ‘unfavourable’ response. Disclosure Timeline ------------------------------ 31th July 2008 – Vendor Disclosure Credits ------------------------------ Neil Kettle of Digit Security Ltd Thanks ------------------------------ David Tomlinson of Data Encryption Systems Ltd for the encouragement to continue searching through DESLock+. About Digit Security Ltd ---------------------------------- Digit Security is a computer security consultancy based in the United Kingdom, albeit with a slight difference. The company is a co-operatively controlled entity comprised of professionals who are experts in their respective fields. Thus, as a corollary, nearly everyone at Digit Security is a both a Consultant, Developer and a Director (although we prefer the term 'equal'). Web: www.digit-security.com Email: research@digit-security.com