Discussion:
[a.s.s] & [s.c] How serious is this DriveCrypt vulnerability??
Jolenne
2011-06-11 09:39:31 UTC
I am not well versed in programming. All I know is that a security
vulnerability has been found in DCPP, but I am unable to work out how serious it
is and what implications it has for my data. Could anyone with knowledge tell
me how serious this bug is?

What exactly does it mean for the user that arbitrary code can be
executed in the kernel? All I want to know is whether my data is safe using
DriveCrypt full disk encryption or whether I must get something else. Thank you.

---------------------
Secunia Advisory SA42881
DriveCrypt "DCR.sys" IOCTL Handling Privilege Escalation Vulnerability

http://secunia.com/advisories/42881

Description

A vulnerability has been discovered in DriveCrypt, which can be exploited by
malicious, local users to gain escalated privileges.

The vulnerability is caused by an error in the "DCR.sys" driver when
processing IOCTLs and can be exploited to corrupt memory via a specially
crafted 0x00073800 IOCTL.

Successful exploitation allows execution of arbitrary code in the kernel.

The vulnerability is confirmed in version 5.4. Other versions may also be
affected.
Shaun
2011-06-13 11:59:27 UTC
Hi,

It's been fixed in DC5.5

This, by the way, ISN'T the full disk encryption product DCPP, which to
my knowledge has no such problem.

"DCR.sys" is the device driver for DriveCrypt, not DriveCrypt Plus
Pack.

It isn't an encryption flaw. The IOCTL interface could be leveraged to
elevate a client task to admin status by the deployment of a buffer
overrun.

Regards,
Shaun.
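What the advisory's "specially crafted 0x00073800 IOCTL" and Shaun's "buffer over-run" amount to, as an added C illustration. This is not DriveCrypt's code and does not describe what DCR.sys actually does internally: the 16-byte request size, the frame layout, the handler names and the constructed input are all assumptions for the sake of the demonstration. What is not assumed is the decoding of the control code, which follows the documented Windows CTL_CODE layout (device type, required access, function number, transfer method).

```c
/* Added example, not DriveCrypt's code. Decodes the IOCTL named in SA42881
 * and contrasts a hypothetical METHOD_BUFFERED handler that trusts the
 * caller-supplied length with a hardened one. Sizes and layout are invented. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method. */
#define METHOD_BUFFERED   0u
#define FILE_ANY_ACCESS   0u
#define FILE_DEVICE_DISK  0x00000007u
#define ADVISORY_IOCTL    0x00073800u   /* the control code named in the advisory */

uint32_t ioctl_device_type(uint32_t code) { return (code >> 16) & 0xFFFFu; }
uint32_t ioctl_access(uint32_t code)      { return (code >> 14) & 0x3u; }
uint32_t ioctl_function(uint32_t code)    { return (code >> 2) & 0xFFFu; }
uint32_t ioctl_method(uint32_t code)      { return code & 0x3u; }

/* Stand-in for the IRP fields a METHOD_BUFFERED dispatch routine reads. */
typedef struct {
    uint32_t       code;     /* IoControlCode */
    const uint8_t *in_buf;   /* SystemBuffer: the I/O manager's copy of the caller's data */
    uint32_t       in_len;   /* InputBufferLength: chosen by the caller */
} ioctl_request_t;

#define REQ_FIXED_SIZE 16u   /* assumed size of the request structure the driver expects */

/* Hypothetical stack frame: the handler's local copy, followed by what stands
 * in for the saved return address. Keeping both in one object lets the
 * simulated overrun stay defined behaviour while still showing the effect. */
typedef struct {
    uint8_t local[REQ_FIXED_SIZE];
    uint8_t saved_return[8];
} frame_t;

static const uint8_t RETURN_MARKER[8] = {0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41};

/* Vulnerable pattern: copies InputBufferLength bytes into a fixed-size local
 * without comparing that length to the local's size. Returns -1 if the code is
 * not recognised, otherwise 0 and sets *smashed if bytes landed past local[]. */
int vulnerable_handler(const ioctl_request_t *req, int *smashed) {
    frame_t frame;
    memset(&frame, 0, sizeof frame);
    memcpy(frame.saved_return, RETURN_MARKER, sizeof frame.saved_return);
    *smashed = 0;
    if (req->code != ADVISORY_IOCTL) return -1;

    /* The cap to sizeof(frame) exists only to keep this simulation inside one
     * object; a real driver with this bug has no cap at all. local[] sits at
     * offset 0, so anything beyond 16 bytes lands on saved_return. */
    size_t n = req->in_len < sizeof frame ? req->in_len : sizeof frame;
    memcpy((uint8_t *)&frame, req->in_buf, n);       /* bug: n is not bounded by sizeof local */

    *smashed = memcmp(frame.saved_return, RETURN_MARKER, sizeof RETURN_MARKER) != 0;
    return 0;
}

/* Hardened pattern: the destination size, not the caller, bounds the copy.
 * A driver would fail the IRP with STATUS_INVALID_PARAMETER here. */
int hardened_handler(const ioctl_request_t *req, int *smashed) {
    frame_t frame;
    memset(&frame, 0, sizeof frame);
    memcpy(frame.saved_return, RETURN_MARKER, sizeof frame.saved_return);
    *smashed = 0;
    if (req->code != ADVISORY_IOCTL) return -1;
    if (req->in_buf == NULL || req->in_len != REQ_FIXED_SIZE) return -1;
    memcpy(frame.local, req->in_buf, REQ_FIXED_SIZE);
    return 0;
}

/* Drive a handler with a constructed request of in_len bytes of 0x42.
 * Returns -1 if rejected, otherwise the smashed flag (0 or 1). */
static int run(int (*handler)(const ioctl_request_t *, int *), uint32_t in_len) {
    uint8_t payload[64];                              /* constructed input, not a real exploit */
    memset(payload, 0x42, sizeof payload);
    if (in_len > sizeof payload) in_len = sizeof payload;
    ioctl_request_t req = { ADVISORY_IOCTL, payload, in_len };
    int smashed = 0;
    if (handler(&req, &smashed) != 0) return -1;
    return smashed;
}
int run_vulnerable(uint32_t in_len) { return run(vulnerable_handler, in_len); }
int run_hardened(uint32_t in_len)   { return run(hardened_handler, in_len); }

int main(void) {
    printf("0x%08X: device type 0x%X, access %u, function 0x%X, method %u\n",
           ADVISORY_IOCTL, ioctl_device_type(ADVISORY_IOCTL), ioctl_access(ADVISORY_IOCTL),
           ioctl_function(ADVISORY_IOCTL), ioctl_method(ADVISORY_IOCTL));
    printf("vulnerable, 16 bytes: smashed=%d\n", run_vulnerable(16));
    printf("vulnerable, 24 bytes: smashed=%d\n", run_vulnerable(24));
    printf("hardened,   24 bytes: result=%d (rejected)\n", run_hardened(24));
    return 0;
}
```

Two things the decoding shows about the page's own control code: the method field is METHOD_BUFFERED, so the I/O manager copies the caller's bytes into SystemBuffer but the driver is still responsible for checking InputBufferLength against the structure it expects, and the access field is FILE_ANY_ACCESS, so the I/O manager does not require the handle to have been opened for read or write before the request reaches the driver. Who can open the device at all is governed by the device object's security descriptor, which is why Shaun's later point about which Windows versions and which users are affected hinges on whether an unprivileged process can get a handle.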
John Smith
2011-06-20 01:23:55 UTC
The program (DC) has to actually be running for this exploit to have any
bearing, if any, true?
Shaun Hollingworth
2011-06-22 10:05:00 UTC
Post by John Smith
The program (DC) has to actually be running for this exploit to have any
bearing, if any, true?
No, the device driver has to be properly installed, that's all.

The problem is generally confined to W7 and Vista because XP users
generally run their machines in an admin mode anyway, and such
elevation is not possible on that machine in the same way.

New modifications have removed this IOCTL completely, and other fixes
involve requiring the DC GUI to be elevated for certain operations.

Regards,
Shaun.
