View Issue Details

ID: 0000156
Project: SpeedFan
Category: Other
View Status: public
Last Update: 2005-05-04 19:57
Reporter: hlt
Assigned To: alfredo
Priority: normal
Severity: feature
Reproducibility: always
Status: acknowledged
Resolution: open
Platform: NT
Summary: 0000156: security issue in giveio driver
Description: The giveio driver creates a device which is accessible to Everyone by default, thereby allowing local privilege elevation or denial-of-service attacks.
Steps To Reproduce: Install SpeedFan; launch a program under a guest account which opens \\.\giveio and then writes anything to the HDD using I/O port access (or rewrites kernel code using the DMA controller's memory copy function).
In a simpler case (for a local DoS attack) it could just write FE to port 64.
Additional Information: The attached diff file contains the changes required to secure the device object created by the giveio driver. If you think that for some systems it's desirable to allow non-privileged users access to SpeedFan features, you may consider making it an installer option, either by including both driver versions (probably a bad idea) or by implementing a configuration key in the giveio registry settings.
Tags: No tags attached.
Motherboard Model
Video Card Model

Activities

2004-12-22 02:22

 

secure_giveio_diff.txt (1,102 bytes)   
diff -u GIVEIO.orig/GIVEIO.C GIVEIO.secure/GIVEIO.C
--- GIVEIO.orig/GIVEIO.C	1996-04-03 21:30:58.000000000 +0400
+++ GIVEIO.secure/GIVEIO.C	2004-07-24 17:19:13.207861700 +0400
@@ -9,6 +9,7 @@
 
 *********************************************************************/
 #include <ntddk.h>
+#include <wdmsec.h>
 
 /*
  *  The name of our device driver.
@@ -144,10 +145,10 @@
 	RtlInitUnicodeString(&uniNameString, NameBuffer);
 	RtlInitUnicodeString(&uniDOSString, DOSNameBuffer);
 
-	status = IoCreateDevice(DriverObject, 0,
-					&uniNameString,
-					FILE_DEVICE_UNKNOWN,
-					0, FALSE, &deviceObject);
+	status = IoCreateDeviceSecure(DriverObject, 0,
+		&uniNameString,
+		FILE_DEVICE_UNKNOWN,
+		0, FALSE, &SDDL_DEVOBJ_SYS_ALL_ADM_ALL, NULL, &deviceObject);
 
 	if(!NT_SUCCESS(status))
 		return status;
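Review bot: DeviceCharacteristics is still 0 in the new IoCreateDeviceSecure call (the argument just before FALSE), so the I/O manager does not apply the device's security descriptor to opens that carry a trailing name under the device; pass FILE_DEVICE_SECURE_OPEN there so every open of the device goes through the SYSTEM/Administrators ACL. The class GUID argument is NULL, which leaves no per-class registry override for the descriptor; if the configurable access mentioned in the report is wanted, supply a GUID instead. A short comment above the call stating why the Secure variant and SDDL_DEVOBJ_SYS_ALL_ADM_ALL were chosen would also help anyone who later touches this code.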
diff -u GIVEIO.orig/SOURCES GIVEIO.secure/SOURCES
--- GIVEIO.orig/SOURCES	1996-04-03 21:32:10.000000000 +0400
+++ GIVEIO.secure/SOURCES	2004-07-24 16:49:56.127251400 +0400
@@ -4,4 +4,5 @@
 
 INCLUDES=c:\ddk\inc
 
+TARGETLIBS=$(DDK_LIB_PATH)\wdmsec.lib
 SOURCES=giveio.c
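An added example, not part of the report or of the giveio sources: a small C check that flags a device SDDL string whose DACL grants rights to Everyone or other broad groups, which is the exposure the report describes. The function names and the second sample string are constructed for illustration; the first sample is the string the WDK documents for SDDL_DEVOBJ_SYS_ALL_ADM_ALL.

```c
#include <stdio.h>
#include <string.h>

/* SDDL trustees that cover unprivileged or guest logons (Everyone is WD). */
static const char *const BROAD[] = { "WD", "S-1-1-0", "AU", "BU", "BG", "LG", "AN", "IU", NULL };

static int is_broad(const char *sid, size_t n) {
    for (int i = 0; BROAD[i]; i++)
        if (strlen(BROAD[i]) == n && strncmp(BROAD[i], sid, n) == 0) return 1;
    return 0;
}

/* Count allow ACEs in the DACL that grant rights to a broad trustee.
 * Returns -1 if there is no DACL or an ACE is malformed.
 * Conditional ACEs (type XA) are not evaluated. */
int count_broad_allow_aces(const char *sddl) {
    const char *p = sddl;
    int depth = 0, count = 0;
    for (; *p; p++) {                       /* find "D:" outside any ACE */
        if (*p == '(') depth++;
        else if (*p == ')') depth--;
        else if (depth == 0 && p[0] == 'D' && p[1] == ':') break;
    }
    if (!*p) return -1;
    for (p += 2; *p && !(p[0] == 'S' && p[1] == ':'); ) {
        if (*p != '(') { p++; continue; }   /* DACL flags such as P, AI */
        const char *end = strchr(p, ')');
        if (!end) return -1;
        const char *f = p + 1, *sid = NULL;
        size_t tlen = 0, rlen = 0, slen = 0;
        int idx = 0;
        for (const char *q = p + 1; q <= end; q++) {
            if (*q != ';' && q != end) continue;
            if (idx == 0) tlen = (size_t)(q - f);               /* ace_type */
            if (idx == 2) rlen = (size_t)(q - f);               /* rights */
            if (idx == 5) { sid = f; slen = (size_t)(q - f); }  /* trustee */
            idx++; f = q + 1;
        }
        if (idx < 6) return -1;
        if (tlen == 1 && p[1] == 'A' && rlen > 0 && is_broad(sid, slen)) count++;
        p = end + 1;
    }
    return count;
}

int main(void) {
    /* Sample strings embedded inline, not read from a live system. */
    printf("%d\n", count_broad_allow_aces("D:P(A;;GA;;;SY)(A;;GA;;;BA)"));
    printf("%d\n", count_broad_allow_aces("D:P(A;;GA;;;SY)(A;;GRGW;;;WD)"));
    return 0;
}
```

A non-zero result means the descriptor lets non-administrative accounts open the device; deny ACEs and the SACL are ignored by this check.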

alfredo

2005-05-04 19:57

manager   ~0000866

The latest version of SpeedFan starts a migration to speedfan.sys. You can safely remove or disable giveio.sys and SpeedFan will work with no problem.

Issue History

Date Modified Username Field Change
2004-12-22 02:22 hlt New Issue
2004-12-22 02:22 hlt File Added: secure_giveio_diff.txt
2005-05-04 19:57 alfredo Note Added: 0000866
2005-05-04 19:57 alfredo Status assigned => acknowledged