The package contains a demo of an attack on a driver's format string vulnerability. The demo is intended only for Windows 2000.

To install the demo:

1. Log on as administrator.
2. Unpack fsedemo.zip.
3. Start install.bat; it copies the fse1.sys driver to %SystemRoot%\system32\drivers, then registers and starts the Fse driver.
4. Start fsetest.exe and follow its hints.
5. Log on as a normal user (or use 'runas').
6. Try to access files that only administrators are allowed to access.

Note: do not forget to uninstall the driver after the test. To uninstall the demo, start uninstall.bat.

The problem description

Many NT drivers are potentially vulnerable to a "format string bug". The problem concerns the DbgPrint function, which is used for debug messages. Instead of calling this function directly, some drivers use additional intermediate functions. Those functions add a prefix to the output string, resolve the string format and pass the final string to DbgPrint. Note that DbgPrint itself resolves format specifications once more. A typical intermediate function looks like this:

    #include <ntddk.h>    /* DbgPrint, ULONG, _vsnprintf (DDK headers) */
    #include <stdarg.h>   /* va_list */
    #include <string.h>   /* strcpy, strlen */

    void DebugMessage(const char * format, ...)
    {
        char buf[1024];
        int outLen;
        ULONG PrefLen;
        va_list argptr;

        strcpy(buf, "DriverName: ");
        PrefLen = strlen(buf);
        va_start( argptr, format );
        /* first pass: the specifiers in 'format' are resolved and the
           arguments (possibly user-controlled data) are copied into buf */
        outLen = _vsnprintf( buf+PrefLen, sizeof(buf)-PrefLen, format, argptr );
        va_end( argptr );
        /* second pass: buf, which now contains argument data, is itself
           handed to DbgPrint as a format string */
        DbgPrint(buf);
    }

As you can see, it looks like clean code. But since DbgPrint resolves the string format again, the DebugMessage function is vulnerable. So the following function call is vulnerable:

    DebugMessage("MajorFunction = %d, filename = \"%-*S\"\n",
                 CurrentLocation->MajorFunction,
                 FileObject->FileName.Length,
                 FileObject->FileName.Buffer);

All drivers that use such a technique and retain the debug messages in the release build are potentially vulnerable to format string attacks. Unfortunately, research on this problem shows that many drivers use it. For example, NuMega's DriverWorks has a potentially vulnerable class, KTrace. In consequence, all drivers written with the DriverWorks KTrace class and debug messages in the release build are potentially vulnerable. The isapnp.sys driver coming with Windows 2000 also uses such a technique.

The bug is highly dangerous because it can lead to a patch of kernel memory. You can download the attack sample from http://www.securesize.com/Resources/. The example contains a simple vulnerable driver that calls DebugMessage as described above and a small user mode program that exploits the driver vulnerability to patch the kernel. The patch allows bypassing all the system security checks. Thus any user can gain full access to any file, install and start drivers, and so on.

The solution

Use the following construction:

    #define S (&format)
    /* hand the caller's own arguments to DbgPrint so that it performs the only
       formatting pass; this relies on the variadic arguments lying directly
       after 'format' on the stack, as with x86 cdecl */
    DbgPrint(format, S[1], S[2], S[3], S[4], S[5]);
    #undef S

or

    DbgPrint("%s", buf);

Use this construction instead of vsprintf.

Notes to: andr at securesize com
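The double interpretation described above, as an added user-mode model that is not part of the demo package: DbgPrint is mocked with vsnprintf (a constructed stand-in, not the kernel API), the vulnerable wrapper sits beside the "%s" fix, and the file name argument plays the role of the user-controlled FileObject->FileName.Buffer.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
static char sink[256];                  /* what the mock DbgPrint finally emits */

/* Mock of DbgPrint (constructed): like the kernel one, its first argument is a format. */
static void MockDbgPrint(const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(sink, sizeof sink, format, ap);
    va_end(ap);
}

/* Prefix plus first formatting pass, shared by both wrappers below. */
static void BuildMessage(char *buf, size_t len, const char *format, va_list ap)
{
    strcpy(buf, "DriverName: ");
    size_t pre = strlen(buf);
    vsnprintf(buf + pre, len - pre, format, ap);
}

/* Vulnerable wrapper: buf already holds argument data, yet is passed as a
 * format, so every '%' that came from an argument is interpreted again. */
const char *DebugMessageVuln(const char *format, ...)
{
    char buf[256]; va_list ap;
    va_start(ap, format); BuildMessage(buf, sizeof buf, format, ap); va_end(ap);
    MockDbgPrint(buf);                  /* second interpretation: the bug */
    return sink;
}

/* Fixed wrapper, the "%s" variant from the advisory: buf is now plain data. */
const char *DebugMessageSafe(const char *format, ...)
{
    char buf[256]; va_list ap;
    va_start(ap, format); BuildMessage(buf, sizeof buf, format, ap); va_end(ap);
    MockDbgPrint("%s", buf);
    return sink;
}

/* Conversion directives that survive the first pass, i.e. how many
 * attacker-supplied directives the vulnerable path would hand to DbgPrint. */
int DirectivesReachingSink(const char *file)
{
    char buf[256]; int n = 0;
    snprintf(buf, sizeof buf, "DriverName: filename = %s\n", file);
    for (const char *p = buf; *p; p++)
        if (*p == '%') { if (p[1] == '%') p++; else n++; }
    return n;
}
```

The input "100%%" is used because its second interpretation ("%%" collapsing to "%") is well defined, so the vulnerable path can be run safely in user mode; DirectivesReachingSink shows how many real directives from a hostile file name would reach DbgPrint in a driver.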