VYPR
Unrated severity · NVD Advisory · Published Nov 20, 2014 · Updated May 6, 2026

CVE-2014-2382

Description

Faronics Deep Freeze 8.10 and earlier's DfDiskLo.sys driver allows local administrators to execute arbitrary kernel code via a crafted IOCTL that writes to arbitrary memory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The DfDiskLo.sys driver in Faronics Deep Freeze Standard and Enterprise versions 8.10 and earlier contains a vulnerability where it calls the IofCallDriver function without validating parameters. The driver expects a DEVICE_OBJECT structure pointer, but a crafted IOCTL request can cause the pointer to be zero, allowing an attacker who can allocate the NULL page to control memory at address 0x08 and redirect execution [1][2].

Exploitation

To exploit, a local attacker with administrator privileges sends a specially crafted IOCTL request. The attacker must first allocate the NULL page, then write controlled data to address 0x08. The driver uses unvalidated values from the IRP function code (stored in EAX) in a call table lookup CALL DWORD [ESI+EAX*4+38], where ESI is read from the attacker-controlled NULL page. This gives the attacker full control over EIP. The exploit has been verified on Windows XP SP3 and Windows 7 SP0 (32-bit) [1][2].
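
The validation the driver is described as skipping, modelled in user-mode C as an added example (not Faronics code and not taken from the cited references): every value that feeds the indirect call is checked before it is used. The struct, function and constant names are simplified stand-ins assumed for illustration, not the real kernel definitions.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified user-mode stand-ins for the kernel structures (assumed names). */
#define MODEL_MAX_FUNCTION 0x1b  /* last valid dispatch slot in this model */
enum { MODEL_OK = 0, MODEL_INVALID_DEVICE = -1, MODEL_INVALID_FUNCTION = -2 };

struct model_irp { unsigned function_code; };
struct model_device;
typedef int (*model_dispatch_fn)(struct model_device *, struct model_irp *);
struct model_driver { model_dispatch_fn dispatch[MODEL_MAX_FUNCTION + 1]; };
struct model_device { struct model_driver *driver; };

/* Forward a request to a lower device only after the pointer chain and the
   table index that feed the indirect call have been validated. */
int model_forward_request(struct model_device *lower, struct model_irp *irp)
{
    if (lower == NULL || lower->driver == NULL)
        return MODEL_INVALID_DEVICE;      /* never dereference a zero pointer */
    if (irp == NULL || irp->function_code > MODEL_MAX_FUNCTION)
        return MODEL_INVALID_FUNCTION;    /* index must stay inside the table */
    model_dispatch_fn fn = lower->driver->dispatch[irp->function_code];
    if (fn == NULL)
        return MODEL_INVALID_FUNCTION;    /* no handler registered for this slot */
    return fn(lower, irp);
}

static int model_handler(struct model_device *d, struct model_irp *i)
{
    (void)d; (void)i;
    return MODEL_OK;
}

/* Constructed inputs: 0 = valid request, 1 = zero device pointer,
   2 = function code past the table, 3 = slot with no handler. */
int model_demo(int which)
{
    static struct model_driver drv;       /* zero-initialised table */
    struct model_device dev = { &drv };
    struct model_irp irp = { 3 };
    drv.dispatch[3] = model_handler;
    if (which == 1) return model_forward_request(NULL, &irp);
    if (which == 2) irp.function_code = 0x40;
    if (which == 3) irp.function_code = 5;
    return model_forward_request(&dev, &irp);
}

int main(void)
{
    for (int c = 0; c < 4; c++) printf("case %d -> %d\n", c, model_demo(c));
    return 0;
}
```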

Impact

Successful exploitation allows arbitrary code execution with kernel privileges. The attacker can crash the system (denial of service) or execute malicious code without needing another kernel-mode driver. The vulnerability does not allow vertical privilege escalation because only administrator accounts can send IOCTL requests by default [1][2].

Mitigation

No official fixed version has been released by Faronics. The vendor was contacted but no patch was provided. Administrators should restrict local administrative access to trusted users only, as the attack requires administrative privileges. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1][2].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
  • cpe:2.3:a:faronics:deep_freeze:*:*:*:*:enterprise:*:*:* (range: <=8.10)
  • cpe:2.3:a:faronics:deep_freeze:*:*:*:*:standard:*:*:* (range: <=8.10)
  • (no CPE) (range: <=8.10)

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3
