===============================ADVISORY===============================
Advisory:          Data Encryption Systems - DESLock+ - Local Kernel
                   Code Execution/Denial of Service
Advisory ID:       DSEC-2011-0002
Author:            Neil Kettle, Digit Security Ltd
Affected Software: Data Encryption Systems - DESLock+
Vendor URL:        http://www.deslock.com
Vendor Status:     unpatched
Category:          Denial of Service/Privilege Escalation
Date Reported:     2008/07/31
Last Modified:     2011/02/08
Release Date:      2011/02/08
===============================ADVISORY===============================

Description
-----------
A vulnerability has been discovered in one of Data Encryption Systems
DESLock+ kernel drivers, an attacker exploiting this vulnerability may
execute arbitrary code with kernel mode privileges, or cause a Denial
of Service attack via a page fault caused by an invalid pointer
dereference.

Data Encryption Systems Ltd received the best "Encryption Solution of
the Year" at "The Computing Security Awards 2010",

http://www.computingsecurityawards.co.uk/

Analysis
--------
A vulnerability exists due to the improper validation of a user-
supplied pointer within a structure passed as argument to the IOCTL
interface exported from the globally accessible “\\.\DLPTokenWalter0”
device.

Exploitation
------------
An exploit will be made available to the public in due course at the
following URL,

  http://www.digit-labs.org/files/exploits/deslock-vdlptokn.c
  http://www.digit-security.com/research.php

An updated version of the exploit that targets DESLock+ > 4.1.10 will
be made available shortly.

Technologies Affected
------------------------------
Data Encryption Systems - DESLock+ (3.2.7, <= 4.1.12)


Vendor Response
------------------------------
The same vulnerability has persisted within DESLock + for over 2 years,
and despite numerous Data Encryption Systems’s attempts to rectify the
issue, all attempts have fallen short of being sufficient to negate
exploitation. While we endeavour to contact all vendors prior to release
of any vulnerability information, it should be noted that every attempt
made to contact Data Encryption Systems and inform them of the
vulnerability (and many other vulnerabilities) either results in no
response, or, an ‘unfavourable’ response.


Disclosure Timeline
------------------------------
31th July 2008 – Vendor Disclosure


Credits
------------------------------
Neil Kettle of Digit Security Ltd

Thanks
------------------------------
David Tomlinson of Data Encryption Systems Ltd for the encouragement
to continue searching through DESLock+.


About Digit Security Ltd
----------------------------------
Digit Security is a computer security consultancy based in the United
Kingdom, albeit with a slight difference. The company is a co-operatively
controlled entity comprised of professionals who are experts in their
respective fields. Thus, as a corollary, nearly everyone at Digit Security
is a both a Consultant, Developer and a Director (although we prefer the
term 'equal').

Web:        www.digit-security.com
Email:      research@digit-security.com