Powered by ACTIVECYBER, LLC
Powered by ACTIVECYBER, LLC
Recently, we found a Kernel logic bug in Viper RGB software version 1.0 which is used to manage Viper Gaming DRAM memory modules. The affected component of said software was MsIo64.sys/MsIo32.sys driver which was then utilized to achieve Local Privilege Escalation. The following is the process used to identify and exploit the security vulnerability. Let’s start off by examining the device permissions.
As you can see above the “Everyone” group has “All Access” permissions, meaning any low privileged process in user land can interact with the device driver and as such the next logical step was to reverse engineer the “MsIo” driver looking for bugs. During that process we first located the IOCTL dispatch routine, this routine consists of all available IOCTLs and the corresponding code paths that we can potentially hit from user land.
Going through the dispatch routine function we identify an interesting IOCTL code path, that is 0x80102040.
Following the branch, we notice a call to memmove() at offset 0x1623.
Using WinDbg we determine that the length and contents of the input buffer which we control via DeviceIoControl() will end up as the source and size parameters for memmove() function call. The following is the result of sending a QWORD value of 0x4141414141414141 as an input buffer.
Continuing down that path we reach another function call which we renamed to “IOCTL_MSIO_MAPPHYSTOLIN” based on the string provided by RCX parameter for DbgPrint() function call at offset 0x160b in the previous listing screenshot. The function takes RDX which holds the input buffer contents as second argument and then uses it for the “CommitSize” parameter at the start of said function.
And then a call to ZwOpenSection() function is initiated to open section handle to “\Device\PhysicalMemory” via the “OBJECT_ATTRIBUTES” structure.
Lastly, the “CommitSize” provided by the input buffer is used in ZwMapViewOfSection() function call to map the previously allocated section handle into the calling process.
In summary, we can access an arbitrary physical memory from a low privileged process which ultimately leads to elevation of privileges by locating “EPROCESS” structures within the mapped physical memory range and conduct a token stealing attack against any process with “NT AUTHORITY\SYSTEM” privileges. The following is a demonstration of working exploit for Windows 7 and Windows 10 machines respectively.
Please note that the above exploits were heavily based on prior work done by b33f in the Razer Kernel driver bug found here. At that point we sent the vulnerability details to the vendor and a patch was released in version 1.1 addressing this vulnerability.
Feel free to reach out at firstname.lastname@example.org if you have any questions. Also, see the link here for complete list of ACTIVELabs advisories.
ACTIVELabs was created in 2018 to hunt and research undiscovered vulnerabilities, report them to vendors via responsible disclosure programs, publish advisories, develop and validate new patches, and to share this information for the advancement of the cybersecurity community. ACTIVELabs was established with the mission of securing our ever-growing client base, partnerships, and the technology community as a whole.
We are actively providing the community with verified findings and research that leads to the creation of new Common Vulnerabilities and Exposures (CVEs) and updates to the National Vulnerability Database (NVD). For a full listing of all of our Advisories, visit our GitHub page here.