#Exploit Title: MSI NTIOLib.sys, WinIO.sys local privilege escalation

NTIOLib.sys is installed with a few different MSI utilities that are part of the software package for MSI motherboards and graphics cards. WinIO.sys is a completely different driver and is installed with the Dragon Gaming Center application, which is part of the software package for MSI notebooks.

Actually, when I was verifying the list of affected software, I found a third driver that does exactly the same thing, just with a slightly different interface and name (RTCore32.sys / RTCore64.sys). Since both drivers expose physical memory access to unprivileged users, I decided to put them into one report (I’ll describe the technical differences later).

NTIOLib functionality exposed through IOCTLs:
– Read/write physical memory (using MmMapIoSpace)
– Read/write MSR registers (using rdmsr/wrmsr opcodes)
– HalGetBusDataByOffset / HalSetBusDataByOffset

WinIO functionality exposed through IOCTLs:
– Read/write physical memory (ZwMapViewOfSection of “\\Device\\PhysicalMemory”)

RTCore functionality exposed through IOCTLs:
It appears that the RTCore driver is a kind of hybrid between NTIOLib and WinIO. It’s also worth noting that the WinIO driver is just a compiled (and MSI-signed) version of the code that can be found here.

UPDATE: The RTCore driver is part of the RivaTuner software, so all OEM-branded RivaTuner clones are vulnerable.

Some of the mentioned applications load the vulnerable driver on demand, but some of them load the driver at service startup and keep it loaded the whole time, so exploitation is rather trivial. I haven’t thoroughly inspected all MSI applications, since that isn’t really possible (different versions of the software for different hardware, multiple installers, etc.), so it’s very probable that my list doesn’t cover all cases. Generally, if someone owns any MSI hardware, it’s good to check whether any of the above drivers (or one with a similar name) is loaded, and if so, just remove the application that installed it.

Disclosure attempts:
– sent e-mail notification to the addresses: (none of those is valid, but it was worth trying)
– tried reporting through the official support channel, without any luck; final reply: “Please don’t worry about it and the software files are secure. Anyway, we will send the information to relative department. Thanks!”
– tried contact through a friend from the security team of some super-secret big corporation – also without luck

After ASMMAP disclosure, I read that the exploitation of this kind of vulnerability is rather easy:

“This can be done by scanning for EPROCESS structures within memory and identifying one, then jumping through the linked list to find your target process and a known SYSTEM process (e.g. lsass), then duplicating the Token field across to elevate your process.”

This part isn’t really that novel or interesting, so I won’t go into it here. Since I don’t have much experience in this area, I decided to try the above method and see if the exploitation is really straightforward. I’ve started randomly poking at physical pages, just to see how it behaves.
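A defender-side check for the recommendation above, as an added example that is not part of the original post: it lists installed kernel driver services whose name or image path matches the driver families named here (NTIOLib, WinIO, RTCore), and shows whether each is currently loaded and whether it starts at boot. The name pattern and the function name are assumptions; nothing else (hashes, versions) is known from the post, so the script reports facts from the local service database only.

```powershell
# Added example (not the post author's code). Enumerates kernel driver services
# matching the driver names from the write-up and reports their load state.
# Assumptions: Windows with PowerShell 5.1 or later; reading the service
# database works as a standard user, the signature check needs read access
# to the driver image.

$SuspectPattern = 'NTIOLib|WinIO|RTCore'   # families named in the post; adjust as needed

function Find-SuspectMsiDriver {
    param([string]$NamePattern = $SuspectPattern)

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object {
            $_.Name -match $NamePattern -or
            $_.DisplayName -match $NamePattern -or
            $_.PathName -match $NamePattern
        } |
        ForEach-Object {
            # PathName is an NT-style path (\??\C:\... or \SystemRoot\...);
            # normalise it so the file can be opened from user mode.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot

            $signer = $null
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            [pscustomobject]@{
                Service   = $_.Name
                State     = $_.State       # 'Running': the IOCTL surface is live right now
                StartMode = $_.StartMode   # 'Auto'/'System': loaded at boot, not just on demand
                Path      = $path
                Signer    = $signer        # who signed the image (the post notes MSI signs WinIO)
            }
        }
}

# A 'Running' entry with StartMode 'Auto' is the case the post calls trivial
# to exploit: the driver stays loaded whether or not the MSI utility is open.
# Remediation, as the post says, is to uninstall the application that installed it.
Find-SuspectMsiDriver | Format-Table -AutoSize
```

An empty result does not prove the machine is clean: a utility that loads its driver on demand only shows up here while that utility is running, so the check is best repeated with the MSI tools open.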