RTCore functionality exposed through IOCTLs: Read/write physical memory (ZwMapViewOfSection of “\\Device\\PhysicalMemory”) WinIO functionality exposed through IOCTLs: HalGetBusDataByOffset / HalSetBusDataByOffset Read write MSR registers (using rdmsr/wrmsr opcodes) Read/write physical memory (using MmMapIoSpace) NTIOLib functionality exposed through IOCTLs: Actually when I was verifying list of affected software, I’ve found third driver that is doing exactly the same thing, just have a bit different interface and name (RTCore32.sys / RTCore64.sys). Since both drivers expose physical memory access to the unprivileged users, I decided to put it into one report (I’ll describe the technical differences later). WinIO.sys is completely different driver and is installed with Dragon Gaming Center application, which is part of the software package for MSI notebooks. NTIOLib.sys is installed with a few different MSI utilities that are part of the software package for MSI motherboards and graphic cards. #Exploit Title: MSI NTIOLib.sys, WinIO.sys local privilege escalation
0 Comments
Leave a Reply. |