8 matches found
Exploring malicious Windows drivers (Part 2): the I/O system, IRPs, stack locations, IOCTLs and more
This blog post is part of a multi-part series, and it is highly recommended to read the first entry here before continuing. As the second entry in our "Exploring malicious Windows drivers" series, we will continue where the first left off: discussing the I/O system and IRPs. We will expand on the...
Canadian Furious Beaver - A Tool For Monitoring IRP Handler In Windows Drivers, And Facilitating The Process Of Analyzing, Replaying And Fuzzing Windows Drivers For Vulnerabilities
Furious Beaver is a distributed tool for capturing IRPs sent to any Windows driver. It operates in 2 parts: 1. the "Broker" combines both a user-land agent and a self-extractable driver IrpDumper.sys that will install itself on the targeted system. Once running it will expose depending on the...
CVE-2020-13514
A privilege escalation vulnerability exists in the WinRing0x64 Driver Privileged I/O Write IRPs functionality of NZXT CAM 4.8.0. A specially crafted I/O request packet IRP can cause increased privileges. Using the IRP 0x9c40a0e0 gives a low privilege user direct access to the OUT instruction that...
Privilege escalation
A privilege escalation vulnerability exists in the WinRing0x64 Driver Privileged I/O Write IRPs functionality of NZXT CAM 4.8.0. A specially crafted I/O request packet IRP can cause increased privileges. Using the IRP 0x9c40a0dc gives a low privilege user direct access to the OUT instruction that...
CVE-2020-13511
An information disclosure vulnerability exists in the WinRing0x64 Driver Privileged I/O Read IRPs functionality of NZXT CAM 4.8.0. A specially crafted I/O request packet IRP using the IRP 0x9c4060d4 gives a low privilege user direct access to the IN instruction that is completely unrestrained at ...
CVE-2020-13510
The CVE-2020-13510 entry affects NZXT CAM 4.8.0 via the WinRing0x64 driver; TALOS confirms an information-disclosure vulnerability in the Privileged I/O Read IRP path, exploited by the IRP 0x9c4060d0 to read I/O ports at elevated privileges. The vulnerability enables a low-privilege user to acces...
CVE-2020-13509
NZXT CAM 4.8.0 is affected by CVE-2020-13509 due to the WinRing0x64 driver’s Privileged I/O Read IRPs functionality. A crafted IRP (0x9c4060cc) allows a low-privilege user to perform an unrestrained IN instruction at elevated privileges, enabling potential leakage of sensitive data. Affected comp...
NZXT CAM WinRing0x64 driver privileged I/O read IRPs information disclosure vulnerability
Summary: An information disclosure vulnerability exists in the WinRing0x64 Driver Privileged I/O Read IRPs functionality of NZXT CAM 4.8.0. A specially crafted I/O request packet IRP can cause the disclosure of sensitive information. An attacker can send a malicious IRP to trigger this...