Talos Intelligence TALOS-2021-1252
History: Jul 07, 2021 - 12:00 a.m.

IOBit Advanced SystemCare Ultimate exposed IOCTL 0x9c40a148 vulnerability

Talos Intelligence
www.talosintelligence.com

CVSS2

Score: 2.1
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3

Score: 5.5
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

Score: 0.001
Percentile: 17.8%

Summary

An information disclosure vulnerability exists in the IOCTL 0x9c40a148 handling of IOBit Advanced SystemCare Ultimate 14.2.0.220. A specially crafted I/O request packet (IRP) can lead to a disclosure of sensitive information. An attacker can send a malicious IRP to trigger this vulnerability.

Tested Versions

IOBit Advanced SystemCare Ultimate 14.2.0.220

Product URLs

<https://www.iobit.com/>

CVSSv3 Score

6.5 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-782 - Exposed IOCTL with Insufficient Access Control

Details

IOBit Advanced SystemCare Ultimate keeps track of running services, processes that are using a large amount of memory, and software updates, and can update drivers to their latest versions.

Advanced SystemCare also provides a monitoring driver to help facilitate its tasks. This driver creates \Device\IOBIT_WinRing0_1_3_0, which is readable and writable by everyone. The driver also provides a callback for handling IRP_MJ_DEVICE_CONTROL requests to the driver.

The driver used in this analysis is below:

Monitor_win10_x64.sys e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb

During the handling of IOCTL 0x9c40a148, data controlled by an unprivileged user is passed to the HalSetBusDataByOffset function. This data is not constrained, giving the unprivileged user the ability to read any I/O device’s configuration and device-specific registers. The reading of this information can lead to the disclosure of sensitive information to the user.

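    Monitor_win10_x64.sys+0x112ad
    
    case 0x9C40A148:
      v14 = v4->Parameters.DeviceIoControl.InputBufferLength;
      if ( v14 < 8 )                         // only validation: input must hold the 8-byte header
      {
        v5 = 0xC000000D;                     // STATUS_INVALID_PARAMETER
        goto LABEL_65;
      }
      input_buffer_3 = a2->AssociatedIrp.SystemBuffer;
      *(_DWORD *)iostatus_info = 0;
      // Every argument after PCIConfiguration comes straight from the caller's buffer.
      v5 = v14 - 8 != HalSetBusDataByOffset(
                        PCIConfiguration,
                        (unsigned __int8)BYTE1(*(_DWORD *)input_buffer_3),  // bus number: bits 8-15 of the first DWORD
                        (32 * (*(_DWORD *)input_buffer_3 & 7)) | ((unsigned __int8)*(_DWORD *)input_buffer_3 >> 3),  // slot number: (function << 5) | device
                        (char *)input_buffer_3 + 8,                         // data buffer: bytes following the header
                        *((_DWORD *)input_buffer_3 + 1),                    // offset: second DWORD, unchecked
                        v14 - 8) ? 0xE0000003 : 0;                          // length: input length minus the header
      break;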
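
The decompiled handler above validates only that the input is at least 8 bytes long. As an added example (not Talos's or the vendor's code), this user-mode C model decodes the same 8-byte header and applies the checks a hardened handler would need before calling into the HAL. Every name in it, the 256-byte configuration-space limit and the caller_is_admin flag are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example; all names are hypothetical, not taken from the driver. */
#define PCI_CFG_SPACE_SIZE 256u /* assumption: conventional PCI config space */

enum { REQ_OK, REQ_TOO_SHORT, REQ_DENIED, REQ_NO_DATA, REQ_RESERVED_BITS, REQ_OUT_OF_RANGE };

typedef struct {
    uint8_t  bus, device, function;
    uint32_t offset, length;
} pci_cfg_request;

/* Read a little-endian DWORD, as the x64 driver does from SystemBuffer. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode the 8-byte header the way the decompiled handler does, adding the
 * checks it lacks. caller_is_admin is a stand-in for a real access decision
 * (for example a restrictive ACL on the device object). */
int validate_pci_cfg_request(const uint8_t *buf, size_t len, int caller_is_admin,
                             pci_cfg_request *out)
{
    if (len < 8) return REQ_TOO_SHORT;             /* the handler's only check */
    if (!caller_is_admin) return REQ_DENIED;       /* missing: access control */
    if (len == 8) return REQ_NO_DATA;              /* missing: empty payload */
    uint32_t addr = le32(buf), offset = le32(buf + 4);
    if (addr >> 16) return REQ_RESERVED_BITS;      /* bits the handler ignores */
    if (offset >= PCI_CFG_SPACE_SIZE || len - 8 > PCI_CFG_SPACE_SIZE - offset)
        return REQ_OUT_OF_RANGE;                   /* missing: offset/length bound */
    out->bus      = (uint8_t)(addr >> 8);          /* BYTE1 of the first DWORD */
    out->device   = (uint8_t)((addr & 0xFF) >> 3); /* low 5 bits of the slot number */
    out->function = (uint8_t)(addr & 7);           /* shifted left by 5 in the slot number */
    out->offset   = offset;
    out->length   = (uint32_t)(len - 8);
    return REQ_OK;
}

int main(void)
{
    /* Constructed sample: bus 0, device 31, function 3, offset 0x40, 4 data bytes. */
    const uint8_t sample[12] = {0xFB, 0, 0, 0, 0x40, 0, 0, 0, 1, 2, 3, 4};
    pci_cfg_request r;
    printf("admin: %d\n", validate_pci_cfg_request(sample, sizeof sample, 1, &r));
    printf("non-admin: %d\n", validate_pci_cfg_request(sample, sizeof sample, 0, &r));
    return 0;
}
```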

Timeline

2021-03-10 - Follow up with vendor
2021-04-30 - 2nd follow up with vendor
2021-05-17 - 3rd follow up with vendor
2021-06-27 - Final follow up with vendor
2021-07-07 - Public release
