IOBit Advanced SystemCare Ultimate exposed IOCTL 0x9c40a148 vulnerability

ID TALOS-2021-1252
Type talos
Reporter Talos Intelligence
Modified 2021-07-07T00:00:00



An information disclosure vulnerability exists in the IOCTL 0x9c40a148 handling of IOBit Advanced SystemCare Ultimate A specially crafted I/O request packet (IRP) can lead to a disclosure of sensitive information. An attacker can send a malicious IRP to trigger this vulnerability.

Tested Versions

IOBit Advanced SystemCare Ultimate

Product URLs


CVSSv3 Score

6.5 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N


CWE-782 - Exposed IOCTL with Insufficient Access Control


IOBit Advanced SystemCare Ultimate provides a solution for keeping track of running services, processes that are using a large amount of memory, software updates, and the ability to update drivers to latest versions.

Advanced SystemCare also provides a monitoring driver to help faciltate its tasks. This driver creates \Device\IOBIT_WinRing0_1_3_0 which is readable and writable to everyone. The driver also provides a callback for handling IRP_MJ_DEVICE_CONTROL requests to the driver.

The driver used in this analysis is below:

Monitor_win10_x64.sys e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb

During IOCTL 0x9c40a148, unprivileged user controlled data is passed to the HalSetBusDataByOffset function. This data is not constrained, giving the unprivileged user the ability to read any I/O device’s configuration and device specific registers. The reading of this information can lead to the disclosure of sensitive information to the user.


    case 0x9C40A148:
      v14 = v4-&gt;Parameters.DeviceIoControl.InputBufferLength;
      if ( v14 &lt; 8 )
        v5 = 0xC000000D;
        goto LABEL_65;
      input_buffer_3 = a2-&gt;AssociatedIrp.SystemBuffer;
      *(_DWORD *)iostatus_info = 0;
      v5 = v14 - 8 != HalSetBusDataByOffset(
                        (unsigned __int8)BYTE1(*(_DWORD *)input_buffer_3),
                        (32 * (*(_DWORD *)input_buffer_3 & 7)) | ((unsigned __int8)*(_DWORD *)input_buffer_3 &gt;&gt; 3),
                        (char *)input_buffer_3 + 8,
                        *((_DWORD *)input_buffer_3 + 1),
                        v14 - 8) ? 0xE0000003 : 0;


2021-03-10 - Follow up with vendor
2021-04-30 - 2nd follow up with vendor
2021-05-17 - 3rd follow up with vendor
2021-06-27 - Final follow up with vendor
2021-07-07 - Public release