ID TALOS-2021-1252 Type talos Reporter Talos Intelligence Modified 2021-07-07T00:00:00
Description
Summary
An information disclosure vulnerability exists in the IOCTL 0x9c40a148 handling of IOBit Advanced SystemCare Ultimate 14.2.0.220. A specially crafted I/O request packet (IRP) can lead to a disclosure of sensitive information. An attacker can send a malicious IRP to trigger this vulnerability.
CWE-782 - Exposed IOCTL with Insufficient Access Control
Details
IOBit Advanced SystemCare Ultimate provides a solution for keeping track of running services, processes that are using a large amount of memory, software updates, and the ability to update drivers to the latest versions.
Advanced SystemCare also provides a monitoring driver to help facilitate its tasks. This driver creates \Device\IOBIT_WinRing0_1_3_0, which is readable and writable by everyone. The driver also provides a callback for handling IRP_MJ_DEVICE_CONTROL requests to the driver.
During IOCTL 0x9c40a148, unprivileged user-controlled data is passed to the HalSetBusDataByOffset function. This data is not constrained, giving the unprivileged user the ability to read any I/O device’s configuration and device-specific registers. The reading of this information can lead to the disclosure of sensitive information to the user.
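For triage, the IOCTL number can be split into its CTL_CODE fields to see which handle access the I/O manager requires before the driver's callback runs. The following is an added example, not code from Talos or the vendor; decode_ioctl and handle_may_issue are illustrative names, and the check is a user-space model of the I/O manager rule rather than kernel code.

```c
#include <stdint.h>
#include <stdio.h>

/* Values from the Windows headers. The RequiredAccess field of an IOCTL
 * uses the same bit values as the FILE_READ_DATA / FILE_WRITE_DATA bits
 * of a handle's granted access mask. */
#define FILE_ANY_ACCESS   0u
#define FILE_READ_ACCESS  1u   /* == FILE_READ_DATA  */
#define FILE_WRITE_ACCESS 2u   /* == FILE_WRITE_DATA */

typedef struct {
    uint32_t device_type;  /* bits 31..16 */
    uint32_t access;       /* bits 15..14, RequiredAccess */
    uint32_t function;     /* bits 13..2 */
    uint32_t method;       /* bits 1..0, 0 = METHOD_BUFFERED */
} ioctl_fields;

/* Split a 32-bit IOCTL code into the fields CTL_CODE() packed into it. */
ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2) & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Model of the I/O manager's check for user-mode callers: every access
 * bit the IOCTL requires must be present in the handle's granted access.
 * FILE_ANY_ACCESS (0) is satisfied by any handle. Returns 1 if allowed. */
int handle_may_issue(uint32_t code, uint32_t granted)
{
    uint32_t need = decode_ioctl(code).access;
    return (granted & need) == need;
}

int main(void)
{
    ioctl_fields f = decode_ioctl(0x9c40a148u);   /* IOCTL from the advisory */
    printf("type=0x%x access=%u function=0x%x method=%u\n",
           (unsigned)f.device_type, (unsigned)f.access,
           (unsigned)f.function, (unsigned)f.method);
    printf("read-only handle allowed:  %d\n",
           handle_may_issue(0x9c40a148u, FILE_READ_ACCESS));
    printf("read/write handle allowed: %d\n",
           handle_may_issue(0x9c40a148u, FILE_READ_ACCESS | FILE_WRITE_ACCESS));
    return 0;
}
```

The code requires write access on the handle, and because the device object is writable by everyone, that requirement is met by any local user; the access control that matters here is the one on the device object itself.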
Timeline
2021-03-10 - Follow up with vendor
2021-04-30 - 2nd follow up with vendor
2021-05-17 - 3rd follow up with vendor
2021-06-27 - Final follow up with vendor
2021-07-07 - Public release
Tested Versions
IOBit Advanced SystemCare Ultimate 14.2.0.220
Product URLs
https://www.iobit.com/
CVSSv3 Score
6.5 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE
CVE-2021-21785
Source
https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1252
Driver Analyzed
The driver used in this analysis is below:
Monitor_win10_x64.sys e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb
Decompiled Handler
Monitor_win10_x64.sys+0x112ad

    case 0x9C40A148:
      v14 = v4->Parameters.DeviceIoControl.InputBufferLength;
      if ( v14 < 8 )
      {
        v5 = 0xC000000D;                        // STATUS_INVALID_PARAMETER
        goto LABEL_65;
      }
      input_buffer_3 = a2->AssociatedIrp.SystemBuffer;
      *(_DWORD *)iostatus_info = 0;
      // Every argument after PCIConfiguration is taken from the caller's buffer
      // without any range or privilege check.
      v5 = v14 - 8 != HalSetBusDataByOffset(
                        PCIConfiguration,
                        (unsigned __int8)BYTE1(*(_DWORD *)input_buffer_3),   // BusNumber
                        (32 * (*(_DWORD *)input_buffer_3 & 7)) | ((unsigned __int8)*(_DWORD *)input_buffer_3 >> 3),   // SlotNumber
                        (char *)input_buffer_3 + 8,                          // Buffer
                        *((_DWORD *)input_buffer_3 + 1),                     // Offset
                        v14 - 8) ? 0xE0000003 : 0;                           // Length
      break;