MSI Afterburner v4.6.5.16370 - KM Leak
Discovered by: Offensive Team, Fluid Attacks
Summary
Full name: MSI Afterburner v4.6.5.16370 - Kernel Memory Leak
Code name:
State: Public
Release date: 6 March 2024
Affected product: MSI Afterburner
Vendor: Micro-Star INT'L CO.
Affected version(s): Version 4.6.5.16370
Vulnerability name: Kernel Memory Leak
Vulnerability type:
Remotely exploitable: No
CVSS v3.0 vector string: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H
CVSS v3.0 base score: 5.6
Exploit available: Yes
CVE ID(s): CVE-2024-1460
Description
MSI Afterburner v4.6.5.16370 is vulnerable to a kernel memory leak triggered through the 0x80002040 IOCTL code of the RTCore64.sys driver.
Vulnerability
The 0x80002040 IOCTL code of the RTCore64.sys driver allows mapping up to 0x20000 bytes of physical memory from the range 0xC0000 to 0xE0000 into a non-paged kernel virtual memory range whose address can then be leaked to the caller. That physical range is commonly used to store the BIOS of the device's motherboard.
The decompiled handler code for the 0x80002040 IOCTL starts with:
At [1] a check is made on the InputBufferLength parameter of the IOCTL request. If it equals 0x30 bytes, the function sub_11388 is called at [2] with the SystemBuffer as a parameter.
Inside sub_11388, a call to sub_11044 is performed and the code checks that the returned value is not NULL:
The only condition under which sub_11044 returns a non-NULL value is:
After that check, the code that follows in sub_11388 is:
At [1] the code uses MmMapIoSpace() to map the physical address range from 0xC0000 up to the offset passed at SystemBuffer + 0x10. At [2] the code writes the address returned by MmMapIoSpace() to SystemBuffer + 0x8.
A snippet of the Proof-of-Concept that passes all the checks is:
The output of the Proof-of-Concept is:
In the debugging session, the contents of the mapped address can be seen. They contain strings such as VESA and VBE2, which are part of the BIOS of the GPU's motherboard in use. The mapped address is also executable, E(1), and writable, W(1):
Our security policy
We have reserved the ID CVE-2024-1460 to refer to this issue from now on.
System Information
Version: MSI Afterburner v4.6.5.16370
Operating System: Windows
Mitigation
There is currently no patch available for this vulnerability.
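As an added example (not part of the advisory or of Fluid Attacks' proof of concept), the following PowerShell inventory check reports whether RTCore64.sys is installed or running on a host and which MSI Afterburner version is present, so that an administrator can decide whether to stop or remove the driver while no patch exists. It relies only on standard Windows inventory sources (the Win32_SystemDriver CIM class and the Uninstall registry keys); the driver path is discovered at run time rather than assumed.

```powershell
# Added example (not from the advisory): inventory check for the RTCore64.sys driver
# named in the advisory. Reports each matching kernel service, its state, the on-disk
# file version and a SHA256 for comparison against your own baseline.
function Get-RTCoreDriverStatus {
    [CmdletBinding()]
    param(
        # File name taken from the advisory; the install path is discovered, not assumed.
        [string]$DriverFileName = 'RTCore64.sys'
    )

    # Win32_SystemDriver lists kernel-mode services with image path, state and start mode.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and ($_.PathName -like "*$DriverFileName*") }

    foreach ($d in $drivers) {
        # PathName may be quoted or carry the \??\ prefix; normalise before touching the file.
        $path = $d.PathName.Trim('"') -replace '^\\\?\?\\', ''
        $versionInfo = $null
        $hash = $null
        if (Test-Path -LiteralPath $path) {
            $versionInfo = (Get-Item -LiteralPath $path).VersionInfo
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            Service        = $d.Name
            State          = $d.State      # Running / Stopped
            StartMode      = $d.StartMode  # Auto / Manual / Disabled
            Path           = $path
            FileVersion    = $versionInfo.FileVersion
            ProductVersion = $versionInfo.ProductVersion
            Sha256         = $hash
        }
    }
}

# Locate the MSI Afterburner install entry through the standard Uninstall registry keys
# (64-bit and WOW6432Node views) and compare it with the affected version from the advisory.
function Get-AfterburnerInstall {
    $affected = '4.6.5.16370'
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Afterburner*' } |
        Select-Object DisplayName, DisplayVersion,
            @{ Name = 'IsAffectedVersion'; Expression = { $_.DisplayVersion -eq $affected } }
}

Get-RTCoreDriverStatus | Format-List
Get-AfterburnerInstall | Format-Table -AutoSize
```

Run it from an elevated prompt so the driver image is readable for hashing; a Running state with no vendor fix available is the signal to weigh stopping or removing the service.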
References
Vendor page https://us.msi.com/
Product page https://www.msi.com/Landing/afterburner/graphics-cards
Timeline
8 February 2024: Vulnerability discovered
23 February 2024: Vendor contacted
6 March 2024: Public disclosure