Kernel driver oopsies

nefarius

Capcom Rootkit

A fresh update for Capcom's Street Fighter V for PCs includes a knock-out move: a secret rootkit that gives any installed application kernel-level privileges.

ASRock Drivers Elevation of Privilege Vulnerabilities

Multiple vulnerabilities were found in AsrDrv101.sys and AsrDrv102.sys low level drivers, installed by ASRock RGBLED and other ASRock branded utilities, which could allow a local attacker to elevate privileges.

GIGABYTE Driver Privilege Escalation

Multiple vulnerabilities were found in the GPCIDrv and GDrv drivers as bundled with several GIGABYTE and AORUS branded motherboard and graphics card utilities, which could allow a local attacker to elevate privileges. Affected versions include GIGABYTE APP Center 1.05.21 and below, AORUS GRAPHICS ENGINE 1.33 and below, XTREME GAMING ENGINE 1.25 and below, and OC GURU II 2.08.

MSI NTIOLib.sys, WinIO.sys local privilege escalation

NTIOLib.sys is installed with a few different MSI utilities that are part of the software package for MSI motherboards and graphic cards. WinIO.sys is completely different driver and is installed with Dragon Gaming Center application, which is part of the software package for MSI notebooks. Since both drivers expose physical memory access to the unprivileged users, I decided to put it into one report (I’ll describe the technical differences later). Actually when I was verifying list of affected software, I’ve found third driver that is doing exactly the same thing, just have a bit different interface and name (RTCore32.sys / RTCore64.sys).

• https://www.secureauth.com/labs/advisories/asus-drivers-elevation-privilege-vulnerabilities
• https://eclypsium.com/2019/11/12/mother-of-all-drivers/
• https://www.activecyber.us/activelabs/viper-rgb-driver-local-privilege-escalation-cve-2019-18845#