    ViGEm Forums

    • Register
    • Login
    • Search
    • Recent
    • Tags
    • Popular
    • Twitter
    • GitHub
    • Discord

    Kernel driver oopsies

    Research and Development
    Posted by nefarius (last edited by nefarius)

      Capcom Rootkit

      A fresh update for Capcom's Street Fighter V for PCs includes a knock-out move: a secret rootkit that gives any installed application kernel-level privileges.

      ASRock Drivers Elevation of Privilege Vulnerabilities

      Multiple vulnerabilities were found in AsrDrv101.sys and AsrDrv102.sys low level drivers, installed by ASRock RGBLED and other ASRock branded utilities, which could allow a local attacker to elevate privileges.

      GIGABYTE Driver Privilege Escalation

      Multiple vulnerabilities were found in the GPCIDrv and GDrv drivers as bundled with several GIGABYTE and AORUS branded motherboard and graphics card utilities, which could allow a local attacker to elevate privileges. Affected versions include GIGABYTE APP Center 1.05.21 and below, AORUS GRAPHICS ENGINE 1.33 and below, XTREME GAMING ENGINE 1.25 and below, and OC GURU II 2.08.

      MSI NTIOLib.sys, WinIO.sys local privilege escalation

      NTIOLib.sys is installed with a few different MSI utilities that are part of the software package for MSI motherboards and graphics cards. WinIO.sys is a completely different driver and is installed with the Dragon Gaming Center application, which is part of the software package for MSI notebooks. Since both drivers expose physical memory access to unprivileged users, I decided to put them into one report (I’ll describe the technical differences later). Actually, when I was verifying the list of affected software, I found a third driver that does exactly the same thing, just with a slightly different interface and name (RTCore32.sys / RTCore64.sys).

      • https://www.secureauth.com/labs/advisories/asus-drivers-elevation-privilege-vulnerabilities
      • https://eclypsium.com/2019/11/12/mother-of-all-drivers/
      • https://www.activecyber.us/activelabs/viper-rgb-driver-local-privilege-escalation-cve-2019-18845#
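The common thread in the advisories above is a signed kernel driver, installed by a vendor utility, whose device object is reachable from an unprivileged process and which hands out physical memory or port I/O access on request. The first thing a practitioner wants is an inventory: which of these driver binaries are registered or loaded on a given host, and what are their hashes. The following PowerShell script is an added example, not code from the forum post or from any of the linked advisories. The file name patterns are derived from the driver names quoted in the post; the exact file names, service names and install paths vary by product version, so the patterns are an assumption and name matching is only a first pass.

```powershell
# Added example (not from the forum post): inventory known-vulnerable vendor
# drivers on a Windows host. File-name patterns are assumptions derived from
# the driver names quoted above (ASRock, GIGABYTE/AORUS, MSI); adjust them
# for the versions you actually ship.
$SuspectPatterns = @(
    'AsrDrv10?.sys',   # ASRock AsrDrv101.sys / AsrDrv102.sys
    'GPCIDrv*.sys',    # GIGABYTE GPCIDrv
    'GDrv*.sys',       # GIGABYTE GDrv
    'NTIOLib*.sys',    # MSI NTIOLib.sys
    'WinIO*.sys',      # MSI WinIO.sys (Dragon Gaming Center)
    'RTCore??.sys'     # RTCore32.sys / RTCore64.sys
)

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes:
    #   \??\C:\Windows\System32\drivers\x.sys
    #   \SystemRoot\System32\drivers\x.sys
    #   System32\drivers\x.sys
    # Normalise them to a plain Win32 path.
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32', "$env:SystemRoot\System32"
    return $p
}

function Get-SuspectDriver {
    # Registered kernel drivers (running or not), matched by image file name.
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $d.PathName) { continue }
        $path = Resolve-DriverPath $d.PathName
        $leaf = Split-Path -Leaf $path
        foreach ($pattern in $SuspectPatterns) {
            if ($leaf -like $pattern) {
                $hash = if (Test-Path -LiteralPath $path) {
                    (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
                } else { 'file not found' }
                [pscustomobject]@{
                    Service   = $d.Name
                    State     = $d.State
                    StartMode = $d.StartMode
                    Path      = $path
                    SHA256    = $hash
                }
            }
        }
    }
}

function Get-OrphanedSuspectFile {
    # Copies left in the drivers directory that are no longer registered as a
    # service still matter: an attacker can re-register a signed vulnerable
    # driver, so look for the files themselves too.
    $dir = Join-Path $env:SystemRoot 'System32\drivers'
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.Name
            ($SuspectPatterns | Where-Object { $name -like $_ }).Count -gt 0
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Size   = $_.Length
                SHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
            }
        }
}

'== Registered driver services matching known-vulnerable names =='
Get-SuspectDriver | Format-Table -AutoSize
'== Matching files present in the drivers directory =='
Get-OrphanedSuspectFile | Format-Table -AutoSize
```

Presence of a matching file is a lead, not a verdict: the actual defect the advisories describe is a device object whose security descriptor lets a non-administrator open it and issue the memory-access IOCTLs. Confirm exposure by attempting to open the driver's device from an unprivileged process (or with a tool such as Sysinternals AccessChk against the device object), and use the SHA256 column to compare against the vendor's fixed builds and your own blocklist rather than relying on the file name alone.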