Attackers can exploit these vulnerabilities to escalate privileges and execute arbitrary code. In addition, the researchers who discovered these vulnerabilities have written exploit code for each software product, and several of the vulnerabilities have not been fixed so far.

2025/06/26 12:19:35 hotcomm 1907


According to foreign media outlet BleepingComputer, there are multiple vulnerabilities in four drivers from Asus and GIGABYTE, and attackers can exploit these vulnerabilities to escalate privileges and execute arbitrary code.

The report says that a total of 7 vulnerabilities affecting 5 software products were discovered. In addition, the researchers who discovered these vulnerabilities have written exploit code for each software product, and several of the vulnerabilities have not been fixed so far.

Two of the vulnerable drivers were installed by Asus' Aura Sync software (v1.07.22 and earlier) and they carry vulnerabilities that can be used to execute arbitrary code.

The vulnerable drivers from Gigabyte are bundled with motherboards and graphics cards of the same brand, as well as motherboards and graphics cards produced by Gigabyte subsidiary AORUS. Vulnerabilities present in these drivers can lead to privilege escalation, and affected software products include: GIGABYTE App Center (v1.05.21 and earlier), AORUS Graphics Engine (v1.33 and earlier), XTREME Engine utility (v1.25 and earlier), and OC Guru II (v2.08).

Three vulnerabilities found in Asus GLCKIo and Asusgio drivers

Aura Sync is a utility that allows all RGB light bars to work synchronously with products such as motherboard, graphics card and peripherals (keyboard, mouse), etc., so that users can get a personalized gaming experience.

When Aura Sync is installed to the system, GLCKIo and Asusgio drivers are also installed. Both drivers have security vulnerabilities CVE-2018-18537, CVE-2018-18536 and CVE-2018-18535, which allow attackers to execute arbitrary code.

According to the report, the vulnerabilities were discovered by Diego Juarez of SecureAuth. He said in a report released Tuesday that the company had responsibly disclosed the vulnerabilities to Asus. But judging from the two new Aura Sync versions released by Asus, two of the vulnerabilities have not been fixed.

The first vulnerability, CVE-2018-18537, exists in the GLCKIo driver and can be exploited by writing an arbitrary double word (DWORD) to an arbitrary address. To demonstrate the vulnerability, the researchers created proof-of-concept (PoC) code that triggers a system crash.

The second vulnerability, CVE-2018-18536, exists in both the GLCKIo and Asusgio drivers, which expose a way to read and write data from the IO ports. "This can be exploited in many ways, and ultimately it can run the code with increased permissions."

Juarez also used PoC code to show the possible impact of this vulnerability; during testing, for example, it caused the computer to restart. However, Juarez said the impact of the vulnerability goes well beyond that and that it is actually more dangerous.

The third vulnerability, CVE-2018-18535, was discovered in the Asusgio driver, which also exposes a read/write method, in this case not for the IO ports but for the model-specific registers (MSRs). An attacker can use it to run code with the highest privileges (ring-0, reserved for the operating system kernel).

MSR is a concept in the x86 architecture. It refers to a series of registers in x86 processors used for controlling CPU operation, function switches, debugging, tracking program execution, monitoring CPU performance, etc. These registers can be accessed through the privileged instructions "rdmsr" and "wrmsr", but these instructions can only be executed by code with ring-0 level permissions.

The PoC from Juarez confirmed that the CVE-2018-18535 vulnerability in the Asusgio driver gives an attacker access to the MSRs: it demonstrates the issue by leaking a kernel function pointer, which bypasses kernel address space layout randomization (KASLR), and results in a BSOD (Blue Screen of Death).

Communication with Asus did not achieve good results

According to the disclosure schedule released by SecureAuth, communication with Asus started in November 2017. Asus confirmed the vulnerability on February 2, 2018 and said 19 days later that it would update the Aura Sync utility in April.

On March 26, Asus informed SecureAuth that the vulnerabilities had been resolved. SecureAuth said this was also Asus's last reply.

When the company noticed that the new Aura Sync released in April still contained these vulnerabilities, it immediately asked Asus to explain. A subsequent version of the software was released in May, but SecureAuth then confirmed that Asus had fixed only one of the three vulnerabilities.

Four vulnerabilities discovered in Gigabyte GPCIDrv and GDrv drivers

Juarez also analyzed Gigabyte GPCIDrv and GDrv drivers and found that they can receive system calls from non-privileged user processes, even those running at low integrity levels.

The first vulnerability he discovered, now tracked as CVE-2018-19320, provides attackers with the possibility of full control of the system.

To prove this, Juarez also created a piece of PoC code for the GDrv driver. It shows that non-privileged users can read and write arbitrary virtual memory. Because it is for demonstration purposes, this PoC code only triggers a system crash, but the damage this vulnerability can cause goes well beyond that.

The second vulnerability is CVE-2018-19322, which exposes a method of reading and writing data from the input/output ports using non-privileged access. Gigabyte's GPCIDrv and GDrv drivers were both found to have this vulnerability, allowing attackers to obtain higher permissions. Similarly, the PoC code written by Juarez only causes the computer to restart, but modifying it could lead to more serious consequences.

The GDrv driver also exposes a way for non-privileged code to access the MSRs, allowing attackers to execute arbitrary code with ring-0 level permissions. The vulnerability is identified as CVE-2018-19323. The PoC demonstrates it by leaking a kernel function pointer, which bypasses kernel address space layout randomization (KASLR), and can lead to a BSOD (Blue Screen of Death).

According to SecureAuth's research, both the GPCIDrv and GDrv drivers contain the vulnerability CVE-2018-19321. This is a memory corruption vulnerability that allows attackers to take full control of the affected system. The PoC provided to BleepingComputer is harmless because it will only trigger a computer crash, but as mentioned earlier, a certain amount of modification to the code could lead to more serious consequences.
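A defender can turn the affected versions and driver names listed in this article into a simple inventory check. The following is an added example, not code from SecureAuth, BleepingComputer or the vendors; the inventory format, the product display names, the ".sys" suffix handling and the sample data are assumptions made for illustration.

```python
import re

# Affected releases as the article lists them: "max" means that version and
# earlier, "exact" means only that version is named (OC Guru II v2.08).
AFFECTED_SOFTWARE = {
    "aura sync": ("max", "1.07.22"),
    "gigabyte app center": ("max", "1.05.21"),
    "aorus graphics engine": ("max", "1.33"),
    "xtreme engine": ("max", "1.25"),
    "oc guru ii": ("exact", "2.08"),
}
# Driver-to-CVE mapping as described in the article (CVE-2018-19320 is
# mapped to GDrv, the driver its PoC was written for).
DRIVER_CVES = {
    "glckio": ["CVE-2018-18536", "CVE-2018-18537"],
    "asusgio": ["CVE-2018-18535", "CVE-2018-18536"],
    "gdrv": ["CVE-2018-19320", "CVE-2018-19321", "CVE-2018-19322", "CVE-2018-19323"],
    "gpcidrv": ["CVE-2018-19321", "CVE-2018-19322"],
}

def parse_version(text):
    """'v1.07.22' -> (1, 7, 22). Assumes components compare numerically."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)

def version_listed(product, version):
    """True if the article lists this product/version as affected."""
    for name, (rule, limit) in AFFECTED_SOFTWARE.items():
        if name in product.lower():
            have, lim = parse_version(version), parse_version(limit)
            width = max(len(have), len(lim))  # pad so 1.33.0 equals 1.33
            have += (0,) * (width - len(have))
            lim += (0,) * (width - len(lim))
            return have <= lim if rule == "max" else have == lim
    return False

def audit(software, drivers):
    """Return (item, reason) findings for one host's inventory."""
    findings = [(f"{p} {v}", "version listed as affected")
                for p, v in software if version_listed(p, v)]
    for drv in drivers:
        base = re.sub(r"\.sys$", "", drv.lower())  # suffix handling is an assumption
        if base in DRIVER_CVES:
            # Flag the driver even when the bundling software is newer: the
            # article says a later Aura Sync release fixed only one of three.
            findings.append((drv, ", ".join(DRIVER_CVES[base])))
    return findings

# Constructed inventory for illustration, not data from a real host.
SAMPLE_SOFTWARE = [("ASUS Aura Sync", "1.07.60"), ("GIGABYTE App Center", "1.5.21"),
                   ("OC Guru II", "2.07"), ("AORUS Graphics Engine", "1.33.0")]
SAMPLE_DRIVERS = ["GLCKIo.sys", "gdrv", "tcpip.sys"]
```

Calling `audit(SAMPLE_SOFTWARE, SAMPLE_DRIVERS)` reports the two listed software versions and the two matching drivers, while the newer Aura Sync entry is caught only through its driver.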

Communication with Gigabyte was also in vain

According to the disclosure schedule released by SecureAuth, the company disclosed the vulnerabilities to Gigabyte on April 24, 2018 and received a reply six days later. But no results were achieved after several email exchanges, as Gigabyte responded that its products were not affected by the vulnerabilities disclosed by SecureAuth.

SecureAuth released the disclosure schedule. It shows that despite receiving technical instructions and exploit code for demonstration, Gigabyte did not fix the above vulnerability.

"In May 2018, the Gigabyte technical support team replied that Gigabyte is a hardware company, not a professional software company. They asked us to provide specific technical details and tutorials so that we can verify the vulnerabilities," SecureAuth revealed.

SecureAuth also stated that "Gigabyte completely negated these vulnerabilities in its last reply, because Gigabyte replied that its project manager and engineer believed that its products were not affected by the vulnerabilities we disclosed."

This article was compiled by Hacker Vision Comprehensive Network, and the pictures are from the Internet; please indicate "Reprinted from Hacker Vision" and attach a link to the reprint.

