High
CVE-2019-7244
CVE-2019-7244
Description
An issue was discovered in kerneld.sys in AIDA64 before 5.99. The vulnerable driver exposes a wrmsr instruction via IOCTL 0x80112084 and does not properly filter the Model Specific Register (MSR). Allowing arbitrary MSR writes can lead to Ring-0 code execution and escalation of privileges.
Add Assessment
Technical Analysis
This vulnerability takes advantage of an exposed IOCTL code (0x80112084) within the kerneld.sys driver that’s included within AIDA64. One of the control registers in the x86 instruction set is known as the MSR, the Model specific register is used for debugging, program execution tracing, computer performance monitoring and managing and toggling certain CPU functionality.. This driver instructs a binary to modify this register on the victim system, and successful exploitation of this vulnerability can allow for ring-0 code execution from an unauthorized and unauthenticated user mode standpoint. Successful exploitation of an exposed write WRMSR instruction can give us a pointer overwrite primitive. Because this driver does not appropriately filter access to MSRs which will allow an attacker to overwrite It and our pointer is called in ring-0.
The commonly used technique for this, is an attacked will use this R/W from the physical MSR register, and use that to traverse SYSTEM processes EPROCESS structure for SYSTEM level tokens, and either spawning a new process or swapping the new SYSTEM token with their current processes.
On January 1st FireEye contacted the vendor with disclosure of the vulnerability. And on November 4th, 2019 FireEye verified that the issue was successfully resolved.
The recommended mitigation is to update your current AIDA64 with the latest provided version of the software.
CVSS V3 Severity and Metrics
General Information
Vendors
- aida64
Products
- aida64
