Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

CVE-2020-15479

Description

The IOCTL request handler in the DirectIo32.sys and DirectIo64.sys kernel drivers distributed with the BurnInTest, PerformanceTest and OSForensics applications by PassMark Software attempts to copy the input buffer onto the stack without checking its size and can cause a buffer overflow. This could lead to arbitrary Ring-0 code execution and escalation of privileges.

Impact

High - Arbitrary Ring-0 code execution

Exploitability

Medium/Low - Driver must be loaded prior to the exploitation in order to be utilized by low-privilege users, otherwise the attacker will require admin rights for the driver installation.

Technical Details

When the driver receives an IOCTL request from a usermode program, it will first copy the request input buffer into a local buffer on the stack. The size of the memcpy is only based on the size of the input buffer and does not take into account the capacity of the stack buffer. This may lead to a buffer overflow, if a large enough IOCTL buffer is provided. This happens in multiple places of the IOCTL handler function and several IOCTLs can be used for this purpose.

Resolution

The fix is distributed as a part of the August 2020 updates of the vendor's products.

Reporter

This vulnerability was discovered and reported by Michal Poslušný.

Disclosure Timeline

  • 23 June 2020 - Issue reported to vendor
  • 23 June 2020 - Vendor responded and confirmed the issues
  • 15 July 2020 - Vendor shared a test version of the driver with the issues addressed
  • 24 July 2020 - Vendor released a final version of the driver
  • 6 August 2020 - Integration of the fixed version of the driver into the vendor's products started

References