IOCTL 0x81112ee0 in AODDriver2.sys, included as part of the AMD Overdrive application, exposes the wrmsr instruction to user-mode callers without properly validating the target Model Specific Register (MSR). This can result in arbitrary unsigned code being executed in Ring 0.
High - Arbitrary Ring 0 code execution
Low - The driver must already be loaded, otherwise the attacker needs administrative rights to load it; a reliable exploit is also hard to build because of heap-grooming concerns.
CVE-2019-7247
The driver does not appropriately filter access to MSRs, allowing an attacker to overwrite the system call handler and run unsigned code in Ring 0. Allowing access to any of the following MSRs can result in arbitrary Ring 0 code being executed:
- 0xC0000081
- 0xC0000082
- 0xC0000083
- 0x174
- 0x175
- 0x176
For exploitation details see the INFILTRATE presentation in the references.
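The root cause above is an IOCTL handler that forwards a caller-supplied MSR number straight to wrmsr. The following C is an added illustration (not AMD's driver code) of the vulnerable pattern beside a hardened handler that gates writes on an allowlist and explicitly rejects the entry-point MSRs the advisory lists. The request structure, status codes and the single "allowed" MSR value are hypothetical placeholders; the privileged write is mocked so the logic can be exercised in user mode.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* IOCTL code taken from the advisory; the request layout is assumed. */
#define IOCTL_WRITE_MSR 0x81112ee0u

typedef struct {
    uint32_t msr;     /* target Model Specific Register */
    uint64_t value;   /* value to write */
} MSR_WRITE_REQUEST;

/* Placeholder status codes (not real NTSTATUS values). */
enum { STATUS_OK = 0, STATUS_ACCESS_DENIED = 1, STATUS_BAD_LENGTH = 2, STATUS_BAD_IOCTL = 3 };

/* MSRs named in the advisory. Each one controls the SYSCALL/SYSENTER entry
 * path, so a user-mode-controlled write to any of them hands over Ring 0. */
static const uint32_t kDeniedMsrs[] = {
    0xC0000081u, /* STAR  */
    0xC0000082u, /* LSTAR: 64-bit SYSCALL entry point */
    0xC0000083u, /* CSTAR */
    0x174u,      /* IA32_SYSENTER_CS  */
    0x175u,      /* IA32_SYSENTER_ESP */
    0x176u,      /* IA32_SYSENTER_EIP */
};

/* Hypothetical allowlist: the only MSRs the tool legitimately needs.
 * The value is a constructed placeholder, not a real register the tool uses. */
#define PLACEHOLDER_ALLOWED_MSR 0x0BADF00Du
static const uint32_t kAllowedMsrs[] = { PLACEHOLDER_ALLOWED_MSR };

/* Mock of the privileged write. A real driver would call __writemsr();
 * here we only record the request so behaviour can be checked in user mode. */
static uint32_t g_last_msr = 0;
static int g_write_count = 0;

static void mock_write_msr(uint32_t msr, uint64_t value) {
    (void)value;
    g_last_msr = msr;
    g_write_count++;
}

int mock_write_count(void) { return g_write_count; }
uint32_t mock_last_msr(void) { return g_last_msr; }

bool msr_write_denied(uint32_t msr) {
    for (size_t i = 0; i < sizeof(kDeniedMsrs) / sizeof(kDeniedMsrs[0]); i++)
        if (kDeniedMsrs[i] == msr) return true;
    return false;
}

bool msr_write_allowed(uint32_t msr) {
    if (msr_write_denied(msr)) return false;   /* belt and braces */
    for (size_t i = 0; i < sizeof(kAllowedMsrs) / sizeof(kAllowedMsrs[0]); i++)
        if (kAllowedMsrs[i] == msr) return true;
    return false;                                 /* default deny */
}

/* Vulnerable pattern: the MSR number comes from the caller and is never checked. */
int vulnerable_dispatch(uint32_t ioctl, const void *in, size_t in_len) {
    if (ioctl != IOCTL_WRITE_MSR) return STATUS_BAD_IOCTL;
    if (in == NULL || in_len < sizeof(MSR_WRITE_REQUEST)) return STATUS_BAD_LENGTH;
    const MSR_WRITE_REQUEST *req = (const MSR_WRITE_REQUEST *)in;
    mock_write_msr(req->msr, req->value);       /* no validation of req->msr */
    return STATUS_OK;
}

/* Hardened pattern: same interface, but the target MSR must be on the allowlist. */
int hardened_dispatch(uint32_t ioctl, const void *in, size_t in_len) {
    if (ioctl != IOCTL_WRITE_MSR) return STATUS_BAD_IOCTL;
    if (in == NULL || in_len < sizeof(MSR_WRITE_REQUEST)) return STATUS_BAD_LENGTH;
    const MSR_WRITE_REQUEST *req = (const MSR_WRITE_REQUEST *)in;
    if (!msr_write_allowed(req->msr)) return STATUS_ACCESS_DENIED;
    mock_write_msr(req->msr, req->value);
    return STATUS_OK;
}

int main(void) {
    MSR_WRITE_REQUEST lstar = { 0xC0000082u, 0 };
    printf("vulnerable handler, LSTAR: status %d, writes so far %d\n",
           vulnerable_dispatch(IOCTL_WRITE_MSR, &lstar, sizeof lstar), mock_write_count());
    printf("hardened handler, LSTAR: status %d, writes so far %d\n",
           hardened_dispatch(IOCTL_WRITE_MSR, &lstar, sizeof lstar), mock_write_count());
    return 0;
}
```

The denylist alone is not sufficient in a real driver (there are other MSRs whose misuse is dangerous), which is why the hardened handler defaults to deny and only permits an explicit allowlist; the denylist is kept as a second layer so that an accidental allowlist entry for one of the entry-point registers still fails closed.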
Per the vendor, this issue is being disclosed due to the software package being discontinued.
Ryan Warns
- 4 November 2019 - contacted vendor
- 4 November 2019 - vendor response, issue being investigated
- 3 March 2020 - second attempt to contact vendor
- 3 March 2020 - vendor confirmed software no longer in use