FEYE-2019-0014

Description

IOCTL 0x81112ee0 in AODDriver2.sys, included as part of the AMD Overdrive application, exposes the wrmsr instruction to user-mode callers without properly validating the target Model Specific Register (MSR). This can result in arbitrary unsigned code being executed in Ring 0.

Impact

High - Arbitrary Ring 0 code execution

Exploitability

Low - The driver must already be loaded (otherwise the attacker requires administrative rights to load it), and an exploit is unlikely to be stable due to heap grooming concerns.

CVE Reference

CVE-2019-7247

Technical Details

The driver does not appropriately filter access to MSRs, allowing an attacker to overwrite the system call handler and run unsigned code in Ring 0. Allowing access to any of the following MSRs can result in arbitrary Ring 0 code being executed:

  • 0xC0000081
  • 0xC0000082
  • 0xC0000083
  • 0x174
  • 0x175
  • 0x176

For exploitation details see the INFILTRATE presentation in the references.
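The following is an added illustration, not code from AODDriver2.sys or from the advisory: a user-mode-compilable model of the IOCTL's write path, showing the unfiltered policy the advisory describes beside a denylist built from the six MSRs listed above and a stricter allowlist. The allowlist entry 0xC0010015 is a placeholder, since the advisory does not state which MSRs the driver legitimately writes; `record_wrmsr` stands in for the real `wrmsr` instruction.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* MSRs the advisory names as sufficient for Ring 0 code execution
 * when they can be written from user mode. */
static const uint32_t kDeniedMsrs[] = {
    0xC0000081, 0xC0000082, 0xC0000083, 0x174, 0x175, 0x176,
};

/* Placeholder allowlist: the registers this driver would legitimately
 * need. The real set for AODDriver2.sys is not given in the advisory. */
static const uint32_t kAllowedMsrs[] = { 0xC0010015 };

/* Vulnerable pattern: every (msr, value) pair from the IOCTL buffer
 * is forwarded to wrmsr without inspection. */
static bool unfiltered_wrmsr_policy(uint32_t msr) { (void)msr; return true; }

/* Denylist: rejects only the registers known to be dangerous. */
static bool denylist_wrmsr_policy(uint32_t msr) {
    for (size_t i = 0; i < sizeof kDeniedMsrs / sizeof kDeniedMsrs[0]; i++)
        if (kDeniedMsrs[i] == msr) return false;
    return true;
}

/* Allowlist: rejects everything the driver does not explicitly need. */
static bool allowlist_wrmsr_policy(uint32_t msr) {
    for (size_t i = 0; i < sizeof kAllowedMsrs / sizeof kAllowedMsrs[0]; i++)
        if (kAllowedMsrs[i] == msr) return true;
    return false;
}

typedef struct { uint32_t msr; uint64_t value; } wrmsr_request;

/* Stand-in for the privileged instruction; records the last write. */
static uint32_t g_last_msr_written = 0;
static void record_wrmsr(uint32_t msr, uint64_t value) {
    (void)value;
    g_last_msr_written = msr;
}

/* Hardened dispatch: apply the policy before touching the MSR.
 * Returns 0 on success, -1 for a bad request, -2 when denied. */
static int handle_wrmsr_ioctl(const wrmsr_request *req,
                              bool (*policy)(uint32_t)) {
    if (req == NULL) return -1;
    if (!policy(req->msr)) return -2;
    record_wrmsr(req->msr, req->value);
    return 0;
}
```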

Resolution

Per the vendor, this issue is being disclosed due to the software package being discontinued.

Discovery Credits

Ryan Warns

Disclosure Timelines

  • 4 November 2019 - contacted vendor
  • 4 November 2019 - vendor response, issue being investigated
  • 3 March 2020 - second attempt to contact vendor
  • 3 March 2020 - vendor confirmed software no longer in use

References

Exploitation Details