DriverGenius, mydrivers64.sys, Read/Write Arbitrary Physical Memory
Vulnerability Info
Version
- DriverGenius 9.70.0.346, mydrivers64.sys 9.2.707.1214
- http://www.drivergenius.com/
Impact
Read/Write Arbitrary Physical Memory
Description
From IoControlCode 0x9C406104 and 0x9C40A108, a normal user can read and write physical memory arbitrarily, which can lead to escalation of privilege or kernel execution.
Reproduce
In the attached file ReadWriteArbitraryPhysicalMemory.zip, there are ReadWriteArbitraryPhysicalMemory.exe, ReadWriteArbitraryPhysicalMemory.cpp, DGSetup_Home_BZNR.exe, and mydrivers64.sys. ReadWriteArbitraryPhysicalMemory.exe is the PoC to read and write physical memory where DGSetup_Home_BZNR.exe which contains the vulnerable driver mydrivers64.sys is installed, and ReadWriteArbitraryPhysicalMemory.cpp is the source code of ReadWriteArbitraryPhysicalMemory.exe. To reproduce the issue, install DGSetup_Home_BZNR.exe and execute ReadWriteArbitraryPhysicalMemory.exe. It is expected that the physical memory at address 0 will be read and written to 0xdeadbeef, then read again to show the new value. Password for attachment: ReadWriteArbitraryPhysicalMemory https://drive.google.com/file/d/1Iz4VTUUVDveZlgtxN9WkvdygHkD1BUCr/view?usp=sharing