CVE-2019-7630: Vulnerability-Disclosures/FEYE-2019-0003.md at master · mandiant/Vulnerability-Disclosures
An issue was discovered in gdrv.sys in Gigabyte APP Center before 19.0227.1. The vulnerable driver exposes a wrmsr instruction via IOCTL 0xC3502580 and does not properly filter the target Model Specific Register (MSR). Allowing arbitrary MSR writes can lead to Ring-0 code execution and escalation of privileges.
FEYE-2019-0003
Description
IOCTL 0xC3502580 in gdrv.sys, which is packaged as part of multiple applications, exposes the wrmsr instruction to user-mode callers without properly validating the target Model Specific Register (MSR). This can result in arbitrary unsigned code being executed in Ring 0.
Impact
High - Arbitrary Ring 0 code execution
Exploitability
Medium/Low - Driver must be loaded or attacker will require admin rights. Newer versions require admin callers.
CVE Reference
CVE-2019-7630
Technical Details
IOCTL 0xC3502580 in the gdrv.sys driver, included as part of the Gigabyte App Center, instructs the driver to modify a Model Specific Register (MSR) on the target system. These registers control a wide variety of system functionality and can be used to monitor CPU temperature, track branches in code, tweak voltages, etc. MSRs are also responsible for setting the kernel mode function responsible for handling system calls.
The driver does not appropriately filter access to MSRs, allowing an attacker to overwrite the system call handler and run unsigned code in Ring 0. Allowing access to any of the following MSRs can result in arbitrary Ring 0 code being executed:
- 0xC0000081
- 0xC0000082
- 0xC0000083
- 0x174
- 0x175
- 0x176
For exploitation details see the INFILTRATE presentation in the references.
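Added here as an illustration of the filtering the advisory says is missing, not code from gdrv.sys, Gigabyte or Mandiant: a user-mode C model of how the IOCTL 0xC3502580 handler should gate a wrmsr request before it reaches the instruction. The request layout, the allowlist contents and the caller-is-admin flag are assumptions; the six denied MSRs are the ones the advisory lists.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout of the wrmsr IOCTL input buffer (not gdrv's real format). */
typedef struct {
    uint32_t msr;      /* target MSR index (ECX operand of wrmsr) */
    uint32_t value_lo; /* EAX */
    uint32_t value_hi; /* EDX */
} msr_write_req_t;

/* MSRs named in the advisory: a write to any of these can redirect the
   system call entry point, i.e. arbitrary Ring 0 code execution. */
static const uint32_t never_writable[] = {
    0xC0000081, 0xC0000082, 0xC0000083, 0x174, 0x175, 0x176 };

/* Hypothetical allowlist of MSRs the application legitimately needs.
   The real set depends on the product's features; it is an assumption here. */
static const uint32_t allowed_msrs[] = { 0x19C /* IA32_THERM_STATUS, assumed */ };

enum { MSR_OK = 0, MSR_BAD_LENGTH, MSR_ACCESS_DENIED, MSR_NOT_ALLOWED };

static bool in_list(uint32_t msr, const uint32_t *l, size_t n) {
    for (size_t i = 0; i < n; i++) if (l[i] == msr) return true;
    return false;
}

/* Sanity check a reviewer would want: no denied MSR may ever be allowlisted. */
bool allowlist_is_consistent(void) {
    size_t n_allow = sizeof allowed_msrs / sizeof allowed_msrs[0];
    size_t n_deny = sizeof never_writable / sizeof never_writable[0];
    for (size_t i = 0; i < n_allow; i++)
        if (in_list(allowed_msrs[i], never_writable, n_deny)) return false;
    return true;
}

/* Policy the IOCTL handler should apply: validate the buffer size, require an
   administrative caller, deny the advisory's MSRs outright, then accept only
   allowlisted MSRs. Only on MSR_OK would the driver go on to issue wrmsr. */
int filter_msr_write(const void *buf, size_t len, bool caller_is_admin,
                     msr_write_req_t *out) {
    if (buf == NULL || len != sizeof(msr_write_req_t)) return MSR_BAD_LENGTH;
    if (!caller_is_admin) return MSR_ACCESS_DENIED;
    msr_write_req_t req;
    memcpy(&req, buf, sizeof req);   /* copy out of the user buffer once */
    if (in_list(req.msr, never_writable, sizeof never_writable / sizeof never_writable[0]))
        return MSR_NOT_ALLOWED;      /* denylist wins even if the allowlist grows */
    if (!in_list(req.msr, allowed_msrs, sizeof allowed_msrs / sizeof allowed_msrs[0]))
        return MSR_NOT_ALLOWED;      /* default deny for anything unlisted */
    *out = req;
    return MSR_OK;
}
```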
Resolution
This issue was fixed in version 19.0227.1 in May 2019.
Discovery Credits
Ryan Warns
Disclosure Timeline
- 2 February 2019 - Contacted vendor
- 11 February 2019 - Confirmed issue was still present
- 11 February 2019 - Vendor implemented fix
- 5 May 2019 - Fix is published
References
- Exploitation Details