CVE-2023-43896: Macrium Reflect driver out-of-bounds write

A buffer overflow in Macrium Reflect 8.1.7544 and below allows attackers to escalate privileges or execute arbitrary code.


Date: 09-10-2023

CVE NUMBER

CVE-2023-43896

CVSS SCORE

9.3 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

SUMMARY

The IRP_MJ_READ handler of the psmounterex.sys driver shipped with Macrium Reflect contains an out-of-bounds write. A local user who can reach the driver can use it to corrupt the kernel heap, which can lead to complete loss of system integrity.

Impacted Versions

v8.1.7544 and before (the bug has been present since at least 2019)

DETAILS

The driver lets the caller choose the size of an allocation that it later fills by reading a file from disk, and the caller also chooses which file is read. The copy is bounded by the file size rather than by the allocation size, so if the file is larger than the allocation, the file's contents are written past the end of the allocation into adjacent kernel heap memory.

The proof of concept proceeds in three steps (the original advisory illustrates each with a debugger screenshot):

1. Set the allocation size to 0x10 and receive back a pointer to that allocation.
2. Create a file on disk that is larger than 0x10 bytes and filled with 'A' characters.
3. Have the driver read from that file: the A's extend beyond the 0x10-byte buffer into the memory that follows it.
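As an added illustration that is not part of the advisory and is not the psmounterex.sys code (the driver's internals, the pool layout and every name below are assumptions), the following user-mode C model shows the bug class described above: the copy length is taken from the file rather than from the allocation, so a file larger than the requested allocation overwrites whatever sits after it. The hardened variant shows the check a driver should make before copying.

```c
/* Hypothetical user-mode model of the out-of-bounds write described in the
 * advisory. This is NOT the psmounterex.sys code; the pool layout, sizes and
 * names are invented for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE    64     /* size of the simulated pool region (assumption) */
#define NEIGHBOR_FILL 0xCC   /* fill pattern of the adjacent, innocent allocation */

/* Simulated kernel pool. Bytes [0, alloc_size) are the caller-sized
 * allocation; everything after it belongs to a neighbouring object that a
 * correct read must never touch. */
typedef struct {
    uint8_t bytes[ARENA_SIZE];
} pool_t;

static void pool_init(pool_t *p)
{
    memset(p->bytes, NEIGHBOR_FILL, sizeof p->bytes);
}

/* Vulnerable read path, modelled on the advisory's description: the copy
 * length comes from the file and alloc_size is never consulted. The
 * ARENA_SIZE clamp only keeps this user-mode model within defined behaviour;
 * it is not part of the bug being modelled. */
static size_t vulnerable_read(pool_t *p, size_t alloc_size,
                              const uint8_t *file, size_t file_len)
{
    (void)alloc_size;                  /* the missing bounds check */
    if (file_len > ARENA_SIZE)
        file_len = ARENA_SIZE;
    memcpy(p->bytes, file, file_len);
    return file_len;
}

/* Hardened read path: a file that does not fit the allocation is rejected
 * before any copy (a driver would fail the IRP with an error status rather
 * than truncate silently), and the copy can never exceed alloc_size. */
static bool hardened_read(pool_t *p, size_t alloc_size,
                          const uint8_t *file, size_t file_len,
                          size_t *written)
{
    *written = 0;
    if (alloc_size > ARENA_SIZE || file_len > alloc_size)
        return false;
    memcpy(p->bytes, file, file_len);
    *written = file_len;
    return true;
}

/* Number of neighbour bytes (past alloc_size) that no longer hold the fill
 * pattern, i.e. the size of the out-of-bounds write. */
static size_t neighbor_corrupted_bytes(const pool_t *p, size_t alloc_size)
{
    size_t n = 0;
    for (size_t i = alloc_size; i < ARENA_SIZE; i++)
        if (p->bytes[i] != NEIGHBOR_FILL)
            n++;
    return n;
}

/* Build the constructed PoC input: a file of file_len 'A' bytes. */
static size_t make_poc_file(uint8_t *file, size_t cap, size_t file_len)
{
    if (file_len > cap)
        file_len = cap;
    memset(file, 'A', cap);
    return file_len;
}

/* Replay the advisory's scenario through the vulnerable path and return how
 * many bytes of the neighbouring object were overwritten. */
static size_t demo_vulnerable(size_t alloc_size, size_t file_len)
{
    uint8_t file[ARENA_SIZE];
    pool_t pool;
    file_len = make_poc_file(file, sizeof file, file_len);
    pool_init(&pool);
    vulnerable_read(&pool, alloc_size, file, file_len);
    return neighbor_corrupted_bytes(&pool, alloc_size);
}

/* Same scenario through the hardened path: true if the read was accepted. */
static bool hardened_accepts(size_t alloc_size, size_t file_len)
{
    uint8_t file[ARENA_SIZE];
    pool_t pool;
    size_t written;
    file_len = make_poc_file(file, sizeof file, file_len);
    pool_init(&pool);
    return hardened_read(&pool, alloc_size, file, file_len, &written);
}

/* Same scenario through the hardened path: neighbour bytes overwritten. */
static size_t demo_hardened(size_t alloc_size, size_t file_len)
{
    uint8_t file[ARENA_SIZE];
    pool_t pool;
    size_t written;
    file_len = make_poc_file(file, sizeof file, file_len);
    pool_init(&pool);
    hardened_read(&pool, alloc_size, file, file_len, &written);
    return neighbor_corrupted_bytes(&pool, alloc_size);
}

int main(void)
{
    printf("vulnerable: 0x10-byte allocation, 0x20-byte file -> %zu neighbour bytes overwritten\n",
           demo_vulnerable(0x10, 0x20));
    printf("hardened:   read %s, %zu neighbour bytes overwritten\n",
           hardened_accepts(0x10, 0x20) ? "accepted" : "rejected",
           demo_hardened(0x10, 0x20));
    return 0;
}
```

With a 0x10-byte allocation and a 0x20-byte file, the vulnerable path overwrites the 0x10 bytes that follow the allocation, exactly the picture the advisory's third screenshot shows; the hardened path rejects the read and leaves the neighbour untouched. In a real driver the rejection would be an error status returned for the IRP, and the file length should be taken from the opened file at copy time rather than from any earlier query, since the file is attacker-controlled and can change in between.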

TIMELINE

12-09-2023 - Vendor Disclosure
09-10-2023 - Vendor Patch Release
09-10-2023 - Public Release

REFERENCE

Fixed in version v8.1.7675: http://updates.macrium.com/reflect/v8/v8.1.7675/details8.1.7675.htm

CREDIT

Discovered by Alex Oudenaarden

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.
