A few weeks ago, I reported a Local Privilege Escalation (LPE) affecting versions of EVGA’s Precision X1 performance software prior to 1.0.7. This vulnerability was patched in version 1.0.7.
While looking at the services created by the application, I noticed that a driver service, “WinRing0_1_2_0,” was started on the system and correlated to the driver file C:\Program Files\EVGA\WinRing0\WinRing0x64.sys. This driver is a third-party component developed by OpenLibSys and is also bundled with the OpenHardwareMonitor library. The copy shipped with Precision X1 is signed by EVGA so that it can be loaded on modern Windows systems, which enforce kernel-mode driver signing.
This driver creates a device object with a NULL DACL, which grants every user full access to it, as shown in WinObj below. As a result, any user on the system can open the device and issue requests (IOCTLs) to the driver.
WinRing0 lets callers read and write arbitrary physical memory, read and modify model-specific registers (MSRs), and read from and write to I/O ports on the host. These capabilities are intended by the driver’s developers; they are what hardware-monitoring software uses it for. However, because a low-privileged user can issue these requests, they present an opportunity for local privilege escalation. For example, a local user who invokes the IOCTLs for reading and writing arbitrary memory can gain NT AUTHORITY\SYSTEM privileges by mapping \Device\PhysicalMemory into the calling process.
The core issue is not that the driver exposes these functions, but that no restrictive ACL is applied to its device object, so any user on the system has unrestricted access to them.
Note: Vulnerabilities stemming from the use of this unmodified driver have previously been reported to other vendors, such as HP. The driver is listed in Eclypsium’s Screwed Drivers project as a wormhole driver, and Riot Games’ Vanguard anti-cheat driver blocked WinRing0 until recently.
To remediate the vulnerability, it was recommended that the call to IoCreateDevice() in WinRing0 be replaced with IoCreateDeviceSecure(). Passing SDDL_DEVOBJ_SYS_ALL_ADM_ALL (defined in wdmsec.h as D:P(A;;GA;;;SY)(A;;GA;;;BA)) as the DefaultSDDLString parameter restricts access to the device object to NT AUTHORITY\SYSTEM and members of the local Administrators group, so a standard user can no longer open it.
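The following PowerShell script is an added example, not code from the original post, from EVGA, or from OpenLibSys. It reproduces the WinObj check from user mode: it opens a device object with the access an IOCTL caller needs, reads the security descriptor of the underlying kernel object with GetKernelObjectSecurity, and reports whether the DACL is NULL or otherwise grants Everyone, Authenticated Users or Users access; it then parses the recommended SDDL_DEVOBJ_SYS_ALL_ADM_ALL string so the two can be compared. The device name \\.\WinRing0_1_2_0 is an assumption derived from the service name above (the page does not give the symbolic link name); the function accepts any \\.\ device name, so the same check applies to any driver on the host. It targets Windows PowerShell 5.1 and should be run as a standard, non-administrative user, since that is the caller the vulnerability concerns.

```powershell
# Added example (not from the original post, EVGA, or OpenLibSys): inspect the DACL of
# a device object from user mode and compare it with the recommended SDDL.
# Assumption: the WinRing0 device is reachable as \\.\WinRing0_1_2_0.
# Target: Windows PowerShell 5.1, run as a standard user.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFileW(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes,
    uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetKernelObjectSecurity(
    Microsoft.Win32.SafeHandles.SafeFileHandle Handle, uint RequestedInformation,
    byte[] pSecurityDescriptor, uint nLength, out uint lpnLengthNeeded);
'@

# What IoCreateDeviceSecure() applies for SDDL_DEVOBJ_SYS_ALL_ADM_ALL (wdmsec.h):
# a protected DACL granting GENERIC_ALL to SYSTEM and Administrators only.
$RecommendedSddl = 'D:P(A;;GA;;;SY)(A;;GA;;;BA)'
$TrustedSids     = @('S-1-5-18', 'S-1-5-32-544')   # NT AUTHORITY\SYSTEM, BUILTIN\Administrators

function Get-DeviceObjectDacl {
    param([Parameter(Mandatory)][string]$DeviceName)

    $GENERIC_READ  = [uint32]0x80000000
    $GENERIC_WRITE = [uint32]0x40000000
    $READ_CONTROL  = [uint32]0x00020000
    $OPEN_EXISTING = 3
    $DACL_SECURITY_INFORMATION = 4
    $openErr = 0

    # Ask for the access an IOCTL caller needs. On the vulnerable driver this succeeds
    # for any user; on a properly secured device it fails with ERROR_ACCESS_DENIED (5).
    $h = [Win32.Native]::CreateFileW($DeviceName, ($GENERIC_READ -bor $GENERIC_WRITE), 0,
            [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    $openedRW = -not $h.IsInvalid
    if (-not $openedRW) {
        $openErr = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        # Fall back to READ_CONTROL so the DACL can still be dumped where that is allowed.
        $h = [Win32.Native]::CreateFileW($DeviceName, $READ_CONTROL, 0,
                [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
        if ($h.IsInvalid) {
            return [pscustomobject]@{ Device = $DeviceName; OpenedReadWrite = $false
                                      Win32Error = $openErr; NullDacl = $null; Sddl = $null
                                      WorldAccessible = $false; OnlySystemAndAdmins = $null }
        }
    }

    try {
        # Two-call pattern: query the required size, then fetch the self-relative descriptor.
        $needed = [uint32]0
        [void][Win32.Native]::GetKernelObjectSecurity($h, $DACL_SECURITY_INFORMATION, $null, 0, [ref]$needed)
        $buf = New-Object byte[] $needed
        if (-not [Win32.Native]::GetKernelObjectSecurity($h, $DACL_SECURITY_INFORMATION, $buf, $needed, [ref]$needed)) {
            throw "GetKernelObjectSecurity failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
    } finally { $h.Dispose() }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($buf, 0)
    $nullDacl = ($null -eq $sd.DiscretionaryAcl)   # no DACL at all: everyone gets everything

    # Collect the SIDs that are granted access by allow ACEs.
    $grantees = @()
    if (-not $nullDacl) {
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -is [System.Security.AccessControl.CommonAce] -and
                $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
                $grantees += $ace.SecurityIdentifier.Value
            }
        }
    }
    # Everyone, Authenticated Users or BUILTIN\Users in the DACL is as bad as a NULL DACL for LPE purposes.
    $world = $nullDacl -or ($grantees -contains 'S-1-1-0') -or ($grantees -contains 'S-1-5-11') -or ($grantees -contains 'S-1-5-32-545')
    $onlyTrusted = (-not $nullDacl) -and ($grantees.Count -gt 0) -and
                   (@($grantees | Where-Object { $TrustedSids -notcontains $_ }).Count -eq 0)

    [pscustomobject]@{
        Device              = $DeviceName
        OpenedReadWrite     = $openedRW
        Win32Error          = $openErr
        NullDacl            = $nullDacl
        Sddl                = if ($nullDacl) { '<NULL DACL>' } else { $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::Access) }
        WorldAccessible     = $world
        OnlySystemAndAdmins = $onlyTrusted
    }
}

# Assumed device name for the vulnerable WinRing0 build.
Get-DeviceObjectDacl -DeviceName '\\.\WinRing0_1_2_0' | Format-List

# The recommended policy, parsed the same way, for side-by-side comparison.
$ref = New-Object System.Security.AccessControl.RawSecurityDescriptor($RecommendedSddl)
$ref.DiscretionaryAcl | ForEach-Object { '{0,-14} {1}' -f $_.SecurityIdentifier.Value, $_.AceType }
```

A vulnerable WinRing0 build should report OpenedReadWrite as True and NullDacl as True for a standard user. A device created through IoCreateDeviceSecure() with the recommended SDDL should fail both opens with Win32 error 5 (ERROR_ACCESS_DENIED) for that same user, which is the desired outcome; run the script elevated to still dump such a device's DACL and confirm that only S-1-5-18 and S-1-5-32-544 appear in it.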
EVGA instead opted to write new drivers, driver-x64.sys and driver-x86.sys, from the ground up and ship them with Precision X1. These drivers restrict access to their device objects via their security descriptors.
I wanted to put out a quick thank you to the security team, and everyone involved with the patch for this vulnerability at EVGA. They were kind, prompt in their responses, and very easy to work with.
CVE-2020-14979: Local Privilege Escalation in EVGA PrecisionX1 was originally published in Posts By SpecterOps Team Members on Medium.