[IOBit][Advanced SystemCare Utimate][AscRegistryFilter][0x8001E000][NPD][DOS]

IOBit Advanced SystemCare Utimate DOS Vulnerability

Basic Info

Vendor: IOBit

Software：

Name: Advanced SystemCare Utimate
Version: 17.0.0
Download Page: https://www.iobit.com/en/advancedsystemcarefree.php

Vulnerable Component:

File: AscRegistryFilter.sys
File Version: 15.0.0.1

Vuln Type: Null Pointer Dereference

Description:

AscRegistryFilter.sys allows all users in Everyone Group to interact with it. When process IOCTL 0x8001E000, it doesn't check the address of the input buffer, an attacker with low privilege can trigger this vulnerability and cause BSOD in the Windows system.

Proof Of Concept

Test OS Version: Windows 10, 19041.vb_release.191206-1406

click poc.exe to trigger this issue
cause a BSOD of Windows system

CONTEXT:  ffff808cd7c44d90 -- (.cxr 0xffff808cd7c44d90)
rax=000000008001e01c rbx=0000000000000000 rcx=000000008001e000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff806743a19e9 rsp=ffff808cd7c45790 rbp=0000000000000000
 r8=0000000000000002  r9=00000000756c7466 r10=fffff806743a16c4
r11=0000000000000000 r12=ffffd702f101ebc0 r13=ffffd702f1b7b700
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050246
AscRegistryFilter+0x19e9:
fffff806`743a19e9 833e01          cmp     dword ptr [rsi],1 ds:002b:00000000`00000000=????????
Resetting default scope

PROCESS_NAME:  poc.exe

STACK_TEXT:
ffff808c`d7c45790 fffff806`59a49cf5 : 00000000`00000002 00000000`00000000 ffffd702`f7061320 00000000`00000000 : AscRegistryFilter+0x19e9
ffff808c`d7c457f0 fffff806`59e592ac : 00000000`00000001 00000000`8001e000 ffffd702`f7061320 00000000`00000000 : nt!IofCallDriver+0x55
ffff808c`d7c45830 fffff806`59e58f03 : ffffd702`00000000 ffff808c`d7c45b80 00000000`00010000 00000000`8001e000 : nt!IopSynchronousServiceTail+0x34c
ffff808c`d7c458d0 fffff806`59e581d6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xd13
ffff808c`d7c45a20 fffff806`59c25235 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`0014edb8 : nt!NtDeviceIoControlFile+0x56
ffff808c`d7c45a90 00007ffa`f510d0c4 : 00007ffa`f2b2591b 00000002`0000000c 00007ffa`f50c0101 000073d6`2c39680e : nt!KiSystemServiceCopyEnd+0x25
00000000`0014fdc8 00007ffa`f2b2591b : 00000002`0000000c 00007ffa`f50c0101 000073d6`2c39680e 00007ffa`f2fd5985 : ntdll!NtDeviceIoControlFile+0x14
00000000`0014fdd0 00007ffa`f3295921 : 00000000`8001e000 00000000`00000000 00000000`0014fe60 00007ffa`00000000 : KERNELBASE!DeviceIoControl+0x6b
00000000`0014fe40 00007ff7`ead210fc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!DeviceIoControlImplementation+0x81
00000000`0014fe90 00007ff7`ead21350 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : poc!main+0x8c

attachment

AscRegistryFilter.sys