Vendor: IOBit
Software:
Vulnerable Component:
Vuln Type: Null Pointer Dereference
Description:
AscRegistryFilter.sys allows all users in the Everyone group to interact with it. When processing IOCTL 0x8001E018, it does not check the address of the input buffer, so an attacker with low privileges can trigger this vulnerability and cause a BSOD on the Windows system.
Test OS Version: Windows 10, 19041.vb_release.191206-1406
CONTEXT: ffff808cd8b24d90 -- (.cxr 0xffff808cd8b24d90)
rax=000000008001e01c rbx=0000000000000000 rcx=000000008001e018
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff806743a1774 rsp=ffff808cd8b25790 rbp=0000000000000000
r8=0000000000000002 r9=00000000756c7466 r10=fffff806743a16c4
r11=0000000000000000 r12=ffffd702f40a9cd0 r13=ffffd702f1b7b700
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050246
AscRegistryFilter+0x1774:
fffff806`743a1774 833e01 cmp dword ptr [rsi],1 ds:002b:00000000`00000000=????????
Resetting default scope
PROCESS_NAME: poc.exe
STACK_TEXT:
ffff808c`d8b25790 fffff806`59a49cf5 : 00000000`00000002 00000000`00000000 ffffd702`f6452a50 00000000`00000000 : AscRegistryFilter+0x1774
ffff808c`d8b257f0 fffff806`59e592ac : 00000000`00000001 00000000`8001e018 ffffd702`f6452a50 00000000`00000000 : nt!IofCallDriver+0x55
ffff808c`d8b25830 fffff806`59e58f03 : ffffd702`00000000 ffff808c`d8b25b80 00000000`00010000 00000000`8001e018 : nt!IopSynchronousServiceTail+0x34c
ffff808c`d8b258d0 fffff806`59e581d6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xd13
ffff808c`d8b25a20 fffff806`59c25235 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`0014edb8 : nt!NtDeviceIoControlFile+0x56
ffff808c`d8b25a90 00007ffa`f510d0c4 : 00007ffa`f2b2591b 00000002`0000000c 00007ffa`f50c0101 0000e0ce`49b81c36 : nt!KiSystemServiceCopyEnd+0x25
00000000`0014fdc8 00007ffa`f2b2591b : 00000002`0000000c 00007ffa`f50c0101 0000e0ce`49b81c36 00007ffa`f2fd5985 : ntdll!NtDeviceIoControlFile+0x14
00000000`0014fdd0 00007ffa`f3295921 : 00000000`8001e018 00000000`00000000 00000000`0014fe60 00007ffa`00000000 : KERNELBASE!DeviceIoControl+0x6b
00000000`0014fe40 00007ff7`bdac10fc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!DeviceIoControlImplementation+0x81
00000000`0014fe90 00007ff7`bdac1350 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : poc!main+0x8c
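The missing check, shown as an added defender-side illustration in portable C (a model written for this advisory, not the vendor's driver code). IOCTL 0x8001E018 has method bits 0 (METHOD_BUFFERED), so when the caller supplies no input the I/O manager hands the driver a NULL SystemBuffer; a handler that reads the first DWORD without first validating InputBufferLength faults the way the `cmp dword ptr [rsi],1` with rsi == 0 in the dump above does. The MockIrp struct is a constructed stand-in for the relevant IRP / IO_STACK_LOCATION fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for what a buffered-IOCTL handler reads from
 * Irp->AssociatedIrp.SystemBuffer and the current IO_STACK_LOCATION. */
typedef struct {
    uint32_t io_control_code;
    void    *system_buffer;        /* NULL when both buffer lengths are 0 */
    uint32_t input_buffer_length;
    uint32_t output_buffer_length;
} MockIrp;

/* NTSTATUS values as defined in ntstatus.h; METHOD_BUFFERED is 0 in the
 * low two bits of every control code. */
#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define STATUS_BUFFER_TOO_SMALL   0xC0000023u
#define METHOD_BUFFERED           0u
#define IOCTL_FROM_ADVISORY       0x8001E018u

uint32_t ioctl_method(uint32_t code) { return code & 3u; }

/* Vulnerable shape: trusts SystemBuffer and dereferences it directly.
 * With an empty input buffer this reads address 0, as in the crash dump. */
uint32_t handle_unchecked(const MockIrp *irp) {
    const uint32_t *in = (const uint32_t *)irp->system_buffer;
    return (*in == 1) ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
}

/* Hardened shape: reject the request before touching the buffer unless the
 * method is the one expected and the input is long enough to hold a DWORD. */
uint32_t handle_checked(const MockIrp *irp) {
    if (ioctl_method(irp->io_control_code) != METHOD_BUFFERED)
        return STATUS_INVALID_PARAMETER;
    if (irp->system_buffer == NULL || irp->input_buffer_length < sizeof(uint32_t))
        return STATUS_BUFFER_TOO_SMALL;
    const uint32_t *in = (const uint32_t *)irp->system_buffer;
    return (*in == 1) ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
}

int main(void) {
    MockIrp empty = { IOCTL_FROM_ADVISORY, NULL, 0, 0 };   /* caller passed no input */
    uint32_t one = 1;
    MockIrp ok = { IOCTL_FROM_ADVISORY, &one, sizeof one, 0 };
    printf("empty input -> 0x%08X\n", handle_checked(&empty)); /* STATUS_BUFFER_TOO_SMALL */
    printf("valid input -> 0x%08X\n", handle_checked(&ok));    /* STATUS_SUCCESS */
    return 0;
}
```

The length check addresses the crash itself; the "Everyone can open the device" half of the finding is a separate fix, normally done by creating the device object with a restrictive SDDL (for example via IoCreateDeviceSecure) so that unprivileged processes cannot reach the IOCTL handler at all.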