IOBit Uninstaller DoS Vulnerability

Basic Info

Vendor: IOBit

Software:

Vulnerable Component:

Vuln Type: Null Pointer Dereference

Description:

IUProcessFilter.sys allows all users in the Everyone group to interact with it. When processing IOCTL 0x8001E000, it does not check the address of the input buffer, so an attacker with low privileges can trigger this vulnerability and cause a BSOD on the Windows system.
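Added example, not part of the original advisory and not IOBit's code: a user-mode C model that decodes the IOCTL code named above (and 0x8001e004, the value visible in the stack trace below) into its CTL_CODE fields, and shows the pointer and length check a dispatch routine should make before reading its input buffer. The `ioctl_request` struct, `validate_request`, and the 4-byte minimum length are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fields that the Windows CTL_CODE macro packs into a 32-bit IOCTL code. */
typedef struct {
    uint32_t device_type; /* bits 31..16 */
    uint32_t access;      /* bits 15..14: 1 = read, 2 = write, 3 = both */
    uint32_t function;    /* bits 13..2 */
    uint32_t method;      /* bits 1..0: 0 = METHOD_BUFFERED, 3 = METHOD_NEITHER */
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Hypothetical model of what a dispatch routine receives from the caller. */
typedef struct {
    const unsigned char *input; /* may be NULL */
    size_t input_len;
} ioctl_request;

enum { REQ_OK = 0, REQ_INVALID_PARAMETER = -1 };

/* Reject the request before any byte of the input buffer is read.
   min_len is an assumed minimum size for the handler's input structure. */
int validate_request(const ioctl_request *r, size_t min_len) {
    if (r == NULL || r->input == NULL)
        return REQ_INVALID_PARAMETER;
    if (r->input_len < min_len)
        return REQ_INVALID_PARAMETER;
    return REQ_OK;
}

int main(void) {
    const uint32_t codes[] = { 0x8001E000u, 0x8001E004u };
    for (size_t i = 0; i < 2; i++) {
        ioctl_fields f = decode_ioctl(codes[i]);
        printf("0x%08X: type=0x%X access=%u function=0x%X method=%u\n",
               (unsigned)codes[i], (unsigned)f.device_type, (unsigned)f.access,
               (unsigned)f.function, (unsigned)f.method);
    }
    ioctl_request empty = { NULL, 0 }; /* constructed: caller sent no input */
    printf("empty request -> %d\n", validate_request(&empty, 4));
    return 0;
}
```

Both codes decode to METHOD_BUFFERED with read and write access required. In a real driver the equivalent checks belong at the top of the IRP_MJ_DEVICE_CONTROL handler, failing the request with STATUS_INVALID_PARAMETER.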

Proof Of Concept

Test OS Version: Windows 10, 19041.vb_release.191206-1406

  1. Click poc.exe to trigger this issue.
  2. This causes a BSOD of the Windows system.

CONTEXT:  ffff808cd8d8bd90 -- (.cxr 0xffff808cd8d8bd90)
rax=ffffd702f40a97b0 rbx=0000000000000000 rcx=ffff808cd8d8c7fb
rdx=00007f7327273808 rsi=0000000000000000 rdi=ffffd702f40a96e0
rip=fffff80674391fa3 rsp=ffff808cd8d8c798 rbp=0000000000000000
 r8=0000000000000004  r9=ffffd702f3e36b80 r10=fffff806743913b8
r11=ffff808cd8d8c7f8 r12=0000000000000000 r13=ffffd702f3e36b80
r14=0000000000000001 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050282
IUProcessFilter+0x1fa3:
fffff806`74391fa3 8a040a          mov     al,byte ptr [rdx+rcx] ds:002b:00000000`00000003=??
Resetting default scope

STACK_TEXT:
ffff808c`d8d8c798 fffff806`743914dd : 00000000`00000001 fffff806`59e5a2c1 ffff0690`9aaa3316 00000000`00000000 : IUProcessFilter+0x1fa3
ffff808c`d8d8c7a0 fffff806`59a49cf5 : 00000000`00000002 00000000`00000000 00000000`00000000 00000000`00000000 : IUProcessFilter+0x14dd
ffff808c`d7c227f0 fffff806`59e592ac : 00000000`00000001 00000000`8001e004 ffffd702`f4c1e590 00000000`00000000 : nt!IofCallDriver+0x55
ffff808c`d7c22830 fffff806`59e58f03 : ffffd702`00000000 ffff808c`d7c22b80 00000000`00010000 00000000`8001e004 : nt!NtDeviceIoControlFile+0x112c
ffff808c`d7c228d0 fffff806`59e581d6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0xd83
ffff808c`d7c22a20 fffff806`59c25235 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`0014edb8 : nt!NtDeviceIoControlFile+0x56
ffff808c`d7c22a90 00007ffa`f510d0c4 : 00007ffa`f2b2591b 00000002`0000000c 00007ffa`f50c0101 0000857a`c02ddca3 : nt!setjmpex+0x83f5
00000000`0014fdc8 00007ffa`f2b2591b : 00000002`0000000c 00007ffa`f50c0101 0000857a`c02ddca3 00007ffa`f2fd5985 : ntdll!NtDeviceIoControlFile+0x14
00000000`0014fdd0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!DeviceIoControl+0x6b

Attachment

IUProcessFilter.sys