[MSI][Dragon Center][NTIOLib_X64][0xC3506104][MmMapIoSpace][DOS]

MSI Dragon Center DOS Vulnerability

Basic Info

Vendor: MSI

Software：

Name: MSI Dragon Center
Version: 2.0.146.0
Download Page: https://www.msi.com/Landing/dragon-center-download/nb
Download Link: https://download.msi.com/uti_exe/common/Dragon-Center.zip
SHA1 of Dragon Center_2.0.146.0.exe: 56b7e785ee4f20aa2be4cbbe16988ee434ca8a19

Vulnerable Componenent:

File: NTIOLib_X64.sys
File Version: 3.0.0.10
SHA1 of NTIOLib_X64.sys: b8b13ebb2caea63e48d9c9e515bed16ee73262f1

Vuln Type: Null Pointer Dereference

Description:

NTIOLib_X64.sys allows all users in Everyone Group to interact with it. When process IOCTL 0xC3506140, it doen't check the return value of MmMapIoSpace, then calls MmUnMapIoSpace directly with the return value of MmMapIoSpace. If MmMapIoSpace returns with NULL, call MmUnMapIoSpace with parameter address zero (NULL) will cause a BSOD in Windows System.

Analyse

In Line 48, it call MmMapIoSpace, when it failed to MmMapIoSpace, the value of v12 will be NULL

It call MmUnmapIoSpace at line 79, if v12 is null, it will cause a BSOD.