Allele Security Alert
ASA-2018-00095
Identifier(s)
ASA-2018-00095, CORE-2017-0012, CVE-2018-18537
Title
Driver allows non-privileged user arbitrary ring0 write
Vendor(s)
ASUS
Product(s)
ASUS Aura Sync
Affected version(s)
ASUS Aura Sync v1.07.22 and previous versions
Fixed version(s)
Unknown
Proof of concept
Yes
Description
Multiple vulnerabilities were found in the GLCKIo and Asusgio drivers installed by ASUS Aura Sync, which could allow a local attacker to elevate privileges.
Technical details
A code path in the GLCKIo driver's handling of IOCTL_GLCKIO_READPORT (0x80102050) leads to a write of an arbitrary DWORD to an arbitrary address.
.text:FFFFF800B09F13FE loc_FFFFF800B09F13FE:
.text:FFFFF800B09F13FE                 mov     rax, [rsp+0C8h+var_38] ; CONTROLLED VALUE
.text:FFFFF800B09F1406                 mov     ecx, [rsp+0C8h+var_56] ; CONTROLLED VALUE
.text:FFFFF800B09F140A                 mov     [rax], ecx             ; Arbitrary DWORD sized write!
.text:FFFFF800B09F140C                 mov     rax, [rsp+0C8h+Irp]
.text:FFFFF800B09F1414                 mov     qword ptr [rax+38h], 4
.text:FFFFF800B09F141C                 jmp     short loc_FFFFF800B09F142D
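A user-mode C model of a hardened handler for this request, as an added example that is not from the advisory or the vendor's driver: it decodes the IOCTL code given above and returns the result through the buffered-I/O system buffer instead of a caller-supplied pointer. The mock_irp and readport_req layouts and read_port_stub are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define STATUS_BUFFER_TOO_SMALL   0xC0000023u

/* CTL_CODE field extraction, following the layout in the Windows DDK headers. */
#define IOCTL_DEVICE(c)   (((c) >> 16) & 0xFFFFu)
#define IOCTL_ACCESS(c)   (((c) >> 14) & 0x3u)   /* 0 = FILE_ANY_ACCESS */
#define IOCTL_FUNCTION(c) (((c) >> 2) & 0xFFFu)
#define IOCTL_METHOD(c)   ((c) & 0x3u)           /* 0 = METHOD_BUFFERED */

#define IOCTL_GLCKIO_READPORT 0x80102050u        /* value from the advisory */

/* Hypothetical stand-in for the IRP and its stack location (not WDK types). */
struct mock_irp {
    void    *system_buffer;   /* kernel copy shared by input and output */
    uint32_t in_len, out_len; /* lengths supplied by the caller */
    uint64_t information;     /* bytes reported back to the caller */
};

struct readport_req { uint16_t port; };          /* assumed input layout */

/* Stub for the port read; a real driver would use a port I/O intrinsic. */
static uint32_t read_port_stub(uint16_t port) { return 0xA5000000u | port; }

/* Validates both lengths and writes only into the system buffer, so no
 * caller-controlled address is ever dereferenced. */
uint32_t readport_hardened(struct mock_irp *irp)
{
    irp->information = 0;
    if (irp->system_buffer == NULL || irp->in_len < sizeof(struct readport_req))
        return STATUS_INVALID_PARAMETER;
    if (irp->out_len < sizeof(uint32_t))
        return STATUS_BUFFER_TOO_SMALL;

    struct readport_req req;
    memcpy(&req, irp->system_buffer, sizeof req);   /* capture input once */
    uint32_t value = read_port_stub(req.port);
    memcpy(irp->system_buffer, &value, sizeof value);
    irp->information = sizeof value;  /* 4, as the listing stores at Irp+38h */
    return STATUS_SUCCESS;
}
```

The code decodes to METHOD_BUFFERED with FILE_ANY_ACCESS, so the I/O manager performs no access check on the handle for this request; restricting who may open the device is a separate control on the device object.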
Credits
Diego Juarez (SecureAuth) and Leandro Cuozzo (SecureAuth)
Reference(s)
ASUS Drivers Elevation of Privilege Vulnerabilities
https://www.secureauth.com/labs/advisories/asus-drivers-elevation-privilege-vulnerabilities
[CORE-2017-0012] – ASUS Drivers Elevation of Privilege Vulnerabilities
https://seclists.org/fulldisclosure/2018/Dec/34
CVE-2018-18537
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18537
CVE-2018-18537
https://nvd.nist.gov/vuln/detail/CVE-2018-18537
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 3, 2019