ASA-2018-00095 – ASUS: Driver allows non-privileged user arbitrary ring0 write


Allele Security Alert

ASA-2018-00095

Identifier(s)

ASA-2018-00095, CORE-2017-0012, CVE-2018-18537

Title

Driver allows non-privileged user arbitrary ring0 write

Vendor(s)

ASUS

Product(s)

ASUS Aura Sync

Affected version(s)

ASUS Aura Sync v1.07.22 and previous versions

Fixed version(s)

Unknown

Proof of concept

Yes

Description

Multiple vulnerabilities were found in the GLCKIo and Asusgio drivers installed by ASUS Aura Sync, which could allow a local attacker to elevate privileges.

Technical details

A code path in the GLCKIo driver's processing of IOCTL_GLCKIO_READPORT (0x80102050) leads to a write of an arbitrary DWORD to an arbitrary address.

.text:FFFFF800B09F13FE loc_FFFFF800B09F13FE:
.text:FFFFF800B09F13FE mov rax, [rsp+0C8h+var_38] ; CONTROLLED VALUE
.text:FFFFF800B09F1406 mov ecx, [rsp+0C8h+var_56] ; CONTROLLED VALUE
.text:FFFFF800B09F140A mov [rax], ecx ; Arbitrary DWORD sized write!
.text:FFFFF800B09F140C mov rax, [rsp+0C8h+Irp]
.text:FFFFF800B09F1414 mov qword ptr [rax+38h], 4
.text:FFFFF800B09F141C jmp short loc_FFFFF800B09F142D
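
The store pattern in the listing above, modelled in user space next to a length-checked handler that never dereferences a pointer taken from request data. This is an added example, not code from ASUS, SecureAuth or this alert: the request layout, struct names and function names are hypothetical, and it assumes the DWORD is returned through the system buffer (the low two bits of 0x80102050 encode METHOD_BUFFERED).

```c
/* User-space model, not driver code. Layouts and names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed request layout; the advisory does not document the real one. */
typedef struct {
    uint32_t *dest;   /* caller-supplied pointer (var_38 in the listing) */
    uint32_t  value;  /* caller-supplied DWORD (var_56 in the listing) */
} port_req;

/* Stand-in for the IRP fields a buffered IOCTL handler works with. */
typedef struct {
    void  *system_buffer;  /* kernel-owned copy of the caller's buffer */
    size_t in_len, out_len;
    size_t information;    /* byte count reported back to the caller */
} model_irp;

/* Pattern in the listing: store through a pointer taken from request data. */
int handle_unsafe(model_irp *irp) {
    port_req r;
    memcpy(&r, irp->system_buffer, sizeof r);
    *r.dest = r.value;               /* mov [rax], ecx */
    irp->information = 4;
    return 0;
}

/* Hardened: check both lengths, return the DWORD only via the I/O buffer. */
int handle_checked(model_irp *irp) {
    port_req r;
    irp->information = 0;
    if (irp->in_len < sizeof r || irp->out_len < sizeof r.value)
        return -1;                   /* reject short buffers */
    memcpy(&r, irp->system_buffer, sizeof r);
    memcpy(irp->system_buffer, &r.value, sizeof r.value);  /* r.dest unused */
    irp->information = sizeof r.value;
    return 0;
}

int main(void) {
    uint32_t unrelated = 0x11111111;  /* memory the request should not reach */
    port_req req = { &unrelated, 0xAABBCCDD };
    model_irp irp = { &req, sizeof req, sizeof req, 0 };
    handle_checked(&irp);
    printf("unrelated after checked handler: 0x%08X\n", (unsigned)unrelated);
    return 0;
}
```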

Credits

Diego Juarez (SecureAuth) and Leandro Cuozzo (SecureAuth)

Reference(s)

ASUS Drivers Elevation of Privilege Vulnerabilities
https://www.secureauth.com/labs/advisories/asus-drivers-elevation-privilege-vulnerabilities

[CORE-2017-0012] – ASUS Drivers Elevation of Privilege Vulnerabilities
https://seclists.org/fulldisclosure/2018/Dec/34

CVE-2018-18537
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18537

CVE-2018-18537
https://nvd.nist.gov/vuln/detail/CVE-2018-18537

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 3, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.