Skip to content
arrow-alt-circle-up icon

Cyber Incident?

arrow-alt-circle-up icon

Call 00800 1744 0000

arrow-alt-circle-up icon

 

See all Vulnerability notices

Date: 09-10-2023

CVE NUMBER

CVE-2023-43896(1)

CVSS SCORE

8.2 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

SUMMARY

The psmounterex.sys driver component of Macrium Reflect exposes two IOCTLs. One of these IOCTLs can be used to open a file and read in its contents which contents we control. The other IOCTL can be used to read from this allocation safely. However, by corrupting the driver state it is possible to read beyond the bounds of this allocation resulting in an out-of-bounds read vulnerability.

Impacted Versions

v8.1.7544 and before (bug has been present since at least 2019)

DETAILS

IOCTL 0xC99D28D6 in the psmounterex.sys driver allows the user to read out data from a file, that was loaded by the driver from disk, and output it to usermode. As the size of the allocation and the size for the read are disconnected from eachother and both are controlled by the user, we can create a small buffer and pass a big read size to read out of bounds.

Allocating a 0x3C sized buffer:

cba07beb5c38ca4690fdb7f92817d59e

Setting the max amount of bytes to read value (has to be larger than the allocation):

ad9f7b02ca56c8233209d5c94d894559

Passing the size to read (which gets multiplied by 0x1E to which another 0x1E is added for a total of 600 bytes):

f113d60b10a025b50efd3262222eb5cf

Confirming the memory state of the 0x3C sized allocation before it is read out to user-mode:

2d02cc83e8ed683dbfbdd64198542c11

Output in user-mode:

83aacc93187f62f917c933afdc5f82ec

TIMELINE

12-09-2023  - Vendor Disclosure
09-10-2023  - Vendor Patch Release
09-10-2023  - Public Release

REFERENCE

Fixed in version v8.1.7675: http://updates.macrium.com/reflect/v8/v8.1.7675/details8.1.7675.htm

CREDIT

Discovered by Alex Oudenaarden of Northwave Cyber Security


Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.