8.2 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
The psmounterex.sys driver component of Macrium Reflect exposes two IOCTLs. One of these IOCTLs can be used to open a file and read in its contents which contents we control. The other IOCTL can be used to read from this allocation safely. However, by corrupting the driver state it is possible to read beyond the bounds of this allocation resulting in an out-of-bounds read vulnerability.
v8.1.7544 and before (bug has been present since at least 2019)
IOCTL 0xC99D28D6 in the psmounterex.sys driver allows the user to read out data from a file, that was loaded by the driver from disk, and output it to usermode. As the size of the allocation and the size for the read are disconnected from eachother and both are controlled by the user, we can create a small buffer and pass a big read size to read out of bounds.
Allocating a 0x3C sized buffer:
Setting the max amount of bytes to read value (has to be larger than the allocation):
Passing the size to read (which gets multiplied by 0x1E to which another 0x1E is added for a total of 600 bytes):
Confirming the memory state of the 0x3C sized allocation before it is read out to user-mode:
Output in user-mode:
12-09-2023 - Vendor Disclosure
09-10-2023 - Vendor Patch Release
09-10-2023 - Public Release
Fixed in version v8.1.7675: http://updates.macrium.com/reflect/v8/v8.1.7675/details8.1.7675.htm
Discovered by Alex Oudenaarden of Northwave Cyber Security
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.