Macrium out of bounds read

See all Vulnerability notices

Date: 09-10-2023

CVE NUMBER

CVE-2023-43896(1)

CVSS SCORE

8.2 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

SUMMARY

The psmounterex.sys driver component of Macrium Reflect exposes two IOCTLs. One of these IOCTLs can be used to open a file and read in its contents which contents we control. The other IOCTL can be used to read from this allocation safely. However, by corrupting the driver state it is possible to read beyond the bounds of this allocation resulting in an out-of-bounds read vulnerability.

Impacted Versions

v8.1.7544 and before (bug has been present since at least 2019)

DETAILS

IOCTL 0xC99D28D6 in the psmounterex.sys driver allows the user to read out data from a file, that was loaded by the driver from disk, and output it to usermode. As the size of the allocation and the size for the read are disconnected from eachother and both are controlled by the user, we can create a small buffer and pass a big read size to read out of bounds.

Allocating a 0x3C sized buffer:



Setting the max amount of bytes to read value (has to be larger than the allocation):



Passing the size to read (which gets multiplied by 0x1E to which another 0x1E is added for a total of 600 bytes):



Confirming the memory state of the 0x3C sized allocation before it is read out to user-mode:



Output in user-mode:

TIMELINE

12-09-2023  - Vendor Disclosure
09-10-2023  - Vendor Patch Release
09-10-2023  - Public Release

REFERENCE

Fixed in version v8.1.7675: http://updates.macrium.com/reflect/v8/v8.1.7675/details8.1.7675.htm

CREDIT

Discovered by Alex Oudenaarden of Northwave Cyber Security