9.3 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Inside the IRP_MJ_READ handler of the psmounterex.sys driver of Macrium Reflect exists an out-of-bounds write vulnerability. Abusing this vulnerability could lead to corruption of the kernel heap and potentially complete loss of integrity of the system.
v8.1.7544 and before (bug has been present since at least 2019)
The driver allows us to set the size for an allocation that is later used to read in a file from disk. We control which file is read from disk. If the file size exceeds the size of the allocation, the file's contents are written beyond the boundary of the allocation.
Setting the allocation size to 0x10, receiving back a pointer to that allocation:
Creating the following file on disk:
Then having the driver read from the file, we can see the A's extend beyond the 0x10 byte buffer:
12-09-2023 - Vendor Disclosure
09-10-2023 - Vendor Patch Release
09-10-2023 - Public Release
Fixed in version v8.1.7675: http://updates.macrium.com/reflect/v8/v8.1.7675/details8.1.7675.htm
Discovered by Alex Oudenaarden of Northwave Cyber Security
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.