Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Hangzhou Shunwang Rentdrv2 EDR Bypass Vulnerability via DeviceIoControl
Vulnerability
A vulnerability in the Hangzhou Shunwang Rentdrv2 driver, in versions released before December 24, 2024, allows local users to terminate Endpoint Detection and Response (EDR) processes and potentially cause unspecified additional impact. The driver exposes an IOCTL with control code 0x22E010 that a user-mode caller reaches with DeviceIoControl; it terminates the process identified by the PID the caller supplies, including protected security processes. The flaw has been exploited in the wild to kill antivirus and EDR products, including Windows Defender, Kaspersky, and others.
Impact
Exploitation of this vulnerability terminates EDR and antivirus processes, leaving the host without detection or response while the attacker continues. Follow-on activity such as executing payloads or disabling and removing other protective measures can then proceed unobserved.
Reproduction
The vulnerability can be reproduced by building a 32-bit (x86) user-mode tool that opens the Rentdrv2 device and issues the IOCTL. With the driver loaded, the tool is run from an elevated command prompt and given the PID of the EDR process to terminate. The public proof of concept in the BadRentdrv2 GitHub repository implements this and additionally supports terminating a process by its name or by the name of its parent process.
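The control code carries more information than a bare number suggests. As an added example (not code from the advisory or the BadRentdrv2 project), the C program below decodes 0x22E010 with the Windows CTL_CODE field layout, showing it is a vendor-defined function (0x804) on the generic FILE_DEVICE_UNKNOWN device type, using METHOD_BUFFERED and requiring a handle opened with both read and write access. On Windows only it also shows the generic CreateFile/DeviceIoControl sequence such a tool uses to reach the driver; the device path and input buffer layout are left to the caller as assumptions because the advisory does not document them. The decoding part compiles and runs on any platform.

```c
/*
 * Added example, not code from the advisory or from the BadRentdrv2
 * repository. Portable part: decode the IOCTL 0x22E010 into the CTL_CODE
 * fields Windows uses (DeviceType, RequiredAccess, Function, Method).
 * Windows-only part: the generic CreateFile/DeviceIoControl sequence a
 * user-mode tool uses to reach a driver. The device path and the input
 * buffer layout are caller-supplied assumptions; the advisory does not
 * document them.
 */
#include <stdint.h>
#include <stdio.h>

/* Field layout of a Windows I/O control code (winioctl.h CTL_CODE):
 *   bits 31..16 DeviceType | 15..14 RequiredAccess | 13..2 Function | 1..0 Method */
#define CTL_CODE_PORTABLE(dev, func, method, access)                   \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) |            \
     ((uint32_t)(func) << 2) | (uint32_t)(method))

#define RENTDRV2_KILL_IOCTL 0x22E010u   /* control code named in the advisory */

typedef struct {
    uint32_t device_type;   /* 0x22 = FILE_DEVICE_UNKNOWN, generic type used by third-party drivers */
    uint32_t access;        /* bit0 FILE_READ_ACCESS, bit1 FILE_WRITE_ACCESS */
    uint32_t function;      /* 12-bit function number; >= 0x800 is vendor-defined */
    uint32_t method;        /* 0 METHOD_BUFFERED, 1 IN_DIRECT, 2 OUT_DIRECT, 3 NEITHER */
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2) & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Rebuild the code from its fields; equals the input when the decode is right. */
uint32_t rebuild_ioctl(ioctl_fields f) {
    return CTL_CODE_PORTABLE(f.device_type, f.function, f.method, f.access);
}

/* Function numbers below 0x800 are reserved for Microsoft; a custom
 * number on FILE_DEVICE_UNKNOWN is the signature of a vendor IOCTL. */
int is_vendor_defined(uint32_t code) {
    ioctl_fields f = decode_ioctl(code);
    return f.function >= 0x800u;
}

#ifdef _WIN32
#include <windows.h>
/* Generic user-mode dispatch as a PoC tool performs it: open the driver's
 * device object, send the control code with an input buffer, close the
 * handle. The handle must be opened with read and write access because the
 * code's RequiredAccess field is 3; the I/O manager rejects the request
 * otherwise. The driver must already be loaded, which needs administrator
 * rights. Returns 0 on success or the Win32 error code. */
DWORD send_ioctl(const wchar_t *device_path, DWORD code,
                 const void *in_buf, DWORD in_len) {
    HANDLE h = CreateFileW(device_path, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return GetLastError();
    DWORD returned = 0;
    BOOL ok = DeviceIoControl(h, code, (LPVOID)in_buf, in_len,
                              NULL, 0, &returned, NULL);
    DWORD err = ok ? 0 : GetLastError();
    CloseHandle(h);
    return err;
}
#endif

int main(void) {
    ioctl_fields f = decode_ioctl(RENTDRV2_KILL_IOCTL);
    printf("0x%06X: DeviceType=0x%02X Access=%u Function=0x%03X Method=%u vendor_defined=%d\n",
           RENTDRV2_KILL_IOCTL, f.device_type, f.access, f.function, f.method,
           is_vendor_defined(RENTDRV2_KILL_IOCTL));
    printf("round-trip ok: %d\n", rebuild_ioctl(f) == RENTDRV2_KILL_IOCTL);
    return 0;
}
```

For detection work the decoded fields matter in two ways: a custom function number on FILE_DEVICE_UNKNOWN is what a filter-driver or ETW-based rule can key on once the Rentdrv2 device is open, and the read/write RequiredAccess means any caller must first obtain a GENERIC_READ | GENERIC_WRITE handle to the device. Since the IOCTL number is only meaningful after the driver is loaded, the earlier and higher-value telemetry is the service installation and driver load themselves.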
Remediation
Users are advised to update to the version of Rentdrv2 released on December 24, 2024, or later. Updating alone does not protect hosts that never ran the software: in bring-your-own-vulnerable-driver attacks the attacker drops and loads an older vulnerable build, so defenders should also prevent those versions from loading, for example with a Windows Defender Application Control policy that denies them by file hash, and should alert on installation of the Rentdrv2 driver service on systems where it is not expected.
