CPUID CPU-Z Driver Kernel-Mode Arbitrary Code Execution Vulnerability

Vulnerability

A vulnerability allowing kernel-mode arbitrary code execution has been identified in the CPUID CPU-Z driver, version 1.0.5.4. The driver's DeviceIoControl handler does not validate the parameters of the I/O control codes 0x9C402440 and 0x9C402444, which expose the RDMSR and WRMSR instructions to the calling process with a caller-chosen MSR index and value. Exploitation writes the MSR_LSTAR model-specific register (the 64-bit SYSCALL entry point, which normally holds the address of KiSystemCall64) so that system call entry is redirected to an attacker-chosen address, then runs a Return-Oriented Programming (ROP) chain that disables Supervisor Mode Execution Prevention (SMEP, the CR4 control that stops ring 0 from executing user-mode pages) and executes a user-mode syscall handler in the kernel context. The issue has not been confirmed on 32-bit Windows; it works on 64-bit Windows systems where core isolation (Memory integrity / HVCI) is disabled or not present, since with it enabled the hypervisor protects CR4 and critical MSRs such as LSTAR from this kind of modification.

Impact

Exploitation of this vulnerability gives a user-mode process that can open the driver's device arbitrary code execution in kernel mode (ring 0). That amounts to full system compromise: code running at that level can read or modify any memory, tamper with security software and kernel protections, and bypass every access control the operating system enforces.

Reproduction

The vulnerability can be reproduced by sending DeviceIoControl requests to the CPUID CPU-Z driver with the unvalidated control codes 0x9C402440 and 0x9C402444. The first code executes RDMSR on a caller-supplied MSR index; reading MSR_LSTAR (0xC0000082) returns the address of KiSystemCall64, which also reveals the location of the kernel image and so defeats kernel ASLR. The second code executes WRMSR with a caller-supplied index and value; writing MSR_LSTAR replaces the KiSystemCall64 address with the address of a gadget, so the next SYSCALL instruction enters attacker-controlled code instead of the normal system call dispatcher. From that gadget a ROP chain disables SMEP and transfers control to a user-mode syscall handler running in the kernel context. Two practical caveats: MSR_LSTAR is per logical processor, so the write only hooks the core that executed the IOCTL (a reliable exploit pins its thread to that core or repeats the write on every core), and the original value must be restored afterwards or any other system call on that core will crash the machine.
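As an added example (not code from CPUID or from this advisory), the following C program models the unvalidated MSR dispatch the advisory describes next to a hardened form, decodes the two control codes into their CTL_CODE fields, and runs the first two steps of the described technique (leak MSR_LSTAR, then overwrite it) against both handlers. The request layout, status values, handler names, the allowlist and all register contents are assumptions made for the illustration; the MSRs live in an in-memory table so the program runs outside Windows, where the real driver would execute RDMSR/WRMSR.

```c
/* Added example; not CPUID's driver code. A user-space model of the MSR IOCTL
 * dispatch described in the advisory, in its unvalidated form and a hardened
 * form, plus a decoder for the two control codes. The MSR "hardware" is an
 * in-memory table so the program runs anywhere. Request layout, status codes,
 * handler names, the allowlist and register values are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define IOCTL_RDMSR 0x9C402440u  /* control code from the advisory: read MSR  */
#define IOCTL_WRMSR 0x9C402444u  /* control code from the advisory: write MSR */
#define MSR_LSTAR   0xC0000082u  /* IA32_LSTAR: 64-bit SYSCALL entry point    */

/* Windows CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method */
typedef struct { uint32_t device_type, access, function, method; } ioctl_fields;

static ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 3;     /* 0 == FILE_ANY_ACCESS */
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 3;             /* 0 == METHOD_BUFFERED */
    return f;
}

enum { STATUS_SUCCESS = 0, STATUS_ACCESS_DENIED = 1, STATUS_INVALID_PARAMETER = 2 };

/* Assumed buffer layout: MSR index in; 64-bit value in (write) or out (read). */
typedef struct { uint32_t msr; uint64_t value; } msr_request;
typedef int (*ioctl_dispatch)(uint32_t code, msr_request *req);

/* Simulated registers (constructed values). The LSTAR entry stands in for the
 * KiSystemCall64 address the first IOCTL leaks; the other two are the kind of
 * status MSRs a hardware monitor legitimately reads. */
static struct { uint32_t msr; uint64_t value; } msr_table[] = {
    { MSR_LSTAR, 0xFFFFF80000401000ull },
    { 0x1B,      0xFEE00D00ull },         /* IA32_APIC_BASE    */
    { 0x19C,     0x884D0000ull },         /* IA32_THERM_STATUS */
};

static uint64_t *msr_slot(uint32_t msr) {
    for (size_t i = 0; i < sizeof msr_table / sizeof msr_table[0]; i++)
        if (msr_table[i].msr == msr) return &msr_table[i].value;
    return NULL;  /* on real hardware an unimplemented MSR raises #GP: a BSOD */
}

/* Model of the reported behaviour: the caller's index and value go straight
 * to RDMSR/WRMSR, so any MSR, LSTAR included, can be read or overwritten. */
static int vulnerable_dispatch(uint32_t code, msr_request *req) {
    uint64_t *slot = msr_slot(req->msr);
    if (!slot) return STATUS_INVALID_PARAMETER;
    if (code == IOCTL_RDMSR) { req->value = *slot; return STATUS_SUCCESS; }
    if (code == IOCTL_WRMSR) { *slot = req->value; return STATUS_SUCCESS; }
    return STATUS_INVALID_PARAMETER;
}

/* Hardened form: only an allowlist of read-only status MSRs is reachable and
 * there is no write path at all, so control MSRs such as LSTAR stay off
 * limits. (Restricting who may open the device is a separate control.) */
static const uint32_t readable_msrs[] = { 0x19C, 0x1B };

static int hardened_dispatch(uint32_t code, msr_request *req) {
    if (code == IOCTL_WRMSR) return STATUS_ACCESS_DENIED;
    if (code != IOCTL_RDMSR) return STATUS_INVALID_PARAMETER;
    for (size_t i = 0; i < sizeof readable_msrs / sizeof readable_msrs[0]; i++) {
        if (readable_msrs[i] != req->msr) continue;
        uint64_t *slot = msr_slot(req->msr);
        if (!slot) return STATUS_INVALID_PARAMETER;
        req->value = *slot;
        return STATUS_SUCCESS;
    }
    return STATUS_ACCESS_DENIED;
}

/* Reads one MSR through a dispatch routine; returns 0 when the read is refused. */
static uint64_t read_msr_via(ioctl_dispatch dispatch, uint32_t msr) {
    msr_request req = { msr, 0 };
    return dispatch(IOCTL_RDMSR, &req) == STATUS_SUCCESS ? req.value : 0;
}

/* The advisory's first two steps against a dispatch routine: leak LSTAR with
 * IOCTL_RDMSR, then try to replace it with IOCTL_WRMSR. Returns 1 if the
 * syscall entry point was redirected. The fake gadget address is a stand-in;
 * a real exploit would point LSTAR at the first gadget of its ROP chain. */
static int lstar_hijack_succeeds(ioctl_dispatch dispatch) {
    const uint64_t fake_gadget = 0x4141414141414141ull;
    msr_request req = { MSR_LSTAR, 0 };
    if (dispatch(IOCTL_RDMSR, &req) != STATUS_SUCCESS) return 0;
    uint64_t original = req.value;         /* also a KASLR leak: KiSystemCall64 */
    req.value = fake_gadget;
    if (dispatch(IOCTL_WRMSR, &req) != STATUS_SUCCESS) return 0;
    int hijacked = read_msr_via(dispatch, MSR_LSTAR) == fake_gadget;
    *msr_slot(MSR_LSTAR) = original;       /* put the simulated register back */
    return hijacked;
}

int main(void) {
    ioctl_fields f = decode_ioctl(IOCTL_RDMSR);
    printf("0x%08X: type 0x%X func 0x%X method %u access %u (FILE_ANY_ACCESS)\n",
           (unsigned)IOCTL_RDMSR, (unsigned)f.device_type, (unsigned)f.function,
           (unsigned)f.method, (unsigned)f.access);
    printf("LSTAR via vulnerable handler: 0x%llx\n",
           (unsigned long long)read_msr_via(vulnerable_dispatch, MSR_LSTAR));
    printf("hijack vs vulnerable: %d, vs hardened: %d\n",
           lstar_hijack_succeeds(vulnerable_dispatch),
           lstar_hijack_succeeds(hardened_dispatch));
    return 0;
}
```

Decoding the codes shows both use METHOD_BUFFERED and FILE_ANY_ACCESS, so the handler's own parameter checks (or the device object's DACL) are the only things between a caller and the MSR. The hardened model therefore removes the write path entirely and allowlists the few status MSRs a monitoring tool actually needs; against it the LSTAR read is refused before any write can be attempted.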

Added: Aug 5, 2025, 6:39 PM
Updated: Aug 5, 2025, 9:42 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 7.5
exploitability: 4.6
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.