TechPowerUp GPU-Z
cpe:2.3:a:techpowerup:gpu-z:*:*:*:*:*:*:*
- 2.23.0
A kernel memory leak vulnerability has been identified in TechPowerUp GPU-Z versions prior to 2.23.0. The issue resides in the GPU-Z.sys driver, specifically within the 0x8000645C IOCTL handler. This vulnerability allows low-privileged users to leak kernel memory by sending crafted IOCTL requests, potentially exposing sensitive kernel-space data. The vulnerability can be exploited locally.
Exploitation of this vulnerability leads to a kernel memory leak, giving attackers access to memory contents that may include sensitive data such as pointers, credentials, or other system information. The leak also bypasses Kernel Address Space Layout Randomization (KASLR), which could aid further exploitation such as privilege escalation. The uncontrolled memory access could also disrupt system stability, potentially causing crashes.
The vulnerability can be reproduced from a user-mode application that opens a handle to the GPU-Z device and sends crafted requests with the 0x8000645C IOCTL to the GPU-Z.sys driver. After the IOCTL is processed, the response can be used to read leaked kernel memory, although the current proof of concept only demonstrates the memory mapping aspect.
Users are advised to update to TechPowerUp GPU-Z version 2.23.0 or later. For developers, it is recommended to implement strict validation and sanitization of IOCTL control codes in the GPU-Z.sys driver, validate and restrict physical memory mappings to non-sensitive regions, and require elevated privileges for critical IOCTL operations.
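The developer-side checks recommended above, modelled as portable C for the validation step an IOCTL handler would run before mapping physical memory. This is an added example, not code from GPU-Z.sys or TechPowerUp; the request layout, the allow-listed ranges and the `caller_is_admin` flag are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request layout; the real GPU-Z.sys structure is not on the page. */
typedef struct { uint64_t phys_addr, length; } map_request_t;
typedef struct { uint64_t base, size; } phys_range_t;
typedef enum { MAP_OK, MAP_ACCESS_DENIED, MAP_BAD_SIZE, MAP_BAD_RANGE } map_status_t;

/* Constructed allow-list. A real driver would fill this from the device's own
 * BARs as assigned by the PnP manager, never from caller-supplied values. */
static const phys_range_t k_allowed[] = {
    { 0xF0000000ull, 0x01000000ull },   /* sample MMIO BAR, 16 MiB */
    { 0xFE000000ull, 0x00040000ull },   /* sample register window, 256 KiB */
};

/* MAP_OK only if the caller is privileged and the whole span
 * [phys_addr, phys_addr + length) lies inside one allow-listed range. */
map_status_t validate_map_request(const void *in_buf, size_t in_len,
                                  bool caller_is_admin)
{
    map_request_t req;

    if (!caller_is_admin)
        return MAP_ACCESS_DENIED;            /* privilege gate first */
    if (in_buf == NULL || in_len != sizeof(req))
        return MAP_BAD_SIZE;                 /* exact input size only */
    memcpy(&req, in_buf, sizeof(req));       /* copy once: no double fetch */
    if (req.length == 0 || req.phys_addr + req.length < req.phys_addr)
        return MAP_BAD_RANGE;                /* empty or wrapping span */

    for (size_t i = 0; i < sizeof(k_allowed) / sizeof(k_allowed[0]); i++) {
        uint64_t lo = k_allowed[i].base;
        uint64_t hi = lo + k_allowed[i].size;            /* exclusive end */
        if (req.phys_addr >= lo && req.phys_addr + req.length <= hi)
            return MAP_OK;
    }
    return MAP_BAD_RANGE;                    /* default deny */
}

int main(void)
{
    map_request_t bar = { 0xF0001000ull, 0x1000ull };  /* inside sample BAR */
    map_request_t ram = { 0x00100000ull, 0x1000ull };  /* outside every range */
    printf("bar=%d ram=%d\n", (int)validate_map_request(&bar, sizeof bar, true),
           (int)validate_map_request(&ram, sizeof ram, true));
    return 0;
}
```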