Awesome Miner Kernel Memory Vulnerability Allowing Arbitrary Read/Write by Unprivileged Users

A vulnerability in Awesome Miner versions through 11.2.4 allows unprivileged users to arbitrarily read and write to kernel memory and Model Specific Registers (MSRs) such as LSTAR. This issue arises from the use of an insecure version of WinRing0 (1.2.0.5), renamed to IntelliBreeze.Maintenance.Service.sys, which lacks a properly secured Discretionary Access Control List (DACL). As a result, unprivileged users can interact with the driver and access kernel-level functionalities, leading to local privilege escalation, information disclosure, denial of service, and other unspecified impacts.

Impact

Exploitation of this vulnerability allows unprivileged users to gain full control over the system by manipulating kernel memory and MSRs, potentially leading to arbitrary code execution in kernel mode. This could bypass operating system security boundaries, tamper with security tools, and create stealthy persistence in the kernel. Depending on the deployment model, it could also allow escaping from a sandbox or container.

Reproduction

The vulnerability can be reproduced by loading the affected driver outside of Awesome Miner, which allows unprivileged users to obtain a handle to the driver. Once the handle is acquired, crafted IOCTLs can be sent to the driver to write specific MSRs, such as LSTAR, which controls system call handling. By writing an invalid address to MSR_LSTAR, the system can be crashed, demonstrating the ability to disrupt normal operations. This proof-of-concept exploitation can be extended to achieve kernel-mode code execution.

Remediation

Users are advised to avoid software that utilizes WinRing0, as it is a highly exploitable driver. Software developers should seek alternative components for interacting with MSRs. Awesome Miner has released a version 11.3.1 that does not include this vulnerability.