SevenCs ORCA G2 NULL DACL Vulnerability in regService Process Allows Unauthorized Disk Operations
Vulnerability
A vulnerability exists in SevenCs ORCA G2 version 2.0.1.35, specifically within the EC2007 Kernel v5.22. The regService process, which runs as SYSTEM, applies a security descriptor to a device object without an explicitly configured Discretionary Access Control List (DACL), leaving the object with a NULL DACL. A NULL DACL is not the same as an empty DACL: an empty DACL grants nobody access, whereas a NULL DACL disables access checking on the object and grants every principal full access. As a result, any local user, regardless of privilege, can perform raw disk operations against the affected device object, potentially leading to system disruption, exposure of sensitive data, and local privilege escalation.
Impact
Exploitation of this vulnerability could cause system disruption through unauthorized raw disk writes that corrupt critical on-disk structures such as the boot sector or file system metadata. It could also disclose sensitive information, because raw disk reads bypass the file-level (NTFS) permissions that normally protect files on the volume. Depending on the environment and the attacker's capabilities, it could further enable local privilege escalation: reading offline credential material (for example, the registry hives that store local account password hashes) from the raw volume can allow an attacker to compromise administrative accounts.
Reproduction
The vulnerability can be reproduced by triggering the regService process to apply a NULL DACL to the volume device object, such as '\\.\C:' (which resolves to the volume's device object). This is done by sending regService a request over its named pipe, the same kind of request that ORCA components such as regTest.exe normally send. Once the DACL has been set to NULL, a non-administrative local user can open a raw handle to the device with read and write access and perform unauthorized raw disk operations.
Remediation
To address this vulnerability, do not apply permissive ACLs to core device objects such as '\\.\C:' unless absolutely necessary; the system default DACL on volume devices should be left in place. If modifications are required, apply a least-privilege DACL that grants only the specific rights needed to the specific SIDs that need them, and ensure the final descriptor never results in a NULL DACL or grants broad access to Everyone or Authenticated Users. After making changes, validate the resulting security descriptor programmatically (confirm a DACL is present, non-NULL, and free of write or full-control ACEs for low-privileged principals) and add regression tests so that the check runs on every build.
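The following PowerShell script is an added example, not code from the advisory or from SevenCs, that serves both the reproduction step (can a non-administrative user open '\\.\C:' for raw reads?) and the remediation check (is the device object's DACL NULL, or does it grant Everyone write access?). It assumes Windows PowerShell 5.1 or later on Windows, that the volume under test is C:, and that it is run as the low-privileged user whose access you want to measure; the P/Invoke class name NativeMethods and the function names are the author's own choices.

```powershell
# Added example (not part of the SevenCs ORCA advisory or product code).
# Reads the DACL of a volume device object and attempts a raw read of its
# first sector. Assumes Windows PowerShell 5.1+, target volume C:.

$native = @'
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class NativeMethods
{
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern SafeFileHandle CreateFile(
        string lpFileName, uint dwDesiredAccess, uint dwShareMode,
        IntPtr lpSecurityAttributes, uint dwCreationDisposition,
        uint dwFlagsAndAttributes, IntPtr hTemplateFile);

    // Works on any kernel handle (device objects included) via NtQuerySecurityObject.
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetKernelObjectSecurity(
        SafeFileHandle handle, uint requestedInformation,
        byte[] securityDescriptor, uint length, out uint lengthNeeded);
}
'@
Add-Type -TypeDefinition $native

$READ_CONTROL  = 0x20000
$GENERIC_READ  = 0x80000000
$SHARE_RW      = 0x3      # FILE_SHARE_READ | FILE_SHARE_WRITE
$OPEN_EXISTING = 3
$DACL_SECURITY_INFORMATION = 0x4
$WRITE_MASK    = 0x50000002   # GENERIC_ALL | GENERIC_WRITE | FILE_WRITE_DATA

function Open-Device([string]$Path, [uint32]$Access) {
    $h = [NativeMethods]::CreateFile($Path, $Access, $SHARE_RW, [IntPtr]::Zero,
                                     $OPEN_EXISTING, 0, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h.IsInvalid) { return $null, $err }
    return $h, 0
}

# Remediation check: fetch the device object's DACL and classify it.
function Get-DeviceDaclReport([string]$Path = '\\.\C:') {
    $h, $err = Open-Device $Path $READ_CONTROL     # READ_CONTROL is all GetKernelObjectSecurity needs
    if (-not $h) { throw "CreateFile($Path) for READ_CONTROL failed, Win32 error $err" }
    try {
        $needed = [uint32]0
        [void][NativeMethods]::GetKernelObjectSecurity($h, $DACL_SECURITY_INFORMATION, $null, 0, [ref]$needed)
        $buf = New-Object byte[] $needed
        if (-not [NativeMethods]::GetKernelObjectSecurity($h, $DACL_SECURITY_INFORMATION, $buf, $needed, [ref]$needed)) {
            throw "GetKernelObjectSecurity failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($buf, 0)
        $present = ($sd.ControlFlags -band [System.Security.AccessControl.ControlFlags]::DiscretionaryAclPresent) -ne 0
        # SE_DACL_PRESENT set with a null ACL pointer is the NULL-DACL state (everyone: full access).
        # A present DACL with zero ACEs is an empty DACL and denies everyone; do not confuse the two.
        $isNullDacl = $present -and ($null -eq $sd.DiscretionaryAcl)
        $worldWrite = @()
        if ($sd.DiscretionaryAcl) {
            foreach ($ace in $sd.DiscretionaryAcl) {
                if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
                if ($ace.AceQualifier -ne 'AccessAllowed') { continue }
                $world = $ace.SecurityIdentifier.IsWellKnown([System.Security.Principal.WellKnownSidType]::WorldSid) -or
                         $ace.SecurityIdentifier.IsWellKnown([System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid)
                if ($world -and (($ace.AccessMask -band $WRITE_MASK) -ne 0)) { $worldWrite += $ace }
            }
        }
        [pscustomobject]@{
            Device      = $Path
            Sddl        = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::Access)
            NullDacl    = $isNullDacl
            BroadWrite  = $worldWrite.Count -gt 0
            Acceptable  = (-not $isNullDacl) -and ($worldWrite.Count -eq 0)
        }
    } finally { $h.Close() }
}

# Reproduction check: can the current user open the volume for raw reading?
function Test-RawVolumeRead([string]$Path = '\\.\C:') {
    $h, $err = Open-Device $Path $GENERIC_READ
    if (-not $h) { return [pscustomobject]@{ Device = $Path; Opened = $false; Win32Error = $err; BootSig = $null } }
    $fs = $null
    try {
        $fs = New-Object System.IO.FileStream($h, [System.IO.FileAccess]::Read)
        $sector = New-Object byte[] 512       # first sector: the volume boot record
        $n = $fs.Read($sector, 0, 512)
        # A readable boot sector ends in 55 AA; seeing it proves file-level ACLs were bypassed.
        $sig = if ($n -ge 512) { '{0:X2}{1:X2}' -f $sector[510], $sector[511] } else { $null }
        [pscustomobject]@{ Device = $Path; Opened = $true; Win32Error = 0; BootSig = $sig }
    } finally { if ($fs) { $fs.Dispose() }; $h.Close() }
}

Get-DeviceDaclReport '\\.\C:' | Format-List
Test-RawVolumeRead  '\\.\C:' | Format-List
```

Run it once from a non-administrative session before the regService request and once after. A hardened device object yields Acceptable = True and Opened = False with Win32Error 5 (ERROR_ACCESS_DENIED) for the low-privileged user; NullDacl = True or BootSig = 55AA in the second run is the condition the remediation must remove, and the Acceptable field is the value to assert in a regression test.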
