OpenEDR Privilege Escalation Vulnerability via IOCTL Interface
Vulnerability
A local, non-privileged attacker can exploit a vulnerable IOCTL interface in the OpenEDR kernel driver (version 2.5.1.0) to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load a malicious DLL into high-privilege processes, leading to arbitrary code execution with SYSTEM privileges and full system compromise.
Impact
Exploitation of this vulnerability allows for local privilege escalation, with injected DLLs executed in the context of high-privilege processes, such as Windows Defender.
Reproduction
The vulnerability can be reproduced by sending a crafted IOCTL request to the OpenEDR kernel driver. This request should include a modified DLL path that points to a location writable by non-privileged users. Once the path is set, the OpenEDR driver will inject the DLL into a privileged process, such as one related to system services or trusted applications.
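The precondition the advisory relies on is that the injection path can be pointed at a location a non-privileged user can write to. The following PowerShell script is an added example, not code from the OpenEDR project or from the advisory: it audits a DLL path (and every existing directory above it) for ACL entries that grant write-type rights to low-privileged principals. `$DllPath` is a placeholder, since the advisory does not state the path OpenEDR configures; replace it with the injection path in use on the host.

```powershell
# Added example, not part of OpenEDR or the advisory.
# Audits whether a DLL path loaded by privileged processes, or any existing
# directory above it, grants write-type rights to low-privileged principals.
# $DllPath is a PLACEHOLDER: substitute the injection path OpenEDR actually uses.
param(
    [string]$DllPath = 'C:\PLACEHOLDER\OpenEDR\inject.dll'
)

# Well-known SIDs for groups every unprivileged local user belongs to.
$LowPrivilegedSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # Interactive
)

# Rights that let a principal replace the file, plant a file in a directory,
# or rewrite the ACL so that they can.
$DangerousRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
    [System.Security.AccessControl.FileSystemRights]::Modify -bor
    [System.Security.AccessControl.FileSystemRights]::FullControl -bor
    [System.Security.AccessControl.FileSystemRights]::Delete -bor
    [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-LowPrivilegedWriteAces {
    # Returns one object per Allow ACE on $Path that gives a low-privileged
    # principal any of the dangerous rights (inherited ACEs included).
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # identity cannot be resolved to a SID; skip it
        }
        if ($LowPrivilegedSids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $DangerousRights) -ne 0) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

# Walk from the DLL path up to the volume root and check every node that
# exists: if the DLL itself is absent, a writable parent directory is enough
# for a low-privileged user to create it.
$findings = @()
$current = $DllPath
while (-not [string]::IsNullOrEmpty($current)) {
    if (Test-Path -LiteralPath $current) {
        $findings += Get-LowPrivilegedWriteAces -Path $current
    }
    $parent = Split-Path -Path $current -Parent
    if ($parent -eq $current) { break }
    $current = $parent
}

if ($findings.Count -eq 0) {
    Write-Output "OK: no low-privileged principal holds write rights on '$DllPath' or its parent directories."
} else {
    Write-Output "FINDING: '$DllPath' can be tampered with by a low-privileged user:"
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated session so that ACLs on protected directories can be read. A clean result only covers the "writable location" half of the issue: as long as an unprivileged caller can reach the IOCTL and retarget the path, the durable fix is on the driver side (restricting who may issue that control code), and this script serves to verify that the path currently in use cannot be tampered with.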