Wincor Nixdorf wnBios64.sys Stack Buffer Overflow Vulnerability in Kernel Driver

Vulnerability

A stack buffer overflow vulnerability has been identified in the Wincor Nixdorf wnBios64.sys kernel driver, version 1.2.0.0. The IOCTL handler for code 0x80102058 does not perform proper bounds checking on the user-controlled Options parameter. An attacker with local access can therefore send a crafted IOCTL request that exceeds 40 bytes and overflow a stack buffer. Exploitation could result in unauthorized execution of kernel code, escalation of privileges, or a denial-of-service condition that crashes the system. The same IOCTL handler can also leak kernel addresses and other sensitive stack information by reading beyond the buffer's limits.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow that can overwrite local variables and return addresses, with a high potential for arbitrary code execution in the kernel context. The vulnerability also discloses information by leaking kernel addresses and sensitive stack data, which could facilitate further exploitation. It can additionally be used to crash the system, disrupting normal operations.

Reproduction

The vulnerability can be reproduced by sending an IOCTL request to the wnBios64.sys driver with an Options parameter greater than 40 bytes. This can be done using a custom application that interacts with the driver via the Windows Device Driver Interface (WDDI). The proof-of-concept exploit available in this repository demonstrates the issue by first leaking sensitive stack data and then triggering the buffer overflow to overwrite the return address, ultimately executing arbitrary code in the kernel context.

Remediation

Users are advised to uninstall the Wincor Nixdorf wnBios64 driver if it is not needed. If the driver is required, access to the device objects should be restricted. Monitor for the loading of this driver and block it if possible.
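
To support the monitoring step above, the following read-only host audit is an added example, not part of the original advisory or of any vendor tooling. It assumes an elevated PowerShell session, and its third check assumes Sysmon is deployed with driver-load logging (Event ID 6) enabled; the helper function names are hypothetical.

```powershell
# Added example: read-only audit for the driver named in this advisory.
# Run from an elevated PowerShell prompt on the host being checked.
$DriverFile  = 'wnBios64.sys'   # file name from the advisory
$VulnVersion = '1.2.0.0'        # affected version from the advisory

function Resolve-DriverPath([string]$PathName) {
    # Service image paths may carry a \??\ prefix or be relative to %SystemRoot%.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\?SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    $p
}

function Get-DriverFileInfo([string]$Path) {
    $ver = $null
    if (Test-Path -LiteralPath $Path) {
        $ver = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    }
    [pscustomobject]@{
        Path     = $Path
        Version  = $ver
        # A missing or unreadable version is flagged so the file still gets reviewed.
        Affected = (-not $ver) -or ($ver -like "$VulnVersion*")
    }
}

# 1. Kernel driver services whose image is wnBios64.sys (State 'Running' = loaded now).
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$DriverFile" } |
    ForEach-Object {
        $info = Get-DriverFileInfo (Resolve-DriverPath $_.PathName)
        [pscustomobject]@{ Service = $_.Name; State = $_.State; StartMode = $_.StartMode
                           Path = $info.Path; Version = $info.Version; Affected = $info.Affected }
    }

# 2. Copies on disk that are not registered as a service (staged or left behind).
$roots = "$env:SystemRoot\System32\drivers", "$env:SystemRoot\System32\DriverStore\FileRepository"
$files = Get-ChildItem -Path $roots -Filter $DriverFile -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-DriverFileInfo $_.FullName }

# 3. Historical loads: Sysmon Event ID 6 (driver loaded), if Sysmon is deployed.
$loads = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*\$DriverFile*" } |
    Select-Object TimeCreated, MachineName, Message

$services | Format-Table -AutoSize
$files    | Format-Table -AutoSize
$loads    | Format-List
if (-not ($services -or $files -or $loads)) { "No trace of $DriverFile found on $env:COMPUTERNAME." }
```

A service row with State `Running` means the driver is loaded now; rows from the second check with no matching service indicate a copy that could still be loaded later and should be removed or blocked.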

Added: Mar 5, 2026, 7:33 PM
Updated: Mar 5, 2026, 8:02 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.0
remediation: 0.0
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.