Tag - driver

PrivEsc on a production-mode POS

Earlier this year, we were involved in the security assessment of a mobile application that included the use and verification of a POS, a Pax D200. An Internet search aimed at identifying any known vulnerabilities about it, led us to this post called pax-pwn and written by lsd.cat where three CVEs were reported and...

Merry Hackmas: multiple vulnerabilities in MSI’s products

This blog post serves as an advisory for a couple MSI’s products that are affected by multiple high-severity vulnerabilities in the driver components they are shipped with. All the vulnerabilities are triggered by sending specific IOCTL requests and will allow to: Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into a...

Driver Buddy Reloaded

As part of Yarix's continuous security research journey, during this year I’ve spent a good amount of time reverse-engineering Windows drivers and exploiting kernel-mode related vulnerabilities. While in the past there were (as far as I know), at least two good IDA plugins aiding in the reverse engineering process: DriverBuddy of NCC Group. ...

Crucial’s MOD Utility LPE – CVE-2021-41285

Crucial Ballistix MOD Utility is a software product that can be used to customize and control gaming systems, specifically LED colours and patterns, memory, temperature, and overclock.During my vulnerability research, I’ve discovered that this software utilizes a driver, MODAPI.sys, containing multiple vulnerabilities and allowing an attacker to achieve local privilege escalation from...