Severity: High

Micro-Star International (MSICenter Pro v. <= 2.0.16.0 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the following drivers components:

  • atidgllk.sys - D299A2420F92A1F0150265F26D496AE587A681DA
  • atillk64.sys - C52CEF5B9E1D4A78431B7AF56A6FDB6AA1BCAD65
  • MODAPI.sys/WinRing0x64.sys - D25340AE8E92A6D29F599FEF426A2BC1B5217299
  • NTIOLib.sys - CFD03C6FA17F369E5D7286D1B8A97C49DDAE93A3
  • NTIOLib.sys - FC639CC99362DF79D7AAC31057740C515205A6C4
  • NTIOLib.sys - 4C9691E9B87DC84619E30C6EB21256369EFB8996
  • NTIOLib_X64.sys - 9F31AD3DBA608773EBE62962D654508D7787FF08
  • NTIOLib_X64.sys - DB4C5957DBDA3D3691AA1E393D1F63AD0B049DF5
  • NTIOLib_X64.sys - AD31989CC268ABF8CB36BF44C2087AA761F30F3E
  • WinRing0.sys - 8AC34EB21B9B38F67CD29684C45696C20AB2E75A

All the vulnerabilities are triggered by sending specific IOCTL requests and will allow to:

  • Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into a virtual address user-space.
  • Read/write Model-Specific Registers (MSRs) via the __readmsr/__writemsr functions calls.
  • Read/write 1/2/4 bytes to or from an IO port.

Attackers could exploit these issues to achieve local privilege escalation from low-privileged users to NT AUTHORITY\SYSTEM.