| タイトル | UltraISO Premium Edition Kernel Driver bootpt64.sys 9.76 Local Privilege Escapation |
|---|
| 説明 | UltraISO Premium Edition 9.76 ships the signed kernel driver bootpt64.sys. The driver exposes \\.\BootPart to standard users and allows a caller to mount a selected physical disk range through IOCTL 0x7F300. After the mount succeeds, normal ReadFile and WriteFile operations on the BootPart device are serviced by a raw disk handle opened inside the driver.
In the validation below, a standard user at Medium Integrity could not read or write a protected flag file on a temporary VHD and could not open the VHD as \\.\PhysicalDrive1. The same standard user opened \\.\BootPart, mounted disk 1, and read the protected file's NTFS data clusters by raw disk offset. In a separate non-destructive write proof, the same user wrote a marker to an unused sector of a temporary unformatted VHD attached as disk 2; an administrator raw readback from the VHD confirmed the marker.
An unprivileged user can exploit arbitrary read/write primitives over protected file resources to achieve local privilege escalation. |
|---|
| ソース | ⚠️ https://winslow1984.com/books/cve-collection/page/ultraiso-premium-976-kernel-driver-bootpt64sys-local-privilege-escalation |
|---|
| ユーザー | winslow1984 (UID 79140) |
|---|
| 送信 | 2026年05月22日 07:40 (1 月 ago) |
|---|
| モデレーション | 2026年06月20日 11:54 (29 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 372528 [Ezbsystems UltraISO Premium Edition 迄 9.76 Kernel Driver bootpt64.sys 特権昇格] |
|---|
| ポイント | 20 |
|---|