| Title | UltraISO Premium Edition Kernel Driver bootpt64.sys 9.76 Local Privilege Escalation |
|---|
| Description | UltraISO Premium Edition 9.76 ships the signed kernel driver bootpt64.sys. The driver exposes \\.\BootPart to standard users and allows a caller to mount a selected physical disk range through IOCTL 0x7F300. After the mount succeeds, normal ReadFile and WriteFile operations on the BootPart device are serviced by a raw disk handle opened inside the driver.
In the validation below, a standard user at Medium Integrity could not read or write a protected flag file on a temporary VHD and could not open the VHD as \\.\PhysicalDrive1. The same standard user opened \\.\BootPart, mounted disk 1, and read the protected file's NTFS data clusters by raw disk offset. In a separate non-destructive write proof, the same user wrote a marker to an unused sector of a temporary unformatted VHD attached as disk 2; an administrator raw readback from the VHD confirmed the marker.
An unprivileged user can exploit arbitrary read/write primitives over protected file resources to achieve local privilege escalation. |
|---|
| Source | https://winslow1984.com/books/cve-collection/page/ultraiso-premium-976-kernel-driver-bootpt64sys-local-privilege-escalation |
|---|
| User | winslow1984 (UID 79140) |
|---|
| Submission | 2026-05-22 07:40 AM (1 month ago) |
|---|
| Moderation | 2026-06-20 11:54 AM (29 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 372528 [Ezbsystems UltraISO Premium Edition up to 9.76 Kernel Driver bootpt64.sys privilege escalation] |
|---|
| Points | 20 |
|---|