Submit #835614: UltraISO Premium Edition Kernel Driver bootpt64.sys 9.76 Local Privilege Escapation
| Title | UltraISO Premium Edition Kernel Driver bootpt64.sys 9.76 Local Privilege Escapation |
|---|---|
| Description | UltraISO Premium Edition 9.76 ships the signed kernel driver bootpt64.sys. The driver exposes \\.\BootPart to standard users and allows a caller to mount a selected physical disk range through IOCTL 0x7F300. After the mount succeeds, normal ReadFile and WriteFile operations on the BootPart device are serviced by a raw disk handle opened inside the driver. In the validation below, a standard user at Medium Integrity could not read or write a protected flag file on a temporary VHD and could not open the VHD as \\.\PhysicalDrive1. The same standard user opened \\.\BootPart, mounted disk 1, and read the protected file's NTFS data clusters by raw disk offset. In a separate non-destructive write proof, the same user wrote a marker to an unused sector of a temporary unformatted VHD attached as disk 2; an administrator raw readback from the VHD confirmed the marker. An unprivileged user can exploit arbitrary read/write primitives over protected file resources to achieve local privilege escalation. |
| Source | ⚠️ https:/ |
| User | winslow1984 (UID 79140) |
| Submission | 05/22/2026 07:40 (29 days ago) |
| Moderation | 06/20/2026 11:54 (29 days later) |
| Status | Accepted |
| VulDB entry | 372528 [Ezbsystems UltraISO Premium Edition up to 9.76 Kernel Driver bootpt64.sys access control] |
| Points | 20 |