CVE-2024-33218 - Understanding and Exploiting the ASUSTeK ASUS USB 3. Boost Storage Driver Privilege Escalation Vulnerability

CVE-2024-33218 is a vulnerability discovered in the ASUSTeK Computer Inc ASUS USB 3. Boost Storage Driver (version 5.30.20.) that allows an attacker to escalate privileges and execute arbitrary code. Specifically, the vulnerability lies within the component AsUpIO64.sys and is triggered by sending crafted IOCTL (Input/Output Control) requests.

In this long read post, we will explore the vulnerability, explain how to reproduce it, discuss potential exploit details and impacts, and provide mitigation measures. To follow along, you will need some level of familiarity with programming and Windows IOCTL commands.

Understanding the Vulnerability

To grasp the root cause of the CVE-2024-33218 vulnerability, it is important to understand basic concepts like IOCTLs and the kernel-mode I/O. IOCTLs are powerful system calls that provide a way to communicate with kernel-mode drivers from user-mode applications. They are a combination of Control Codes and parameters that request actions to be performed or manipulate settings on a device, such as our case, the ASUS USB 3. Boost Storage Driver.

The vulnerability emerges when an attacker crafts malicious IOCTL requests. When these requests interact with the AsUpIO64.sys component of the ASUS USB 3. Boost Storage Driver, the attacker gains the ability to execute arbitrary code with escalated privileges, potentially compromising the entire system.

Reproducing the Vulnerability

In order to replicate this vulnerability, we first need to locate the AsUpIO64.sys component on a system with the susceptible driver version (5.30.20.) installed. The component should be found in the "\System32\drivers" directory. With the assistance of a debugger, we can dynamically analyze the AsUpIO64.sys driver and find a suitable IOCTL value that can trigger the vulnerability.

For demonstration purposes, let's assume that the IOCTL value we want to use is x8343. We can create a minimal Python code snippet to send a malicious IOCTL request with this value:

import ctypes
from ctypes import windll

kernel32 = windll.kernel32

ioctl_code = x8343
handle = kernel32.CreateFileA("\\\\.\\AsUpIO64.sys", xC, 3, None, 3, , None)
if handle == -1:
    print("Failed to obtain a handle to the driver.")
else:
    in_buffer = (ctypes.c_char * x30)()
    out_buffer = (ctypes.c_char * x30)()
    bytes_returned = ctypes.c_ulong()
    kernel32.DeviceIoControl(handle, ioctl_code, ctypes.addressof(in_buffer),
                              x30, ctypes.addressof(out_buffer),
                              x30, ctypes.byref(bytes_returned), None)

    kernel32.CloseHandle(handle)

This code initializes an IOCTL request with the value x8343, targeting the AsUpIO64.sys component, and sends the request using the DeviceIoControl() function. If the value x8343 triggers the vulnerability, arbitrary code execution with escalated privileges can be achieved.

Exploit Details and Impacts

The impact of CVE-2024-33218 can be severe, as it provides an attacker with the ability to execute arbitrary code with escalated privileges. This could potentially enable attackers to achieve complete control over a system, extract sensitive information or install other malware.

Mitigation Measures

To mitigate this vulnerability, it is important to identify whether your system is using the vulnerable ASUS USB 3. Boost Storage Driver version 5.30.20.. If confirmed, consider taking the below steps:

1. Uninstalling the affected driver and updating to the latest version available from the ASUS website (https://www.asus.com/support/).
2. Restricting driver access/authentication to authorized users only, reducing the risk of unauthorized IOCTL requests.
3. Implementing the principle of least privilege, ensuring that users and applications have only the necessary privileges to perform their tasks, limiting potential malicious actions.

Original References

Here are the original references that announced and provided details about the CVE-2024-33218 vulnerability:

1. CVE-2024-33218 - NIST National Vulnerability Database (NVD)
2. ASUS Website - USB 3. Boost Storage Driver Updates

Conclusion

CVE-2024-33218 is a privilege escalation vulnerability found in the ASUS USB 3. Boost Storage Driver that allows arbitrary code execution by sending malicious IOCTL requests. Understanding the implications of this vulnerability, and taking proactive mitigation measures, such as updating the driver, restricting driver access, and implementing the least privilege principle, can help protect systems from potential exploits.

Timeline

Published on: 05/22/2024 15:15:28 UTC
Last modified on: 08/01/2024 13:51:46 UTC