Unrated severity · NVD Advisory · Published Jan 1, 2022 · Updated Aug 4, 2024

CVE-2021-44852

Description

An issue was discovered in BS_RCIO64.sys in Biostar RACING GT Evo 2.1.1905.1700. A low-integrity process can open the driver's device object and issue IOCTLs to read or write to arbitrary physical memory locations (or call an arbitrary address), leading to execution of arbitrary code. This is associated with 0x226040, 0x226044, and 0x226000.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A low-integrity process can exploit the Biostar RACING GT Evo driver via IOCTLs to read or write physical memory or call arbitrary addresses, leading to arbitrary code execution.

Vulnerability

The vulnerability resides in the BS_RCIO64.sys driver installed by Biostar RACING GT Evo version 2.1.1905.1700. The device object is created with an insufficient DACL, allowing any process, including low-integrity ones, to open it. The driver exposes three vulnerable IOCTL codes: 0x226040 (arbitrary physical memory read), 0x226044 (arbitrary physical memory write), and 0x226000 (arbitrary call to a user-supplied address). [1]
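Added example (not taken from the advisory or its reference): decoding the three IOCTL codes named above with the Windows SDK `CTL_CODE` bit layout shows which handle access the I/O manager demands for each one. The `changes_state` flags are assumptions derived from the effects the text describes.

```python
# Added example: split the advisory's IOCTL codes into CTL_CODE fields.
from typing import NamedTuple

# Bit layout and names follow the Windows SDK CTL_CODE macro:
#   DeviceType[31:16] | RequiredAccess[15:14] | Function[13:2] | Method[1:0]
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT",
           "METHOD_OUT_DIRECT", "METHOD_NEITHER")
ACCESS = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS")
FILE_WRITE_BIT = 0x2  # set in RequiredAccess when a write handle is needed

# code -> (effect as described in the advisory, changes_state assumption)
ADVISORY_IOCTLS = {
    0x226040: ("arbitrary physical memory read", False),
    0x226044: ("arbitrary physical memory write", True),
    0x226000: ("call to a user-supplied address", True),
}

class Ioctl(NamedTuple):
    code: int
    device_type: int          # 0x22 is FILE_DEVICE_UNKNOWN
    function: int
    method: str
    access: str
    needs_write_handle: bool

def decode_ioctl(code: int) -> Ioctl:
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit IOCTL code: {code!r}")
    access_bits = (code >> 14) & 0x3
    return Ioctl(code, code >> 16, (code >> 2) & 0xFFF, METHODS[code & 0x3],
                 ACCESS[access_bits], bool(access_bits & FILE_WRITE_BIT))

def state_changing_without_write(ioctls: dict) -> list:
    """Codes flagged as state-changing whose RequiredAccess bits do not
    ask for a write-capable handle."""
    return [hex(code) for code, (_, changes_state) in sorted(ioctls.items())
            if changes_state and not decode_ioctl(code).needs_write_handle]

if __name__ == "__main__":
    for code, (effect, _) in ADVISORY_IOCTLS.items():
        d = decode_ioctl(code)
        print(f"{code:#x}: type={d.device_type:#x} func={d.function:#x} "
              f"{d.method} {d.access} ({effect})")
    print("no write access required:", state_changing_without_write(ADVISORY_IOCTLS))
```

All three codes decode to `FILE_READ_ACCESS`, so any DACL restriction on the device object has to remove read access for untrusted principals, not only write access.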

Exploitation

An attacker running at low integrity (e.g., from a sandbox or limited user account) can open the device object \\.\BS_RCIO and send crafted IOCTL requests. For arbitrary code execution via IOCTL 0x226000, the first 8 bytes of the input buffer are treated as a function pointer and called with three arguments (likely from subsequent bytes). The driver does not validate the pointer, allowing an attacker to redirect execution to any address. [1]

Impact

Successful exploitation gives the attacker the ability to read and write arbitrary physical memory and execute arbitrary code at the kernel level. This can lead to complete compromise of the system, including privilege escalation to NT AUTHORITY\SYSTEM, installation of rootkits, and data exfiltration. [1]

Mitigation

As of the publication date, Biostar has not released a patched driver or utility. The affected version 2.1.1905.1700 remains in use. Mitigation involves removing the driver (BS_RCIO64.sys) or restricting access to the device object \\.\BS_RCIO by modifying its DACL or using a security tool. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
