CVE-2021-44900

Vulnerability

Multiple privilege escalation vulnerabilities exist in the Micro-Star International (MSI) App Player versions ≤ 4.280.1.6309, specifically in the NTIOLib_X64.sys and BstkDrv_msi2.sys driver components. All flaws are triggered by sending specific IOCTL requests to these drivers [2]. The NTIOLib_X64.sys driver contains functions that directly interact with physical memory via MmMapIoSpace and can read/write Model-Specific Registers (MSRs) using __readmsr/__writemsr [2]. These operations are normally restricted to high-privilege contexts.

Exploitation

An attacker with low-privileged user access on the system can exploit these vulnerabilities by sending specially crafted IOCTL requests to the vulnerable drivers [1]. No additional authentication or user interaction beyond local system access is required. The attacker can directly map physical memory into user space and manipulate MSRs, bypassing typical access controls [2].

Impact

Successful exploitation allows a low-privileged attacker to elevate privileges to NT AUTHORITY\SYSTEM, gaining full control over the system [2]. The attacker can read and write arbitrary physical memory and MSRs, enabling them to disable security features, modify kernel data, or execute arbitrary code at the highest privilege level [1].

Mitigation

As of the publication date (2022-02-04), no official patch has been released for MSI App Player versions ≤ 4.280.1.6309. Users should check for driver updates from MSI and consider removing or restricting access to the vulnerable drivers (NTIOLib_X64.sys, BstkDrv_msi2.sys) until a fix is provided [2]. This vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities catalog.