CVE-2023-41444
Description
An issue in Binalyze IREC.sys v3.11.0 and earlier allows a local attacker to execute arbitrary code and escalate privileges via the fun_1400084d0 function in the IREC.sys driver.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A local attacker can exploit an arbitrary code execution flaw in the IREC.sys driver (≤3.11.0) to escalate privileges.
Vulnerability
A vulnerability exists in the Binalyze IREC.sys kernel driver, version 3.11.0 and earlier, in the function fun_1400084d0. The driver mishandles IOCTL requests, allowing a low-integrity user-space process to send specially crafted input that triggers an out-of-bounds write or similar memory corruption, leading to arbitrary code execution in kernel context [1].
Exploitation
An attacker with local user access can interact with the \\.\IREC device. By sending a crafted IOCTL code (e.g., IOTCL_IREC_OPEN_PROCESS at 0x80012028) with a controlled buffer, the attacker triggers the vulnerable code path in fun_1400084d0. The provided proof-of-concept code demonstrates opening the device, sending the IOCTL, and exploiting the flaw to execute arbitrary shellcode in kernel mode [1]. No authentication beyond local user access is required.
Impact
Successful exploitation results in full kernel-mode code execution. The attacker can escalate privileges from a local unprivileged process to SYSTEM, enabling them to disable security products, install persistent malware, or access sensitive system data. The vulnerability compromises confidentiality, integrity, and availability [1].
Mitigation
The vendor has not released a public patch for this vulnerability as of the disclosure date (2023-09-28). Users are advised to restrict local access to trusted accounts only, and monitor for updated driver versions from Binalyze. No workaround is available [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Binalyze/IREC.sys
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions (0)
No linked articles in our index yet.