Rairii :windows: · @Rairii

OK, so everyone seemed to enjoy the last one. Here's another :)

This time for the product called DriverTalent, also known as DriveTheLife, from Shenzhen DriveTheLife Software Technology Co., Ltd.

Vendor website is hxxps://160.com in Chinese and hxxps://www.drivethelife.com in English.

To me the vendor is a bad actor. It's a PUP, and the same developers once bundled a mapper driver (send it an IOCTL with an obfuscated unsigned driver PE and it loads it) with most of their products, some of which have been distributed in the past via bundler networks.

Here's the technical details:

  • It installs a service, DevDrvSvc (in the zh-CN version) or LDrvSvc (in the English version), that runs as SYSTEM.
  • This service exposes IPC via shared memory (with a semaphore to lock that memory, an event to notify the server that a message is sent, and an event to notify the client that a message was replied to).
  • All the objects are created with a security descriptor that has a NULL access control list (so everyone at Medium IL can access them).
  • The IPC commands include creating an arbitrary process (where the command line and application name are obfuscated with a 1024-byte XOR key) as SYSTEM (in session zero or the current session); copying a file as SYSTEM with arbitrary source and destination paths; and deleting a file as SYSTEM with an arbitrary path.

Latest known vulnerable components are devdrvsvc.dll v1.0.21.616 and LDrvSvc.dll v2.0.8.610.

Uninstallation of this software will prevent exploitation of the issue.

PoC code will fit in a reply.

#privesc #zeroday #PotentiallyUnwantedProgram #pup #0day

Last updated 2 years ago
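The post names the two service names, the two service DLLs and the latest builds known to be vulnerable, which is enough for a quick inventory check on a fleet. The script below is an added example, not Rairii's PoC and not part of the post: it looks up each service, finds the service DLL next to the service binary, and reports whether the DLL's file version is at or below the latest known vulnerable build. The service/DLL names and version numbers come from the post; the assumption that the DLL lives in or under the directory of the service's binary, and the function names, are mine. It does not inspect the NULL-DACL IPC objects themselves, and a build newer than the ones listed is only reported as "verify", since the post does not say any later build is fixed.

```powershell
# Added check script (not from the post). Reports whether the DriverTalent /
# DriveTheLife service described above is installed and whether its service DLL
# is at or below the latest known vulnerable build listed in the post.
# Assumption (mine): the DLL sits in or under the service binary's directory.

$Known = @(
    @{ Service = 'DevDrvSvc'; Dll = 'devdrvsvc.dll'; MaxVulnerable = New-Object System.Version(1, 0, 21, 616) }  # zh-CN build
    @{ Service = 'LDrvSvc';   Dll = 'LDrvSvc.dll';   MaxVulnerable = New-Object System.Version(2, 0, 8, 610)  }  # English build
)

function Get-ServiceBinaryInfo {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }

    # PathName may be quoted and may carry arguments; reduce it to the image path.
    $path = $svc.PathName.Trim()
    if ($path.StartsWith('"')) {
        $path = $path.Substring(1, $path.IndexOf('"', 1) - 1)
    } else {
        $path = ($path -split ' ', 2)[0]
    }

    [pscustomobject]@{
        Name      = $svc.Name
        StartName = $svc.StartName      # 'LocalSystem' matches "runs as SYSTEM" in the post
        State     = $svc.State
        Directory = Split-Path -Parent $path
    }
}

function Get-DllFileVersion {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    # Build the version from the numeric parts rather than parsing FileVersion,
    # which vendors sometimes format with commas or trailing text.
    $vi = $File.VersionInfo
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-DriverTalentService {
    foreach ($k in $Known) {
        $info = Get-ServiceBinaryInfo -Name $k.Service
        if (-not $info) {
            [pscustomobject]@{ Service = $k.Service; Status = 'Not installed'; RunsAs = $null; Dll = $null; FileVersion = $null }
            continue
        }

        $dll = Get-ChildItem -Path $info.Directory -Filter $k.Dll -Recurse -File -ErrorAction SilentlyContinue |
               Select-Object -First 1

        if (-not $dll) {
            $status = 'Service present, DLL not found under service directory; inspect manually'
            $ver = $null
        } else {
            $ver = Get-DllFileVersion -File $dll
            if ($ver -le $k.MaxVulnerable) {
                $status = "Vulnerable (at or below latest known vulnerable build $($k.MaxVulnerable))"
            } else {
                $status = "Newer than latest known vulnerable build $($k.MaxVulnerable); verify, no fix is documented"
            }
        }

        [pscustomobject]@{
            Service     = $k.Service
            Status      = $status
            RunsAs      = $info.StartName
            State       = $info.State
            Dll         = if ($dll) { $dll.FullName } else { $null }
            FileVersion = $ver
        }
    }
}

Test-DriverTalentService | Format-List
```

Run it as a standard user on each host; querying Win32_Service and reading a DLL's version resource need no elevation. Any host where the service is present should simply have the product uninstalled, which is the only mitigation the post gives; the version comparison only tells you which hosts have a build the post explicitly calls vulnerable.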