
CVE-2018-19320

Gigabyte gdrv — arbitrary kernel read/write and MSR access via IOCTL

Summary

Field                Value
Driver               gdrv.sys
Vendor               Gigabyte
Vulnerability Class  Arbitrary R/W / Physical Memory Mapping
Abused Version       Multiple versions shipped with Gigabyte App Center
Status               Blocklisted — included in Microsoft Vulnerable Driver Blocklist
Exploited ITW        Yes

BYOVD Context

  • Driver signing: Authenticode-signed by Giga-Byte Technology with valid certificate
  • Vulnerable Driver Blocklist: Included in Microsoft's recommended driver block rules
  • HVCI behavior: Blocked on HVCI-enabled systems via the blocklist
  • KDU integration: Integrated as a KDU provider
  • LOLDrivers: Listed at loldrivers.io

Affected IOCTLs

  • Arbitrary physical memory read via MmMapIoSpace
  • Arbitrary physical memory write via MmMapIoSpace
  • MSR read/write (RDMSR/WRMSR)
  • I/O port access

Root Cause

gdrv.sys is a kernel driver shipped with Gigabyte App Center, a system management utility bundled with Gigabyte motherboards. The driver provides low-level hardware access for motherboard monitoring, BIOS flashing, and system configuration. It exposes multiple IOCTLs that allow arbitrary physical memory read/write via MmMapIoSpace, MSR read/write via RDMSR/WRMSR, and I/O port access.

The driver creates its device object with permissive ACLs, allowing any user to open a handle. No privilege checks are performed on any IOCTL. The vulnerability was disclosed by Amit Moshel and subsequently detailed on seclists Full Disclosure.

Exploitation

Exploitation follows the standard vendor utility BYOVD pattern:

  1. Deploy and load gdrv.sys on the target system
  2. Open a handle to the device
  3. Use physical memory R/W IOCTLs to walk page tables and locate kernel structures
  4. Overwrite process token for privilege escalation

RobbinHood ransomware notably used gdrv.sys as part of a BYOVD chain to disable AV products and deploy ransomware. The attack was documented as one of the earlier high-profile ransomware BYOVD operations.

Detection

YARA Rule

rule CVE_2018_19320_gdrv {
    meta:
        description = "Detects Gigabyte gdrv.sys vulnerable driver"
        cve = "CVE-2018-19320"
        author = "KernelSight"
        severity = "critical"
    strings:
        $mz = { 4D 5A }                           // MZ header: limit hits to PE files
        $driver_name = "gdrv" wide ascii nocase   // driver name, ASCII or UTF-16, any case
        $gigabyte = "Giga-Byte" wide ascii        // vendor string as it appears in the signer name
    condition:
        // Both strings are short and broad; corroborate hits with the file hash or Authenticode signer
        $mz at 0 and ($driver_name or $gigabyte)
}

ETW Indicators

Provider                             Event / Signal                  Relevance
Microsoft-Windows-Kernel-File        Driver load event               Detects loading of gdrv.sys
Microsoft-Windows-Security-Auditing  Event 4697 — Service installed  Service creation for gdrv.sys
Sysmon                               Event ID 6 — Driver loaded      Captures hash and signature
Microsoft-Windows-Kernel-Process     Process token modification      Post-exploitation token swap

Behavioral Indicators

  • Loading of gdrv.sys outside of Gigabyte App Center installation directory
  • Physical memory read/write IOCTL sequences from non-Gigabyte processes
  • Service creation for a Gigabyte driver by a non-Gigabyte utility
  • Process privilege escalation following gdrv.sys driver interaction
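The following Python triage of Sysmon Event ID 6 (Driver loaded) records combines the ETW and behavioral indicators above; it is an added example, not part of this entry or of any KernelSight tooling. The App Center install directory is an assumption to adjust per fleet, and the three event records are constructed samples, not real telemetry.

```python
"""Triage Sysmon Event ID 6 (Driver loaded) records for gdrv.sys loads."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed Gigabyte App Center install directory; adjust to your fleet's baseline.
EXPECTED_DIRS = (r"C:\Program Files (x86)\GIGABYTE\AppCenter",)

# Constructed sample records (not real telemetry); hashes omitted for brevity.
BENIGN_LOAD = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>
<Data Name="ImageLoaded">C:\Program Files (x86)\GIGABYTE\AppCenter\gdrv.sys</Data>
<Data Name="Signature">Giga-Byte Technology</Data><Data Name="SignatureStatus">Valid</Data>
</EventData></Event>"""
SUSPICIOUS_LOAD = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>
<Data Name="ImageLoaded">C:\Windows\Temp\gdrv.sys</Data>
<Data Name="Signature">Giga-Byte Technology</Data><Data Name="SignatureStatus">Valid</Data>
</EventData></Event>"""
UNRELATED_LOAD = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>
<Data Name="ImageLoaded">C:\Windows\System32\drivers\afd.sys</Data>
<Data Name="Signature">Microsoft Windows</Data><Data Name="SignatureStatus">Valid</Data>
</EventData></Event>"""

def parse_event_data(xml_text):
    """Flatten the <EventData> section of a Sysmon event into {Name: value}."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iterfind(".//e:EventData/e:Data", NS)}

def triage_driver_load(xml_text):
    """Return (severity, reasons) for one Event ID 6 record; severity None means no match."""
    ev = parse_event_data(xml_text)
    image = ev.get("ImageLoaded", "")
    path = PureWindowsPath(image)
    is_gdrv = path.name.lower() == "gdrv.sys"
    gigabyte_signed = "giga-byte" in ev.get("Signature", "").lower()
    if not (is_gdrv or gigabyte_signed):
        return None, []
    reasons = []
    if is_gdrv:
        reasons.append("gdrv.sys (CVE-2018-19320) loaded; blocklisted driver should not load at all")
    # Behavioral indicator: Gigabyte-signed driver loaded outside the App Center directory.
    in_expected = any(str(path).lower().startswith(d.lower() + "\\") for d in EXPECTED_DIRS)
    if not in_expected:
        reasons.append(f"Gigabyte driver loaded from unexpected path: {image}")
    sig_ok = ev.get("SignatureStatus", "").lower() == "valid"
    if not sig_ok:
        reasons.append("signature status not Valid: possible tampered or re-signed copy")
    severity = "high" if (not in_expected or not sig_ok) else "medium"
    return severity, reasons
```

Feed each Event ID 6 record to triage_driver_load; a gdrv.sys load from the expected directory still rates medium because the driver is blocklisted, while any load from elsewhere rates high.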

References