CVE-2018-19320
Gigabyte gdrv, arbitrary kernel read/write and MSR access via IOCTL
Summary
| Field | Value |
|---|---|
| Driver | gdrv.sys |
| Vendor | Gigabyte |
| Vulnerability Class | Arbitrary R/W / Physical Memory Mapping |
| Abused Version | Multiple versions shipped with Gigabyte App Center |
| Status | Blocklisted — included in Microsoft Vulnerable Driver Blocklist |
| Exploited ITW | Yes |
The Story
Gigabyte App Center is a system management utility bundled with Gigabyte motherboards, providing hardware monitoring, BIOS flashing, and hardware configuration. Its kernel component, gdrv.sys, gives the utility low-level hardware access through IOCTLs: physical memory read/write (the driver maps a caller-chosen physical range with MmMapIoSpace and copies to or from it), MSR read/write, and I/O port access. The device object is created with a permissive ACL, and none of the IOCTL handlers validate the caller's privilege or the requested address, so any local user who can open the device gets a ring-0 read/write primitive over all of physical memory.
Amit Moshel disclosed the vulnerability, and the advisory was subsequently published on the Full Disclosure mailing list (archived on seclists.org). What made this driver historically significant was its use by the RobbinHood ransomware operation. RobbinHood loaded gdrv.sys as the first stage of a BYOVD chain to disable security products before deploying ransomware, one of the earliest documented cases of a ransomware group using the technique in production operations. It established the pattern that has since become routine: a signed vendor driver used as a standard step in the deployment playbook.
BYOVD Context
- Driver signing: Authenticode-signed by Giga-Byte Technology with a valid certificate
- Vulnerable Driver Blocklist: Included in Microsoft's recommended driver block rules
- HVCI behavior: Blocked on HVCI-enabled systems via the blocklist
- KDU integration: Integrated as a KDU provider
- LOLDrivers: Listed at loldrivers.io
Affected IOCTLs
- Arbitrary physical memory read via MmMapIoSpace
- Arbitrary physical memory write via MmMapIoSpace
- MSR read/write (RDMSR/WRMSR)
- I/O port access
How It Gets Exploited
The exploitation path is the standard vendor-utility BYOVD pattern. The attacker drops gdrv.sys on the target, registers and starts it as a kernel service (which needs administrator rights, the usual starting point for BYOVD; where App Center has already installed the driver, any local user can drive it), opens a handle to its device, and uses the physical memory read/write IOCTLs to walk the page tables and locate kernel structures such as the EPROCESS list. Copying the SYSTEM process's token pointer into the attacker process's EPROCESS completes the escalation.
In the RobbinHood campaign the chain went further. The operators used the kernel write primitive to patch the code-integrity configuration in memory and switch off Driver Signature Enforcement, then loaded a second, unsigned driver of their own (rbnl.sys) that terminated security-product processes and deleted their files, clearing the way for the ransomware payload. The entire sequence, from driver load to encryption, was automated in the malware.
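The page-table walk in the exploitation path above is ordinary x86-64 4-level paging driven by a physical read primitive. The following is an added example, not code from the original page or from Gigabyte or RobbinHood: it implements the walk over a constructed physical memory image (the `PhysMem` class, the `map_va` helper and all addresses are assumptions for the demo), including the 2 MiB and 1 GiB large-page cases the generic algorithm has to handle. Substitute a driver's physical read IOCTL for `read_qword` and the same function resolves real kernel virtual addresses.

```python
"""
x86-64 4-level page-table walk over a simulated physical address space.
Added example, not from the original page or Gigabyte's driver; the memory
image, table allocator and addresses below are constructed for the demo.
"""
import struct

PAGE = 0x1000
PRESENT = 1 << 0
LARGE_PAGE = 1 << 7                   # PS bit, valid in PDPTEs and PDEs
PFN_MASK = 0x000F_FFFF_FFFF_F000      # physical frame bits 12..51 of an entry
RW_PRESENT_FLAGS = 0x63               # P | RW | A | D, a typical kernel entry


class PhysMem:
    """Sparse simulated physical memory: dict of 4 KiB pages (constructed)."""

    def __init__(self, first_free=0x200000):
        self.pages = {}
        self.next_free = first_free   # bump allocator for fresh page tables

    def alloc_table(self):
        pa, self.next_free = self.next_free, self.next_free + PAGE
        self.pages[pa] = bytes(PAGE)
        return pa

    def read_qword(self, pa):
        page, off = pa & ~(PAGE - 1), pa & (PAGE - 1)
        return struct.unpack_from("<Q", self.pages.get(page, bytes(PAGE)), off)[0]

    def write_qword(self, pa, value):
        page, off = pa & ~(PAGE - 1), pa & (PAGE - 1)
        buf = bytearray(self.pages.get(page, bytes(PAGE)))
        struct.pack_into("<Q", buf, off, value)
        self.pages[page] = bytes(buf)


def table_indices(va):
    """PML4, PDPT, PD and PT indices of a 48-bit virtual address."""
    return [(va >> shift) & 0x1FF for shift in (39, 30, 21, 12)]


def va_to_pa(cr3, va, read_qword):
    """4-level walk using only a physical read primitive. Returns None if any
    level is not present; stops early on 1 GiB (PDPT) or 2 MiB (PD) large pages."""
    table = cr3 & PFN_MASK
    for level, idx in enumerate(table_indices(va)):
        entry = read_qword(table + idx * 8)
        if not entry & PRESENT:
            return None
        if level in (1, 2) and entry & LARGE_PAGE:
            shift = 30 if level == 1 else 21
            base = entry & PFN_MASK & ~((1 << shift) - 1)
            return base | (va & ((1 << shift) - 1))
        table = entry & PFN_MASK
    return table | (va & (PAGE - 1))


def map_va(mem, cr3, va, pa, large=False):
    """Install va -> pa in the simulated tables (a 2 MiB PDE when large=True)."""
    idx = table_indices(va)
    depth = 2 if large else 3          # level holding the leaf entry
    table = cr3
    for level in range(depth):
        entry = mem.read_qword(table + idx[level] * 8)
        if not entry & PRESENT:
            entry = mem.alloc_table() | RW_PRESENT_FLAGS
            mem.write_qword(table + idx[level] * 8, entry)
        table = entry & PFN_MASK
    leaf = pa | RW_PRESENT_FLAGS | (LARGE_PAGE if large else 0)
    mem.write_qword(table + idx[depth] * 8, leaf)


def demo():
    """Constructed layout: one 4 KiB kernel page, one 2 MiB large page, one hole."""
    mem = PhysMem()
    cr3 = mem.alloc_table()
    map_va(mem, cr3, 0xFFFFF80012345678, 0x7FFFE000)
    map_va(mem, cr3, 0xFFFFF80080001234, 0x40000000, large=True)
    return (
        va_to_pa(cr3, 0xFFFFF80012345678, mem.read_qword),   # 0x7FFFE678
        va_to_pa(cr3, 0xFFFFF80080001234, mem.read_qword),   # 0x40001234
        va_to_pa(cr3, 0xFFFFF80000000000, mem.read_qword),   # None: no PDE
    )


if __name__ == "__main__":
    for res in demo():
        print(hex(res) if res is not None else None)
```

Against a live target the only thing that changes is `read_qword`: it becomes a call into the driver's physical-read IOCTL, and `cr3` comes from the System process's directory table base, which is itself found by reading the same way.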
Detection
YARA Rule
```yara
rule CVE_2018_19320_gdrv {
    meta:
        description = "Detects Gigabyte gdrv.sys vulnerable driver"
        cve = "CVE-2018-19320"
        author = "KernelSight"
        severity = "critical"
    strings:
        $mz = { 4D 5A }
        $driver_name = "gdrv" wide ascii nocase
        $gigabyte = "Giga-Byte" wide ascii
    condition:
        // Triage rule: both strings are required, because either one alone
        // matches every Gigabyte-signed binary or any file mentioning "gdrv".
        // Confirm hits against the file hashes published at loldrivers.io.
        $mz at 0 and $driver_name and $gigabyte
}
```
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of gdrv.sys |
| Microsoft-Windows-Security-Auditing | Event 4697 — Service installed | Service creation for gdrv.sys |
| Sysmon | Event ID 6 — Driver loaded | Captures hash and signature |
| Microsoft-Windows-Kernel-Process | Process token modification | Post-exploitation token swap |
Behavioral Indicators
- Loading of gdrv.sys outside of the Gigabyte App Center installation directory
- Physical memory read/write IOCTL sequences from non-Gigabyte processes
- Service creation for a Gigabyte driver by a non-Gigabyte utility
- Process privilege escalation following gdrv.sys driver interaction
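The ETW and behavioral indicators above reduce to a few checks over driver-load and service-install records. The block below is an added example, not code from the original page or from any vendor: it runs those checks over constructed Sysmon Event ID 6 and Security Event 4697 records (dicts of parsed EventData fields). The App Center directory and the blocklist hash are placeholders to replace with the paths seen in your environment and the hashes published at loldrivers.io. Note that 4697 records the subject account, not the creating process, so for the service-creation indicator the binary path is the usable discriminator.

```python
"""
Triage over Sysmon Event ID 6 and Security Event 4697 records.
Added example, not from the original page or any vendor. Events are dicts of
parsed EventData fields, constructed for the demo; the expected install
directory and the blocklist hash are placeholders.
"""
import ntpath

TARGET_DRIVER = "gdrv.sys"
# Assumption: where a legitimate App Center install keeps its driver.
EXPECTED_DIRS = (r"c:\program files (x86)\gigabyte\appcenter",)
# Placeholder hash (constructed). Load real values from loldrivers.io or the
# Microsoft vulnerable driver blocklist; the vendor's own copy is on that list.
BLOCKLISTED_SHA256 = {"00" * 32: "gdrv.sys (CVE-2018-19320)"}


def parse_hashes(field):
    """Sysmon 'Hashes' field, e.g. 'SHA1=..,MD5=..,SHA256=..' -> dict."""
    out = {}
    for part in field.split(","):
        algo, sep, digest = part.partition("=")
        if sep:
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def in_expected_dir(path):
    """True when the driver sits under a known App Center directory."""
    p = ntpath.normpath(path.strip('"')).lower()
    return any(p.startswith(d + "\\") for d in EXPECTED_DIRS)


def check_driver_load(ev):
    """Sysmon Event ID 6 (driver loaded). Returns a list of alert strings."""
    image = ev.get("ImageLoaded", "")
    base = ntpath.basename(image).lower()
    alerts = []
    digest = parse_hashes(ev.get("Hashes", "")).get("SHA256")
    if digest in BLOCKLISTED_SHA256:
        alerts.append(f"blocklisted driver loaded: {image} [{BLOCKLISTED_SHA256[digest]}]")
    if base == TARGET_DRIVER and not in_expected_dir(image):
        alerts.append(f"{TARGET_DRIVER} loaded from outside the App Center directory: {image}")
    return alerts


def check_service_install(ev):
    """Security Event 4697 (service installed): flag a gdrv.sys kernel service
    whose binary path is not the vendor install directory."""
    path = ev.get("ServiceFileName", "")
    if ntpath.basename(path.strip('"')).lower() != TARGET_DRIVER:
        return []
    if in_expected_dir(path):
        return []
    return [f"kernel service '{ev.get('ServiceName')}' created for {TARGET_DRIVER} "
            f"at {path} by {ev.get('SubjectDomainName')}\\{ev.get('SubjectUserName')}"]


CHECKS = {6: check_driver_load, 4697: check_service_install}


def triage(events):
    """Return (EventID, alert) pairs for every record that trips a rule."""
    hits = []
    for ev in events:
        for msg in CHECKS.get(ev.get("EventID"), lambda _: [])(ev):
            hits.append((ev["EventID"], msg))
    return hits


SAMPLE_EVENTS = [  # constructed records, not captured from a real host
    {"EventID": 6, "ImageLoaded": r"C:\Program Files (x86)\GIGABYTE\AppCenter\gdrv.sys",
     "Hashes": "SHA256=" + "00" * 32, "Signature": "Giga-Byte Technology Co., Ltd.",
     "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\gdrv.sys",
     "Hashes": "SHA256=" + "00" * 32, "Signature": "Giga-Byte Technology Co., Ltd.",
     "SignatureStatus": "Valid"},
    {"EventID": 4697, "SubjectUserName": "Administrator", "SubjectDomainName": "CORP",
     "ServiceName": "gdrv", "ServiceFileName": r"C:\Windows\Temp\gdrv.sys",
     "ServiceType": "0x1", "ServiceStartType": "3"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Hashes": "SHA256=" + "11" * 32, "Signature": "Microsoft Windows",
     "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for event_id, msg in triage(SAMPLE_EVENTS):
        print(event_id, msg)
```

The sample deliberately gives the vendor-directory copy and the `C:\Windows\Temp` copy the same hash: the blocklist rule fires on both, because the legitimate driver is what the blocklist lists, and it is the path and service-creation rules that separate a BYOVD staging from an App Center install. The signature is valid in every gdrv.sys record, so signature status is not a useful discriminator for this driver.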
Broader Significance
CVE-2018-19320 marks one of the first documented cases of ransomware operators adopting BYOVD as a standard operational technique. The RobbinHood campaign demonstrated that BYOVD is not just a theoretical concern or a red team tool; it is a practical technique used by financially motivated threat actors at scale. After RobbinHood, the use of signed vulnerable drivers became a routine step in ransomware playbooks, appearing in campaigns by BlackByte, Cuba, and many others.