CVE-2019-16098
MSI RTCore64 — physical memory R/W, MSR access, and I/O port access via IOCTL
Summary
| Field | Value |
|---|---|
| Driver | RTCore64.sys |
| Vendor | MSI (Micro-Star International) |
| Vulnerability Class | Arbitrary R/W / Physical Memory Mapping |
| Abused Version | 4.6.2 (shipped with MSI Afterburner) |
| Status | Blocklisted — included in Microsoft Vulnerable Driver Blocklist |
| Exploited ITW | Yes |
BYOVD Context
- Driver signing: Authenticode-signed by Micro-Star International with valid certificate
- Vulnerable Driver Blocklist: Included in Microsoft's recommended driver block rules
- HVCI behavior: Blocked on HVCI-enabled systems via the blocklist
- KDU integration: Integrated as a KDU provider (one of the earliest)
- LOLDrivers: Listed at loldrivers.io with multiple hash variants
Affected IOCTLs
- `0x80002048` — Read physical memory (MmMapIoSpace)
- `0x8000204C` — Write physical memory (MmMapIoSpace)
- `0x80002050` — Read MSR (RDMSR)
- `0x80002054` — Write MSR (WRMSR)
- `0x80002058` — Read I/O port (IN)
- `0x8000205C` — Write I/O port (OUT)
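Added example (not code from the advisory or from MSI): the six codes above decoded into their Windows CTL_CODE fields. Seeing the fields shows that all six share device type 0x8000, METHOD_BUFFERED and FILE_ANY_ACCESS and differ only in the function number (0x812 to 0x817), which lets a telemetry filter match structurally instead of on a raw numeric range. The `rtcore64_filter` predicate is derived from those decoded values here and is an assumption about what a precise rule should look like, not something the driver documents.

```python
# Added example: decode RTCore64 IOCTL codes into CTL_CODE components.
# Layout of a 32-bit IOCTL: DeviceType (16 bits) | Access (2) | Function (12) | Method (2)

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# The codes listed in the advisory and the operation each one performs.
RTCORE64_IOCTLS = {
    0x80002048: "read physical memory (MmMapIoSpace)",
    0x8000204C: "write physical memory (MmMapIoSpace)",
    0x80002050: "read MSR (RDMSR)",
    0x80002054: "write MSR (WRMSR)",
    0x80002058: "read I/O port (IN)",
    0x8000205C: "write I/O port (OUT)",
}


def decode_ctl_code(code: int) -> dict:
    """Split an IOCTL code into its CTL_CODE fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
    }


def classify_ioctl(code: int):
    """Exact match: the RTCore64 operation name for a listed code, else None."""
    return RTCORE64_IOCTLS.get(code)


def rtcore64_filter(code: int) -> bool:
    """Structural match derived from the decoded codes (assumed rule shape):
    vendor device type 0x8000, function 0x812..0x817, METHOD_BUFFERED.
    Unlike a plain range check on 0x80002048..0x8000205C it rejects codes
    such as 0x80002049, whose method bits differ."""
    f = decode_ctl_code(code)
    return (f["device_type"] == 0x8000
            and 0x812 <= f["function"] <= 0x817
            and f["method"] == "METHOD_BUFFERED")


if __name__ == "__main__":
    for code, op in RTCORE64_IOCTLS.items():
        f = decode_ctl_code(code)
        print(f"{code:#010x} dev={f['device_type']:#06x} fn={f['function']:#05x} "
              f"{f['method']} {f['access']} -> {op}")
```

The decode makes the blocklist/EDR rule auditable: a reviewer can confirm that the rule keys on the vendor device type and function numbers rather than on a numeric range that also covers codes the driver never dispatches.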
Root Cause
RTCore64.sys is the kernel-mode driver for MSI Afterburner, a popular GPU overclocking and monitoring utility. The driver provides hardware access for reading GPU temperatures, adjusting fan speeds, and modifying GPU clock settings. To accomplish this, it exposes IOCTLs for direct physical memory access (via MmMapIoSpace), MSR read/write (via RDMSR/WRMSR), and I/O port access (via IN/OUT instructions).
The driver's device object (\Device\RTCore64) is created without restrictive ACLs, allowing any user to open a handle. Each IOCTL accepts user-controlled address/offset and size parameters without any validation or restriction. The physical memory R/W IOCTLs call MmMapIoSpace with the user-supplied physical address, map it to a kernel virtual address, perform the copy, and unmap — effectively providing arbitrary physical memory access.
Exploitation
The physical memory R/W IOCTLs provide direct arbitrary access to all physical memory. The typical exploitation flow:
- Load `RTCore64.sys` and open `\\.\RTCore64`
- Use the physical memory read IOCTL to scan physical memory for the kernel base or known structures
- Translate virtual addresses to physical using the page table hierarchy (also readable via the physical memory IOCTL)
- Locate the current process's EPROCESS structure
- Copy the SYSTEM process token and overwrite the current process's token
- Alternatively, use MSR write to redirect syscalls (write to IA32_LSTAR) for code execution
Barakat's PoC (GitHub) demonstrates the straightforward exploitation. The swapcontext blog "Unwinding RTCore" provides detailed reverse engineering of the IOCTL dispatch.
BlackByte ransomware used RTCore64.sys to disable EDR kernel callbacks before deploying ransomware. Cuba ransomware also leveraged this driver.
Detection
YARA Rule
```yara
rule CVE_2019_16098_RTCore64 {
    meta:
        description = "Detects MSI RTCore64.sys vulnerable driver"
        cve = "CVE-2019-16098"
        author = "KernelSight"
        severity = "critical"
    strings:
        $mz = { 4D 5A }
        $driver_name = "RTCore64" wide ascii nocase
        $device = "\\Device\\RTCore64" wide ascii
        $msi = "Micro-Star" wide ascii
    condition:
        $mz at 0 and $driver_name and ($device or $msi)
}
```
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of RTCore64.sys from non-standard paths |
| Microsoft-Windows-Security-Auditing | Event 4697 — Service installed | Service creation for RTCore64.sys driver |
| Sysmon | Event ID 6 — Driver loaded | Captures driver hash and signature info |
| Microsoft-Windows-Kernel-Process | Process token modification | Token swap after exploitation |
Behavioral Indicators
- Loading of `RTCore64.sys` from a path unrelated to the MSI Afterburner installation
- `DeviceIoControl` calls with IOCTL codes `0x80002048`–`0x8000205C` from non-MSI processes
- Rapid physical memory read operations spanning the kernel address range
- Process escalation to SYSTEM following RTCore64 driver load and IOCTL activity
- EDR callback zeroing observed after RTCore64 driver interaction (BlackByte pattern)
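Added example (not code from the advisory, KernelSight or MSI): a single correlation pass that turns the ETW and behavioral indicators above into alerts over constructed telemetry. The `ImageLoaded` and `Signature` fields mirror Sysmon Event ID 6; the `ioctl` and `user_change` record shapes, the Afterburner install directory, the PIDs, timestamps and paths in the sample, and the 50-read burst threshold are all assumptions made for this example and are not real IoCs.

```python
# Added example: correlate driver-load, DeviceIoControl and token-change
# telemetry for the RTCore64 behavioral indicators. Record shapes other
# than the Sysmon Event 6 fields are assumptions made for this example.
import ntpath

RTCORE64_IOCTLS = {0x80002048, 0x8000204C, 0x80002050,
                   0x80002054, 0x80002058, 0x8000205C}
RTCORE64_PHYSMEM_READ = 0x80002048
EXPECTED_DIR = r"c:\program files (x86)\msi afterburner"  # assumed install path
PHYSMEM_READ_BURST = 50  # assumed threshold for "rapid" physical reads

# Constructed sample telemetry (paths, PIDs and timestamps are invented).
EVENTS = [
    {"type": "driver_load", "t": 1,
     "ImageLoaded": r"C:\Program Files (x86)\MSI Afterburner\RTCore64.sys",
     "Signature": "Micro-Star International"},
    {"type": "ioctl", "t": 2, "pid": 1200,
     "image": r"C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe",
     "code": 0x80002050},
    {"type": "driver_load", "t": 100,
     "ImageLoaded": r"C:\Windows\Temp\RTCore64.sys",
     "Signature": "Micro-Star International"},
    *[{"type": "ioctl", "t": 101 + i, "pid": 4242,
       "image": r"C:\Users\Public\updater.exe", "code": RTCORE64_PHYSMEM_READ}
      for i in range(60)],
    {"type": "ioctl", "t": 170, "pid": 4242,
     "image": r"C:\Users\Public\updater.exe", "code": 0x8000204C},
    {"type": "user_change", "t": 171, "pid": 4242,
     "old": r"DESKTOP\alice", "new": r"NT AUTHORITY\SYSTEM"},
]


def under_expected_dir(path: str) -> bool:
    """True when the path sits below the assumed Afterburner install directory."""
    return ntpath.normpath(path).lower().startswith(EXPECTED_DIR)


def analyze(events):
    """Return (severity, pid_or_None, message) alerts in time order."""
    alerts = []
    ioctl_pids = set()   # processes that issued RTCore64 IOCTLs from outside MSI
    reads = {}           # pid -> count of physical-memory read IOCTLs
    for e in sorted(events, key=lambda e: e["t"]):
        if e["type"] == "driver_load":
            # Indicator: RTCore64.sys loaded from a non-standard path.
            if (ntpath.basename(e["ImageLoaded"]).lower() == "rtcore64.sys"
                    and not under_expected_dir(e["ImageLoaded"])):
                alerts.append(("high", None,
                               f"RTCore64.sys loaded from unexpected path "
                               f"{e['ImageLoaded']} (signer: {e['Signature']})"))
        elif e["type"] == "ioctl" and e["code"] in RTCORE64_IOCTLS:
            # Indicator: RTCore64 IOCTL codes from a non-MSI process (once per pid).
            if not under_expected_dir(e["image"]):
                if e["pid"] not in ioctl_pids:
                    alerts.append(("high", e["pid"],
                                   f"non-MSI process {e['image']} issued "
                                   f"RTCore64 IOCTL {e['code']:#010x}"))
                ioctl_pids.add(e["pid"])
            # Indicator: rapid physical-memory reads.
            if e["code"] == RTCORE64_PHYSMEM_READ:
                reads[e["pid"]] = reads.get(e["pid"], 0) + 1
                if reads[e["pid"]] == PHYSMEM_READ_BURST:
                    alerts.append(("high", e["pid"],
                                   f"pid {e['pid']} issued {PHYSMEM_READ_BURST} "
                                   f"physical-memory reads"))
        elif (e["type"] == "user_change" and e["pid"] in ioctl_pids
              and e["new"].upper().endswith("SYSTEM")):
            # Indicator: escalation to SYSTEM after RTCore64 IOCTL activity.
            alerts.append(("critical", e["pid"],
                           f"pid {e['pid']} became {e['new']} after RTCore64 IOCTL activity"))
    return alerts


if __name__ == "__main__":
    for sev, pid, msg in analyze(EVENTS):
        print(f"[{sev}] {msg}")
```

The pass deliberately keys the driver-load check on file name and load path rather than on the signer, because the signature on RTCore64.sys is legitimate; the escalation alert is only raised for a process that has already been seen issuing RTCore64 IOCTLs, which keeps ordinary service starts as SYSTEM out of the critical tier.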