
CVE-2019-8372

LG Device Manager LHA — arbitrary kernel write via insufficient IOCTL validation

Summary

  • Driver: LG LSB driver (lha.sys / LgCoreTemp.sys)
  • Vendor: LG Electronics
  • Vulnerability class: arbitrary kernel write via missing IOCTL input validation (access control)
  • Abused versions: the driver builds shipped with LG Device Manager
  • Status: driver withdrawn (removed from LG software); systems with an old install may still carry the signed binary
  • Exploited in the wild: no known cases

BYOVD Context

  • Driver signing: Authenticode-signed by LG Electronics with valid certificate
  • Vulnerable Driver Blocklist: Not included in Microsoft's recommended driver block rules
  • HVCI behavior: May load on HVCI-enabled systems if not hash-blocked
  • KDU integration: Not integrated
  • LOLDrivers: Listed at loldrivers.io

Affected IOCTLs

  • Arbitrary kernel memory write via IOCTL with user-controlled address and value

Root Cause

The LG Device Manager ships a kernel driver that provides hardware access for laptop management features (temperature monitoring, power management). The driver exposes an IOCTL that allows writing to arbitrary kernel memory addresses. The user-supplied buffer contains a target address and value, and the driver writes the value to the address without any validation.

Jackson Thuraisamy documented the vulnerability discovery in detail at jackson-t.ca, demonstrating how the IOCTL could be used for local privilege escalation.

Exploitation

The arbitrary write primitive is turned into a SYSTEM shell in the usual way:

  1. Open the device object. Its ACL permits unprivileged callers, so no elevation is needed to get a handle.
  2. Send the write IOCTL with a kernel address and the value to store there. The request needs the address of the current thread's KTHREAD, which a medium-integrity process can obtain from the handle table enumeration exposed by NtQuerySystemInformation.
  3. Overwrite the PreviousMode byte of the current KTHREAD with KernelMode (0). The primitive must write a single byte, or the write will clobber the neighbouring fields.
  4. Call NtReadVirtualMemory / NtWriteVirtualMemory on the current process. With PreviousMode set to KernelMode the probe of user-supplied addresses is skipped, so these ordinary syscalls now read and write any kernel address.
  5. Copy the Token pointer from the SYSTEM process's EPROCESS into the current process's EPROCESS (token swap), then restore PreviousMode to UserMode before returning, or the next syscall will bugcheck the machine.
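The handler pattern described under Root Cause and the PreviousMode sequence in the steps above, as an added user-mode model. This is example code, not the LG driver and not the code from the jackson-t.ca write-up: the IOCTL code, the request layout, the KTHREAD offset and the flat "kernel" arena are all assumptions chosen so that it compiles and runs without a Windows kernel. It puts the vulnerable handler beside a hardened one, and shows why one byte written to PreviousMode makes an unchanged syscall behave as a kernel read primitive.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical IOCTL code and request layout: the page gives neither, and
 * the real driver's values are not reproduced here. */
#define IOCTL_MODEL_WRITE 0x222000u
typedef struct {
    uint64_t target;  /* kernel virtual address chosen by the caller */
    uint64_t value;   /* bytes to store there (little-endian, as on Windows) */
    uint32_t width;   /* 1, 2, 4 or 8 */
} write_request_t;

/* A flat, user-mode "kernel" address space so the model runs anywhere. */
static _Alignas(8) uint8_t g_kernel[4096];
static int in_kernel_range(uintptr_t a, size_t n)
{
    uintptr_t base = (uintptr_t)g_kernel, limit = base + sizeof g_kernel;
    return a >= base && a < limit && n <= limit - a;
}

/* Stand-in for the KTHREAD fields the technique touches.  The real
 * PreviousMode offset varies by Windows build; 0x232 is illustrative only. */
#define PREVIOUS_MODE_OFFSET 0x232
enum { KernelMode = 0, UserMode = 1 };
static uint8_t  *previous_mode(void) { return g_kernel + PREVIOUS_MODE_OFFSET; } /* KTHREAD at arena start */
static uint64_t *kernel_secret(void) { return (uint64_t *)(g_kernel + 0x800); } /* kernel-only data */

/* The bug class described under Root Cause: the handler stores the caller's
 * value at the caller's address with no check on where that address points. */
int vulnerable_write_ioctl(uint32_t code, const void *in, size_t in_len)
{
    write_request_t req;
    if (code != IOCTL_MODEL_WRITE || in_len < sizeof req) return -1;
    memcpy(&req, in, sizeof req);
    if (req.width != 1 && req.width != 2 && req.width != 4 && req.width != 8) return -1;
    memcpy((void *)(uintptr_t)req.target, &req.value, req.width);   /* arbitrary write */
    return 0;
}

/* A hardened handler: writes are confined to a window the driver itself owns
 * (a modelled MMIO/register range), so a caller-chosen address is never used. */
static _Alignas(8) uint8_t g_device_window[64];
int hardened_write_ioctl(uint32_t code, const void *in, size_t in_len)
{
    write_request_t req;
    if (code != IOCTL_MODEL_WRITE || in_len < sizeof req) return -1;
    memcpy(&req, in, sizeof req);
    if (req.width != 1 && req.width != 2 && req.width != 4 && req.width != 8) return -1;
    uintptr_t t = (uintptr_t)req.target, lo = (uintptr_t)g_device_window;
    if (t < lo) return -1;
    size_t off = (size_t)(t - lo);
    if (off >= sizeof g_device_window || req.width > sizeof g_device_window - off) return -1;
    if (t % req.width != 0) return -1;                 /* natural alignment for register access */
    memcpy(g_device_window + off, &req.value, req.width);
    return 0;
}

/* Step 4 of the page: a syscall that validates its address arguments only
 * when the caller's PreviousMode says the call came from user mode. */
int model_NtReadVirtualMemory(uintptr_t src, void *dst, size_t len)
{
    if (*previous_mode() == UserMode && in_kernel_range(src, len))
        return -1;                       /* STATUS_ACCESS_VIOLATION for a user caller */
    memcpy(dst, (const void *)src, len);
    return 0;
}

/* Steps 2 to 4: a one-byte write flips the current thread to KernelMode and
 * the unchanged syscall becomes a kernel read primitive.  Returns 0 when the
 * read is blocked before the flip and succeeds after it; other values name
 * the step that failed. */
int escalate_read(uint64_t *out)
{
    *previous_mode() = UserMode;                    /* a normal user thread */
    *kernel_secret() = 0x4141414141414141ULL;       /* constructed value to read back */
    if (model_NtReadVirtualMemory((uintptr_t)kernel_secret(), out, sizeof *out) == 0)
        return 1;                                   /* the probe should have blocked this */
    write_request_t req = { (uint64_t)(uintptr_t)previous_mode(), KernelMode, 1 };
    if (vulnerable_write_ioctl(IOCTL_MODEL_WRITE, &req, sizeof req) != 0)
        return 2;
    if (model_NtReadVirtualMemory((uintptr_t)kernel_secret(), out, sizeof *out) != 0)
        return 3;
    *previous_mode() = UserMode;                    /* restore, as a real exploit must */
    return 0;
}

int main(void)
{
    uint64_t v = 0;
    int rc = escalate_read(&v);
    printf("escalate_read: rc=%d value=0x%016llx\n", rc, (unsigned long long)v);
    write_request_t bad = { (uint64_t)(uintptr_t)previous_mode(), KernelMode, 1 };
    printf("hardened handler rejects the same request: %d\n",
           hardened_write_ioctl(IOCTL_MODEL_WRITE, &bad, sizeof bad));
    return rc;
}
```

The hardened variant is the shape a legitimate hardware-access IOCTL should take: the caller selects an offset inside a window the driver mapped for its own device, never a raw address, and the driver checks width, bounds and alignment before touching it. The device object's ACL is a separate control and is not modelled here.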

Detection

YARA Rule

rule CVE_2019_8372_LG_Driver {
    meta:
        description = "Detects the LG LHA / LgCoreTemp vulnerable kernel driver (CVE-2019-8372)"
        cve = "CVE-2019-8372"
        author = "KernelSight"
        severity = "high"
    strings:
        $lha = "lha.sys" wide ascii nocase
        $lg_core = "LgCoreTemp" wide ascii nocase
        $lg = "LG Electronics" wide ascii
    condition:
        // PE header plus the vendor string plus one of the driver names.
        // The vendor string on its own would match every LG-signed binary
        // on the host, so it is required together with a driver name rather
        // than accepted as an alternative to one.
        uint16(0) == 0x5A4D and $lg and ($lha or $lg_core)
}

Name-based matching is only a triage aid: pin the alert to the SHA-256 of the driver build actually seen on the host, and use that hash for blocking.

ETW Indicators

  • Microsoft-Windows-Kernel-File: driver image load. Records the LG driver being loaded.
  • Sysmon: Event ID 6 (Driver loaded). Captures the image path, hashes and signer, which is what a hash-based block rule and the YARA match above should be correlated with.
  • Microsoft-Windows-Security-Auditing: Event 4697 (A service was installed in the system). Creation of the kernel service that loads the driver.
  • Microsoft-Windows-Kernel-Process: process token modification. Post-exploitation token swap.

Behavioral Indicators

  • Loading of LG kernel driver outside of LG Device Manager installation
  • Arbitrary write IOCTL calls from non-LG processes
  • PreviousMode modification on the current thread following IOCTL interaction
  • Privilege escalation from medium to SYSTEM integrity after driver interaction

References