CVE-2023-1676
DriverGenius mydrivers64, arbitrary MSR write and physical memory R/W via IOCTL
Summary
| Field | Value |
|---|---|
| Driver | mydrivers64.sys |
| Vendor | DriverGenius (drivergenius.com) |
| Vulnerability Class | Arbitrary R/W / MSR Write / Physical Memory Mapping |
| Abused Version | 9.2.707.1214 (DriverGenius 9.70.0.346) |
| Status | Still loadable — not widely blocklisted |
| Exploited ITW | No |
The Story
DriverGenius is a driver management and system information utility, and its kernel component mydrivers64.sys follows a familiar pattern: it provides hardware access for system inventory and driver detection, and in doing so, exposes IOCTLs that give any user on the system the ability to write arbitrary MSRs and access arbitrary physical memory.
What makes this case notable is the sheer number of CVEs from a single driver. zeze-zeze reported four distinct vulnerabilities: CVE-2023-1676 (arbitrary MSR write), CVE-2023-1679 (physical memory read/write), CVE-2023-1677 (NULL pointer dereference), and CVE-2023-1678 (another NULL pointer dereference). The MSR write and physical memory access are the exploitable ones; the NULL dereferences are denial-of-service.
The driver is not widely blocklisted, making it a potentially useful BYOVD candidate for attackers who want to avoid the better-known drivers that trigger Defender alerts.
BYOVD Context
- Driver signing: Authenticode-signed by DriverGenius with valid certificate
- Vulnerable Driver Blocklist: Not included in Microsoft's recommended driver block rules
- HVCI behavior: May load on HVCI-enabled systems if not hash-blocked
- KDU integration: Not integrated
- LOLDrivers: Not widely listed
Affected IOCTLs
- 0x9C402088 — Arbitrary MSR write (WRMSR) with user-controlled register index and value
- 0x9C406104 — Physical memory read at user-controlled address
- 0x9C40A108 — Physical memory write at user-controlled address
Two Exploitation Paths
MSR-based kernel execution (CVE-2023-1676)
The MSR write IOCTL (0x9C402088) calls __writemsr with user-controlled register index and value parameters. The standard attack: write to IA32_LSTAR (MSR 0xC0000082) to redirect the syscall entry point, then trigger a syscall to execute attacker-controlled code in ring 0. The zeze-zeze PoC includes both writemsr.cpp (raw MSR write) and ArbitraryKernelExecution.cpp (full msrexec-based kernel code execution).
Physical memory access (CVE-2023-1679)
IOCTLs 0x9C406104 and 0x9C40A108 provide arbitrary physical memory read and write respectively. The driver maps physical memory at user-controlled addresses without range validation. The PoC (ReadWriteArbitraryPhysicalMemory.cpp) demonstrates reading physical address 0x0 and writing 0xdeadbeef to confirm the arbitrary access. From there, page table walking and EPROCESS token swapping follow the standard BYOVD pattern.
Detection
YARA Rule
```yara
rule CVE_2023_1676_mydrivers64 {
    meta:
        description = "Detects DriverGenius mydrivers64.sys vulnerable driver"
        cve = "CVE-2023-1676"
        author = "KernelSight"
        severity = "critical"
    strings:
        $mz = { 4D 5A }
        $driver_name = "mydrivers64" wide ascii nocase
        $drivergenius = "DriverGenius" wide ascii nocase
        $mydriver = "mydrivers" wide ascii
    condition:
        $mz at 0 and ($driver_name or $drivergenius or $mydriver)
}
```
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of mydrivers64.sys |
| Sysmon | Event ID 6 — Driver loaded | Hash and signature capture |
| Microsoft-Windows-Security-Auditing | Event 4697 — Service installed | Service creation for DriverGenius driver |
| Microsoft-Windows-Kernel-Process | Process token modification | Post-exploitation token swap |
Behavioral Indicators
- Loading of mydrivers64.sys from outside the DriverGenius installation directory
- IOCTL 0x9C402088 (MSR write) from non-DriverGenius processes, especially targeting IA32_LSTAR
- Physical memory R/W IOCTLs (0x9C406104, 0x9C40A108) from unknown processes
- Service creation for DriverGenius driver by a non-DriverGenius utility
- Privilege escalation following mydrivers64 driver interaction
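As an added example (not code from this advisory or from DriverGenius), the Python below decodes the three IOCTL codes listed under Affected IOCTLs into their CTL_CODE fields and scores constructed Sysmon Event ID 6 and IOCTL telemetry records against the behavioral indicators above. The IOCTL telemetry record shape, the MsrIndex field and the vendor install directory are assumptions, not values from the page.

```python
# Added example; not code from the original advisory or from DriverGenius.
# Sysmon Event ID 6 field name ImageLoaded is real; the IOCTL telemetry
# record shape, the MsrIndex field and VENDOR_DIR are assumptions.

MYDRIVERS_IOCTLS = {          # codes listed on the page
    0x9C402088: "MSR write",
    0x9C406104: "physical memory read",
    0x9C40A108: "physical memory write",
}
IA32_LSTAR = 0xC0000082       # syscall entry MSR named on the page
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
ACCESS = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS", "FILE_READ_ACCESS|FILE_WRITE_ACCESS")
VENDOR_DIR = "c:\\program files (x86)\\drivergenius\\"   # assumed install path

def decode_ioctl(code: int) -> dict:
    """Split a Windows CTL_CODE: DeviceType<<16 | Access<<14 | Function<<2 | Method."""
    return {"device_type": code >> 16,
            "access": ACCESS[(code >> 14) & 3],
            "function": (code >> 2) & 0xFFF,
            "method": METHODS[code & 3]}

def assess_driver_load(rec: dict) -> list:
    """Sysmon Event ID 6 record -> indicator strings (empty list = nothing to flag)."""
    path = rec.get("ImageLoaded", "").lower()
    if not path.endswith("\\mydrivers64.sys") or path.startswith(VENDOR_DIR):
        return []
    return ["mydrivers64.sys loaded from outside the DriverGenius install directory"]

def assess_ioctl(rec: dict) -> list:
    """Assumed EDR record {Image, IoControlCode[, MsrIndex]} -> indicator strings."""
    code = rec.get("IoControlCode")
    if code not in MYDRIVERS_IOCTLS:
        return []
    hits = []
    if not rec.get("Image", "").lower().startswith(VENDOR_DIR):
        hits.append(f"{MYDRIVERS_IOCTLS[code]} IOCTL {code:#x} from non-DriverGenius process")
    if code == 0x9C402088 and rec.get("MsrIndex") == IA32_LSTAR:
        hits.append("MSR write targets IA32_LSTAR (syscall entry redirection)")
    return hits

# Constructed sample telemetry, not real captures.
SAMPLES = [
    {"ImageLoaded": "C:\\Program Files (x86)\\DriverGenius\\mydrivers64.sys"},
    {"ImageLoaded": "C:\\Users\\Public\\mydrivers64.sys"},
    {"Image": "C:\\Users\\Public\\tool.exe", "IoControlCode": 0x9C402088, "MsrIndex": IA32_LSTAR},
    {"Image": "C:\\Program Files (x86)\\DriverGenius\\DriverGenius.exe", "IoControlCode": 0x9C406104},
]
```

Decoding shows all three codes share the vendor device type 0x9C40 and METHOD_BUFFERED, which helps when writing broader rules for handles opened to this device rather than matching the three codes individually.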
Broader Significance
mydrivers64.sys is a case study in the long tail of BYOVD. While well-known drivers like RTCore64 and DBUtil are blocklisted and trigger Defender alerts, less prominent drivers from smaller vendors remain available for exploitation. The absence of mydrivers64.sys from the Vulnerable Driver Blocklist means attackers can deploy it without triggering the standard blocklist defenses. For defenders, this highlights the limitation of hash-based blocklists: they can only block drivers that have been cataloged, and the universe of signed vulnerable drivers extends far beyond the well-known examples.