CVE-2023-41444
iREC.sys — arbitrary kernel read/write via IOCTL
Summary
| Field | Value |
|---|---|
| Driver | iREC.sys |
| Vendor | iREC |
| Vulnerability Class | Arbitrary R/W / IOCTL Access Control |
| Abused Version | 1.0.0.0 |
| Status | Still loadable — not widely blocklisted |
| Exploited ITW | No |
BYOVD Context
- Driver signing: Authenticode-signed with valid certificate
- Vulnerable Driver Blocklist: Not included in Microsoft's recommended driver block rules
- HVCI behavior: May load on HVCI-enabled systems
- KDU integration: Not integrated
- LOLDrivers: Listed at loldrivers.io
Affected IOCTLs
- Arbitrary kernel virtual memory read
- Arbitrary kernel virtual memory write
- Physical memory mapping
Root Cause
iREC.sys is a kernel driver that exposes IOCTLs providing direct kernel memory read/write capabilities. The driver accepts user-controlled addresses and performs memory operations without access control validation. The device object is created with permissive security descriptors.
dru1d.ninja published a detailed exploit development writeup demonstrating the vulnerability discovery and exploitation methodology.
Exploitation
The arbitrary R/W IOCTLs allow direct kernel memory access:
- Load the signed iREC.sys driver
- Open a device handle
- Use read IOCTL to locate EPROCESS structures
- Use write IOCTL to swap the current process token with SYSTEM token
- Achieve privilege escalation
Detection
YARA Rule
```yara
rule CVE_2023_41444_iREC {
    meta:
        description = "Detects iREC.sys vulnerable driver"
        cve = "CVE-2023-41444"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "iREC" wide ascii nocase
        $irec_sys = "iREC.sys" wide ascii
    condition:
        $mz at 0 and ($driver_name or $irec_sys)
}
```
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of iREC.sys |
| Sysmon | Event ID 6 — Driver loaded | Hash and signature capture |
| Microsoft-Windows-Security-Auditing | Event 4697 — Service installed | Driver service creation |
| Microsoft-Windows-Kernel-Process | Process token modification | Post-exploitation token swap |
Behavioral Indicators
- Loading of iREC.sys from a non-standard path
- Kernel memory read/write IOCTL patterns from unknown processes
- Token swap following iREC driver interaction
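The ETW table and the behavioral indicators above can be turned into a small triage routine. The following is an added example, not KernelSight's tooling or code from the advisory: it applies the iREC.sys indicators to Sysmon Event ID 6 (driver loaded) and Security 4697 (service installed) records and flags loads from outside the default driver directories. The sample records are constructed, the field names follow Sysmon's and the Security log's event data (`ImageLoaded`, `Hashes`, `SignatureStatus`, `ServiceFileName`, `ServiceType`), and the known-vulnerable hash set is left empty because the advisory lists no hash; populate it from loldrivers.io or your own sample store before relying on that check.

```python
import re
from dataclasses import dataclass

# Placeholder: the advisory gives no hash for iREC.sys 1.0.0.0, so this set
# must be filled from loldrivers.io or a local sample store (assumption).
KNOWN_VULNERABLE_SHA256 = set()

# Anything outside these directories triggers the advisory's
# "non-standard path" indicator (assumes a default Windows install).
STANDARD_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

IREC_RE = re.compile(r"(^|[\\/])irec\.sys$", re.IGNORECASE)
SERVICE_KERNEL_DRIVER = 0x1  # ServiceType value for kernel drivers in 4697


@dataclass
class Finding:
    event_id: int
    reasons: list
    severity: str


def parse_hashes(hashes):
    """Split Sysmon's 'SHA256=...,MD5=...' field into {algo: hexdigest}."""
    out = {}
    for part in hashes.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def triage_event(evt):
    """Return a Finding if one record matches the advisory's indicators, else None."""
    eid = evt.get("EventID")
    if eid == 6:  # Sysmon: driver loaded
        image = evt.get("ImageLoaded", "")
        if not IREC_RE.search(image):
            return None
        reasons = ["iREC.sys driver load"]
        if not image.lower().startswith(STANDARD_DRIVER_DIRS):
            reasons.append("loaded from non-standard path")
        sha = parse_hashes(evt.get("Hashes", "")).get("SHA256")
        if sha and sha in KNOWN_VULNERABLE_SHA256:
            reasons.append("hash matches known vulnerable build")
        if evt.get("SignatureStatus", "").lower() != "valid":
            reasons.append("signature not reported valid")
        # A bare load of the signed driver is worth a look; extra indicators raise it.
        return Finding(6, reasons, "high" if len(reasons) > 1 else "medium")
    if eid == 4697:  # Security: a new service was installed
        path = evt.get("ServiceFileName", "")
        if not IREC_RE.search(path):
            return None
        reasons = ["service created for iREC.sys"]
        if int(str(evt.get("ServiceType", "0")), 16) == SERVICE_KERNEL_DRIVER:
            reasons.append("service type is kernel driver")
        return Finding(4697, reasons, "high")
    return None


def triage(events):
    """Run triage_event over a sequence of records and keep the hits."""
    return [f for f in (triage_event(e) for e in events) if f]


# Constructed sample records, not real telemetry; hashes are dummies.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\iREC.sys",
     "Hashes": "SHA256=" + "0" * 64, "Signature": "iREC", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "1" * 64, "Signature": "Microsoft Windows",
     "SignatureStatus": "Valid"},
    {"EventID": 4697, "ServiceName": "iREC",
     "ServiceFileName": r"\??\C:\Users\Public\iREC.sys", "ServiceType": "0x1"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\iREC.sys",
     "Hashes": "SHA256=" + "2" * 64, "Signature": "iREC", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.event_id, f.severity, "; ".join(f.reasons))
```

Because the driver is validly signed and not blocklisted, the signature check alone will not catch it; the path and service-creation context are what separate a BYOVD staging from a legitimate install, which is why a load from the default drivers directory is only rated medium here.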