CVE-2025-8061

LnvMSRIO.sys — Lenovo Dispatcher driver exposes unrestricted MSR and physical memory access

Summary

Field	Value
Driver	`LnvMSRIO.sys` (Lenovo Dispatcher 3.0 / 3.1)
Vendor	Lenovo
Vulnerability Class	Insufficient Access Control / Arbitrary MSR R/W / Physical Memory R/W
Exploited ITW	No (multiple public PoCs)
Status	Patched in v3.1.0.41 (September 2025); older versions still loadable

Root Cause

The Lenovo Dispatcher driver exposes IOCTL handlers with no access restrictions. Quarkslab identified four primitives:

MSR read -- read any MSR register, including IA32_LSTAR (0xC0000082) which stores the address of KiSystemCall64, defeating KASLR
MSR write -- overwrite any MSR register
Physical memory read -- map and read arbitrary physical addresses via MmMapIoSpace
Physical memory write -- map and write arbitrary physical addresses

The driver is signed by Lenovo and ships pre-installed on consumer notebooks.

Exploitation

Quarkslab published a two-part exploit series showing full SYSTEM escalation and rootkit capabilities:

Part 1: SYSTEM Escalation

KASLR bypass -- read IA32_LSTAR MSR to leak KiSystemCall64 address, compute kernel base
LSTAR overwrite -- overwrite IA32_LSTAR with address of token-stealing shellcode
Trigger syscall -- any syscall now redirects to the shellcode
Token theft -- shellcode walks _KPCR -> _KTHREAD -> _EPROCESS -> steals SYSTEM token
Restore LSTAR -- immediately restore the original KiSystemCall64 address to prevent BSOD

Part 2: Rootkit

The second blog builds a full kernel rootkit using the same driver primitives: hiding processes, intercepting callbacks, and maintaining persistence.

Exploitation Primitive

IOCTL 0x9c402084 → read IA32_LSTAR MSR → leak KiSystemCall64 → KASLR bypass
  → overwrite IA32_LSTAR with shellcode address
  → next syscall executes token-stealing shellcode
  → restore LSTAR → SYSTEM

Techniques Used

Technique	KernelSight Page
Token Swapping	Token Swapping
KASLR Bypass (MSR leak)	KASLR Bypasses
Direct IOCTL R/W	Direct IOCTL R/W