Decrement by one to rule them all: AsIO3.sys driver exploitation

June 27, 2025, 7:09 a.m.

Description

The article details the discovery and exploitation of two critical vulnerabilities in the AsIO3.sys driver, used by ASUS Armory Crate and AI Suite applications. The vulnerabilities, a stack-based buffer overflow and an authorization bypass, were found in the IRP_MJ_CREATE handler. The author demonstrates how to bypass the driver's authorization mechanism using hardlinks and develops a fully functional exploit that escalates local user privileges to NT SYSTEM. The exploit leverages a primitive that allows decrementing arbitrary memory values by one, which is used to modify the thread's PreviousMode and ultimately swap the security token with that of the SYSTEM process. The research highlights the importance of proper security design in kernel-mode components and the potential risks of relying on disallowed list approaches for driver functionality restrictions.

Date

  • Created: June 26, 2025, 5:27 p.m.
  • Published: June 26, 2025, 5:27 p.m.
  • Modified: June 27, 2025, 7:09 a.m.
