CVE-2019-16098
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, I/O ports, and MSRs. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code.
Analysis
The MSI Afterburner driver (RTCore64.sys/RTCore32.sys) version 4.6.2.15658 allows any authenticated Windows user to read and write arbitrary memory, I/O ports, and MSRs. This signed driver is abused as a Bring Your Own Vulnerable Driver (BYOVD) vector for privilege escalation, security product bypass, and kernel-level code execution.
Technical Context
The RTCore64.sys (64-bit) and RTCore32.sys (32-bit) drivers expose IOCTL handlers that let any caller who can open the device read and write arbitrary physical and virtual memory, access I/O ports, and read and write MSRs, and the device is reachable by any authenticated user. Because the driver carries a valid Micro-Star International signature, it passes Windows Driver Signature Enforcement, so an attacker does not need a signed driver of their own. Two abuse paths follow. On a host where MSI Afterburner is already installed, a standard user can send the IOCTLs to the loaded driver and escalate from user to kernel privileges. On any other host, an attacker who already holds administrator rights (loading a driver requires SeLoadDriverPrivilege) can drop the signed driver, often under a different file name, and load it to obtain kernel read/write primitives; this is the Bring Your Own Vulnerable Driver (BYOVD) case, and it is the one that driver blocklists and HVCI are meant to contain.
Affected Products
MSI Afterburner 4.6.2.15658
RTCore64.sys / RTCore32.sys driver
Remediation
Block the driver rather than rely on detection alone. Turn on the Microsoft Vulnerable Driver Blocklist (Windows Security > Device security > Core isolation; it is enforced automatically when Hypervisor-protected Code Integrity (HVCI) is on, and is on by default from Windows 11 22H2) or deploy a Windows Defender Application Control (WDAC) policy with deny rules for RTCore64.sys and RTCore32.sys. Deny by hash as well as by file name, because BYOVD tooling often drops the driver under another name. Enable HVCI; on its own it does not stop this driver from loading, but it keeps the kernel read/write primitive from being turned into unsigned kernel code execution. Monitor driver loads with Sysmon Event ID 6 (Driver loaded) or the equivalent ETW provider and alert on the driver's file name, hash, or signer, especially when combined with an unexpected load path. Where MSI Afterburner is legitimately installed, confirm the installed build no longer ships the affected driver version.
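The following is an added detection example, not code from vuln.today or MSI. It parses Sysmon Event ID 6 (Driver loaded) records in Windows event XML layout and flags the RTCore driver by file name and, independently, by SHA-256, so that a renamed copy is still caught. The sample events are constructed, the SHA-256 in BLOCKED_SHA256 is a placeholder rather than the real hash of RTCore64.sys 4.6.2.15658, and the signer string is an assumption; replace the hash set with the values from your own driver inventory.

```python
"""Hunt Sysmon driver-load events (Event ID 6) for the RTCore64/RTCore32 driver.

Added example, not code from vuln.today or MSI. The events below are constructed
samples in Windows event XML layout; the SHA-256 in BLOCKED_SHA256 is a placeholder
(assumption), not the real hash of RTCore64.sys 4.6.2.15658.
"""
import xml.etree.ElementTree as ET

# Namespace that Windows event XML (including Sysmon) uses.
_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# File names from the advisory, matched case-insensitively on the basename.
VULN_DRIVER_NAMES = {"rtcore64.sys", "rtcore32.sys"}

# Organization-maintained SHA-256 block list. Placeholder value (assumption): replace
# it with the hashes of the RTCore builds you actually want to catch.
BLOCKED_SHA256 = {"deadbeef" * 8}


def parse_event(xml_text):
    """Return (event_id, {DataName: value}) for one Windows event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=_NS))
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", _NS)}
    return event_id, data


def parse_hashes(field):
    """Sysmon writes hashes as 'SHA1=..,SHA256=..,IMPHASH=..'; key them by algorithm."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def classify_driver_load(xml_text):
    """Return a finding for a Sysmon Event ID 6 that loads the RTCore driver, else None.

    Name and hash are checked independently: BYOVD tooling frequently drops the
    driver under a different file name, which only the hash match catches.
    """
    event_id, data = parse_event(xml_text)
    if event_id != 6:  # only 'Driver loaded' events are of interest here
        return None
    image = data.get("ImageLoaded", "")
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    sha256 = parse_hashes(data.get("Hashes", "")).get("SHA256")
    reasons = []
    if basename in VULN_DRIVER_NAMES:
        reasons.append("file name matches CVE-2019-16098 driver")
    if sha256 in BLOCKED_SHA256:
        reasons.append("SHA256 on vulnerable-driver block list")
    if not reasons:
        return None
    return {"time": data.get("UtcTime", ""), "image": image, "sha256": sha256,
            "signed": data.get("Signed", ""), "signature": data.get("Signature", ""),
            "reasons": reasons}


def hunt(events):
    """Run classify_driver_load over a list of event XML strings; drop non-findings."""
    return [f for f in map(classify_driver_load, events) if f is not None]


def sysmon_event(event_id, image, sha256, signature="Micro-Star International CO., LTD."):
    """Build a constructed Sysmon event record (the signer string is an assumption)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-01-01 12:00:00.000</Data>
    <Data Name="ImageLoaded">{image}</Data>
    <Data Name="Hashes">SHA256={sha256},IMPHASH=00000000000000000000000000000000</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">{signature}</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>"""


# Constructed sample log: a normal Afterburner load, a renamed copy dropped by an
# attacker, a benign Microsoft driver, and an Event ID 7 (image load) that must be ignored.
SAMPLE_EVENTS = [
    sysmon_event(6, r"C:\Program Files (x86)\MSI Afterburner\RTCore64.sys", "deadbeef" * 8),
    sysmon_event(6, r"C:\Users\Public\helper.sys", "deadbeef" * 8),
    sysmon_event(6, r"C:\Windows\System32\drivers\tcpip.sys", "0" * 64, "Microsoft Windows"),
    sysmon_event(7, r"C:\Program Files (x86)\MSI Afterburner\RTCore64.sys", "deadbeef" * 8),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["time"], finding["image"], "; ".join(finding["reasons"]))
```

In production the XML strings would come from `Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -FilterXPath "*[System[EventID=6]]"` (or an exported .evtx converted to XML) rather than the constructed list; the second sample shows why the hash match matters, since the renamed copy would pass a name-only rule.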