CVE-2019-16098

Published: 11/09/2019 Updated: 21/07/2021
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 643
Vector (CVSS v2): AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, I/O ports, and MSRs. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code.
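The summary above makes two points a defender has to act on: the driver is legitimately signed, so a signature check will not flag it, and the page itself lists several projects that load it just to get kernel read/write (the BYOVD pattern). The following is an added detection example, not code from this page or from any of the repositories listed below. It scans Sysmon driver-load events (Event ID 6) for RTCore32.sys/RTCore64.sys by hash first (survives renaming) and by file name second. The log lines are a constructed, simplified key=value rendering of the Sysmon EID 6 fields (UtcTime, ImageLoaded, Hashes, Signed, Signature), not the real EVTX/XML layout, and every SHA256 value in the sample and in the blocklist is a placeholder, not a real file hash.

```python
"""Flag Sysmon driver-load events (Event ID 6) that reference the MSI
Afterburner RTCore32/RTCore64 drivers (CVE-2019-16098).

Added example, not code from the Vulmon page or from any repository it lists.
The log lines are a constructed, simplified key=value rendering of Sysmon
EID 6 fields, not the real EVTX/XML layout, and every SHA256 below is a
placeholder, not a real file hash.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# File names the CVE description identifies as the vulnerable component.
VULNERABLE_DRIVER_NAMES = {"rtcore64.sys", "rtcore32.sys"}

# Placeholder hashes standing in for a real blocklist (for example one derived
# from the Microsoft vulnerable driver blocklist). Assumed values, not real ones.
HASH_BLOCKLIST: Set[str] = {
    "deadbeef" * 8,  # placeholder for RTCore64.sys 4.6.2.15658
    "cafef00d" * 8,  # placeholder for RTCore32.sys 4.6.2.15658
}

# Constructed sample: four driver loads and one unrelated process-create event.
SAMPLE_LOG = [
    'EventID=6 UtcTime="2023-05-02 09:14:31.120" '
    'ImageLoaded="C:\\Windows\\System32\\drivers\\ntfs.sys" '
    'Hashes="SHA256=' + "11" * 32 + '" Signed=true Signature="Microsoft Windows"',
    'EventID=6 UtcTime="2023-05-02 09:15:02.004" '
    'ImageLoaded="C:\\Program Files (x86)\\MSI Afterburner\\RTCore64.sys" '
    'Hashes="SHA256=' + "deadbeef" * 8 + '" Signed=true Signature="Micro-Star Int\'l Co., Ltd."',
    # Same binary dropped under a new name: the signature is still valid.
    'EventID=6 UtcTime="2023-05-02 09:20:45.871" '
    'ImageLoaded="C:\\Users\\Public\\updater.sys" '
    'Hashes="SHA256=' + "deadbeef" * 8 + '" Signed=true Signature="Micro-Star Int\'l Co., Ltd."',
    'EventID=1 UtcTime="2023-05-02 09:20:46.010" Image="C:\\Windows\\System32\\cmd.exe"',
    # Unknown build of the 32-bit driver: hash not on the list, name still matches.
    'EventID=6 UtcTime="2023-05-02 09:31:10.300" '
    'ImageLoaded="C:\\Temp\\RTCore32.sys" '
    'Hashes="SHA256=' + "22" * 32 + '" Signed=true Signature="Micro-Star Int\'l Co., Ltd."',
]

# Key=Value pairs; values are either double-quoted (may contain spaces) or bare.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    time: str
    image: str
    sha256: str
    reason: str


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict; the Hashes field is unpacked
    into a nested dict under "_hashes", keyed by algorithm name."""
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    hashes = {}
    for part in fields.get("Hashes", "").split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            hashes[algo.strip().upper()] = value.strip().lower()
    fields["_hashes"] = hashes
    return fields


def scan(lines: Iterable[str], blocklist: Set[str]) -> List[Finding]:
    """Return one Finding per driver-load event that matches by hash or by name.

    The hash check runs first because it survives renaming; the name check
    catches builds whose hash is not on the list. A valid signature is never
    used to clear an event: these drivers are legitimately signed, which is
    exactly what makes them usable for BYOVD.
    """
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "6":
            continue
        image = ev.get("ImageLoaded", "")
        name = image.rsplit("\\", 1)[-1].lower()
        sha256 = ev["_hashes"].get("SHA256", "")
        if sha256 and sha256 in blocklist:
            reason = "sha256 on blocklist"
        elif name in VULNERABLE_DRIVER_NAMES:
            reason = "file name matches a known vulnerable driver"
        else:
            continue
        findings.append(Finding(ev.get("UtcTime", ""), image, sha256, reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, HASH_BLOCKLIST):
        print(f"{f.time}  {f.reason}: {f.image}")
```

Run against the sample, the clean ntfs.sys load and the EID 1 event are ignored, the MSI driver and its renamed copy are flagged by hash, and the unknown RTCore32.sys build is flagged by name only. In production, replace the placeholder hashes with the real ones from your driver blocklist and feed the parser the actual Sysmon XML rather than this flattened rendering.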

Vulnerable Products

msi afterburner 4.6.2.15658

Github Repositories

EDRSandBlast

EDRSandBlast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring. As of release, combination of userland (--usermode) and Kernel-land (--kernelmode) tec

EDRSandblast-GodFault

By Gabriel Landau at Elastic Security. Modification of EDRSandblast; see original README below. Integrates GodFault into EDRSandblast, achieving the same result without the use of any vulnerable drivers. Example output: C:\Users\user\Desktop\Offsets>EDRSandblast.exe --kernelmode cmd

CVE-2019-16098

This PoC exploits the RTCore64.sys driver and creates a cmd.exe process with SYSTEM privileges by copying the token of the System process over the token of a low-privilege cmd.exe process. A blog post about the approach and the methodology can be found here.

Wild Angel Swarm - Windows 10 botnet

Wild Angel Swarm: botnet targeting Windows 10.

Sources: www.ired.team, github.com/TheCruZ/kdmapper, github.com/Barakat/CVE-2019-16098, github.com/hfiref0x/KDU, github.com/n00bk1t/n00bk1t, www.geoffchappell.com

Kernel-Snooping

Main: medium.com/@VL1729_JustAT3ch. Removing Process Creation Kernel Callbacks: targeting EDR-registered callbacks for process creation (PsSetCreateProcessNotifyRoutine). External components used: the vulnerable MSI Afterburner driver RTCore64 (CVE-2019-16098). Notes: Currently no built-in functionality is provided for loading the driver since th

CYBERSEC 2023 BYOVD Demo

Description: This demo is a presentation given at CYBERSEC 2023 in Taiwan. The presentation showcases the abuse of RTCore64.sys (CVE-2019-16098) from MSI and the nullification of the DSE (Driver Signature Enforcement) flag to load a malicious unsigned driver. The presentation also demonstrates an attack on 360 Total Security by nulling out its ObRegisterCallbacks, enabling the execution

Local privilege escalation PoC exploit for CVE-2019-16098

CVE-2019-16098

The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, I/O ports, and MSRs. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-sig