
Decrement by one to rule them all: AsIO3.sys driver exploitation

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

The article details the discovery and exploitation of two vulnerabilities in the AsIO3.sys driver shipped with the ASUS Armoury Crate and AI Suite applications: a stack-based buffer overflow and an authorization bypass, both located in the driver's IRP_MJ_CREATE handler. The author shows that the driver's authorization check can be defeated with hardlinks and builds a working exploit that escalates a local user to NT AUTHORITY\SYSTEM. The exploit relies on a primitive that decrements an arbitrary memory value by one. A single decrement flips the calling thread's PreviousMode from UserMode (1) to KernelMode (0); with PreviousMode set to KernelMode, memory-access system calls such as NtReadVirtualMemory and NtWriteVirtualMemory no longer probe their addresses, which gives the exploit an arbitrary kernel read/write and lets it replace the process's security token with that of the SYSTEM process. The research underlines the need for sound security design in kernel-mode components and the risk of restricting driver functionality with a blocklist rather than an allowlist.
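The PreviousMode step described above, as an added illustration that is not part of the original article or the author's exploit: a user-mode C simulation in which a fake kernel exposes a decrement-by-one primitive, a PreviousMode byte on the current thread object, and read/write "syscalls" that probe addresses only while PreviousMode is UserMode. The KernelMode/UserMode values are Windows' real KPROCESSOR_MODE constants; every address, offset, structure layout, token value and function name below is constructed for the simulation and does not describe AsIO3.sys or the real kernel layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real Windows KPROCESSOR_MODE values. */
#define KernelMode 0
#define UserMode   1

/* Hypothetical, minimal models of the kernel objects the chain touches.
   Real KTHREAD/EPROCESS are far larger; only the two fields used are modelled. */
typedef struct { uint8_t  PreviousMode; } KTHREAD;
typedef struct { uint64_t Token; }        EPROCESS;

/* Simulated address space: a flat array, addresses >= KERNEL_BASE are "kernel". */
#define KERNEL_BASE 0x1000u
#define MEM_SIZE    0x2000u
static uint8_t g_mem[MEM_SIZE];

/* Constructed layout for the simulation. */
#define ADDR_CUR_THREAD  (KERNEL_BASE + 0x000u) /* KTHREAD of the attacker's thread   */
#define ADDR_CUR_PROCESS (KERNEL_BASE + 0x100u) /* EPROCESS of the attacker's process */
#define ADDR_SYS_PROCESS (KERNEL_BASE + 0x200u) /* EPROCESS of the System process     */

#define SYSTEM_TOKEN 0xFFFF9A8B00001234ull /* constructed token pointer values */
#define USER_TOKEN   0xFFFF9A8B0000ABCDull

static KTHREAD  *cur_thread(void)  { return (KTHREAD  *)(g_mem + ADDR_CUR_THREAD);  }
static EPROCESS *cur_process(void) { return (EPROCESS *)(g_mem + ADDR_CUR_PROCESS); }
static EPROCESS *sys_process(void) { return (EPROCESS *)(g_mem + ADDR_SYS_PROCESS); }

/* Reset the simulated kernel: unprivileged token, thread entered from user mode. */
void reset_kernel(void) {
    memset(g_mem, 0, sizeof g_mem);
    cur_thread()->PreviousMode = UserMode;
    cur_process()->Token = USER_TOKEN;
    sys_process()->Token = SYSTEM_TOKEN;
}

/* The vulnerable driver's primitive as the summary describes it: decrement the
   value at an attacker-chosen address by one. Modelled here as a byte decrement. */
void driver_decrement(uint32_t addr) {
    g_mem[addr] -= 1;
}

/* Models NtWriteVirtualMemory/NtReadVirtualMemory: with PreviousMode == UserMode
   the kernel probes the buffer and rejects kernel addresses; with KernelMode the
   probe is skipped and any address is accepted. Returns 0 on success, -1 on reject. */
int nt_write_virtual_memory(uint32_t dst, const void *src, size_t len) {
    if (cur_thread()->PreviousMode == UserMode && dst + len > KERNEL_BASE)
        return -1; /* stands in for STATUS_ACCESS_VIOLATION */
    memcpy(g_mem + dst, src, len);
    return 0;
}
int nt_read_virtual_memory(uint32_t src, void *dst, size_t len) {
    if (cur_thread()->PreviousMode == UserMode && src + len > KERNEL_BASE)
        return -1;
    memcpy(dst, g_mem + src, len);
    return 0;
}

/* The chain: one decrement turns PreviousMode 1 -> 0, the now-unprobed syscalls
   copy the System token pointer over our own EPROCESS.Token, then PreviousMode is
   restored so the thread behaves normally afterwards. Returns 0 on success. */
int escalate(void) {
    uint64_t tok;
    uint8_t  user = UserMode;
    /* 1. Before the flip the syscall refuses a kernel address. */
    if (nt_read_virtual_memory(ADDR_SYS_PROCESS, &tok, sizeof tok) == 0) return -1;
    /* 2. Single decrement: UserMode (1) becomes KernelMode (0). */
    driver_decrement(ADDR_CUR_THREAD + offsetof(KTHREAD, PreviousMode));
    /* 3. Same syscalls are now an arbitrary kernel read/write. */
    if (nt_read_virtual_memory(ADDR_SYS_PROCESS + offsetof(EPROCESS, Token), &tok, sizeof tok)) return -2;
    if (nt_write_virtual_memory(ADDR_CUR_PROCESS + offsetof(EPROCESS, Token), &tok, sizeof tok)) return -3;
    /* 4. Restore PreviousMode; the write itself still runs with KernelMode. */
    if (nt_write_virtual_memory(ADDR_CUR_THREAD + offsetof(KTHREAD, PreviousMode), &user, sizeof user)) return -4;
    return 0;
}

uint64_t current_token(void)         { return cur_process()->Token; }
uint8_t  current_previous_mode(void) { return cur_thread()->PreviousMode; }

int main(void) {
    reset_kernel();
    int rc = escalate();
    printf("escalate=%d token=0x%llx previous_mode=%u\n",
           rc, (unsigned long long)current_token(), current_previous_mode());
    return rc;
}
```

The point the simulation makes is why a decrement-by-one is enough: PreviousMode is a one-byte field whose only two values differ by one, so no controlled-value write is needed to reach KernelMode, and once there the regular memory syscalls do the rest of the work, including restoring the byte. A real exploit must also cope with the fact that the token pointer in EPROCESS carries reference-count bits and that PreviousMode must be restored before the thread makes any other syscall; the simulation ignores both.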

OPENCTI LABELS :

windows,vulnerability,privilege escalation,asus,driver exploitation,kernel exploitation,asio3.sys,cve-2025-1533,cve-2025-3464



