Decrement by one to rule them all: AsIO3.sys driver exploitation
Source: Cisco Talos
Excerpt:
Armoury Crate and AI Suite are applications used to manage and monitor ASUS motherboards and related components such as the processor, RAM or the increasingly popular RGB lighting. These types of applications often install drivers in the system, which are necessary for direct communication with hardware: to configure settings, to retrieve critical parameters such as CPU temperature and fan speeds, or to apply firmware updates.
It is critical that such drivers are written with security in mind and designed so that access to their interfaces is restricted to the intended services and to administrators.
During the audit of the code and components related to the aforementioned applications, Cisco Talos discovered two critical vulnerabilities in the AsIO3.sys driver. Both vulnerabilities were discovered in the IRP_MJ_CREATE handler:
- CVE-2025-1533/TALOS-2025-2144 – Asus Armoury Crate AsIO3.sys stack-based buffer overflow vulnerability
- CVE-2025-3464/TALOS-2025-2150 – Asus Armoury Crate AsIO3.sys authorization bypass vulnerability
The first vulnerability is a stack-based buffer overflow that occurs during the process’s ImagePath conversion from “Win32 Path” to “NT Namespace Path”.
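The bug class behind the first finding, shown as an added illustration that is not the driver's code or Talos's exploit: a Win32-to-NT-namespace path conversion assembled in a fixed-size stack buffer with no length check, beside a hardened version that computes the required size before writing and refuses input that does not fit. The buffer size, function names, and the handling of drive-letter and UNC forms are assumptions made for this example; the excerpt does not describe the actual AsIO3.sys buffer layout or trigger conditions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative values only; nothing here is taken from AsIO3.sys. */
#define NT_PREFIX      "\\??\\"      /* \??\ : symbolic-link root for Win32 names */
#define NT_UNC_PREFIX  "\\??\\UNC\\" /* \??\UNC\ : where UNC paths map */
#define STACK_PATH_MAX 64            /* small fixed stack buffer, to keep the point visible */

/* Unsafe pattern (hypothetical): the converted path is assembled in a
 * fixed-size stack buffer with no check that prefix + input fits, so a
 * long ImagePath writes past the end of nt_path. Only ever call this
 * with short inputs; it exists to show the missing check. */
size_t convert_unchecked(const char *win32_path)
{
    char nt_path[STACK_PATH_MAX];
    strcpy(nt_path, NT_PREFIX);   /* no bounds check here ... */
    strcat(nt_path, win32_path);  /* ... and none here either */
    return strlen(nt_path);
}

/* Hardened form: pick the prefix, compute the required size up front,
 * refuse when it does not fit, and never write beyond out_len. */
bool win32_to_nt_path(const char *win32_path, char *out, size_t out_len)
{
    const char *prefix;
    const char *body;
    size_t prefix_len, body_len;

    if (win32_path == NULL || out == NULL || out_len == 0)
        return false;

    if (strncmp(win32_path, NT_PREFIX, strlen(NT_PREFIX)) == 0) {
        prefix = "";                 /* already an NT namespace path */
        body = win32_path;
    } else if (win32_path[0] == '\\' && win32_path[1] == '\\') {
        prefix = NT_UNC_PREFIX;      /* \\server\share -> \??\UNC\server\share */
        body = win32_path + 2;
    } else {
        prefix = NT_PREFIX;          /* C:\dir\x.exe -> \??\C:\dir\x.exe */
        body = win32_path;
    }

    prefix_len = strlen(prefix);
    body_len = strlen(body);
    if (prefix_len + body_len + 1 > out_len)   /* +1 for the terminator */
        return false;                           /* the check the unsafe version lacks */

    memcpy(out, prefix, prefix_len);
    memcpy(out + prefix_len, body, body_len + 1);
    return true;
}

/* Would the unchecked conversion overrun its STACK_PATH_MAX buffer? */
bool would_overflow_stack(const char *win32_path)
{
    return strlen(NT_PREFIX) + strlen(win32_path) + 1 > STACK_PATH_MAX;
}

int main(void)
{
    char out[STACK_PATH_MAX];
    char long_path[128];

    /* constructed sample inputs */
    if (win32_to_nt_path("C:\\Windows\\System32\\cmd.exe", out, sizeof out))
        printf("ok:   %s\n", out);

    memset(long_path, 'A', sizeof long_path - 1);
    long_path[sizeof long_path - 1] = '\0';
    printf("long path would overflow the stack copy: %s\n",
           would_overflow_stack(long_path) ? "yes" : "no");
    printf("hardened conversion accepted the long path: %s\n",
           win32_to_nt_path(long_path, out, sizeof out) ? "yes" : "no");
    return 0;
}
```

The whole difference is one size check before the first write. In kernel code the same check has to cover the Length of the caller-controlled UNICODE_STRING, and the safer design avoids a fixed stack buffer altogether, allocating from pool or using the bounded string routines in ntstrsafe.h, since an unchecked copy in IRP_MJ_CREATE runs for every process that opens the device.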
The second vulnerability allowed bypassing the authorization mechanism implemented in the driver, granting access to its functionality not just to the intended service but to any user. With access to a security-critical function within this driver, I successfully developed a fully working exploit that escalates local user privileges to “NT SYSTEM”, which we describe in detail below…
To read the complete article see: Decrement by one to rule them all: AsIO3.sys driver exploitation