Talos Vulnerability Report


IOBit Advanced SystemCare Ultimate exposed IOCTL 0x9c40a148 vulnerability

July 7, 2021
CVE Number



An information disclosure vulnerability exists in the IOCTL 0x9c40a148 handling of IOBit Advanced SystemCare Ultimate. A specially crafted I/O request packet (IRP) can lead to a disclosure of sensitive information. An attacker can send a malicious IRP to trigger this vulnerability.

Tested Versions

IOBit Advanced SystemCare Ultimate

Product URLs


CVSSv3 Score

6.5 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N


CWE-782 - Exposed IOCTL with Insufficient Access Control


IOBit Advanced SystemCare Ultimate provides a solution for keeping track of running services, processes that are using a large amount of memory, and software updates. It can also update drivers to their latest versions.

Advanced SystemCare also provides a monitoring driver to help facilitate its tasks. This driver creates \Device\IOBIT_WinRing0_1_3_0, which is readable and writable by everyone. The driver also provides a callback for handling IRP_MJ_DEVICE_CONTROL requests to the driver.

The driver used in this analysis is below:

Monitor_win10_x64.sys e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb

During the handling of IOCTL 0x9c40a148, data controlled by an unprivileged user is passed to the HalSetBusDataByOffset function. This data is not constrained, giving the unprivileged user the ability to read any I/O device’s configuration and device-specific registers. The reading of this information can lead to the disclosure of sensitive information to the user.

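    case 0x9C40A148:
      v14 = v4->Parameters.DeviceIoControl.InputBufferLength;
      if ( v14 < 8 )                        // input must hold at least two DWORDs
      {
        v5 = 0xC000000D;                    // STATUS_INVALID_PARAMETER
        goto LABEL_65;
      }
      input_buffer_3 = a2->AssociatedIrp.SystemBuffer;  // caller-supplied buffer
      *(_DWORD *)iostatus_info = 0;
      // Every argument below is taken from the caller's buffer without further checks:
      // bus number, slot number, data pointer, offset and data length.
      v5 = v14 - 8 != HalSetBusDataByOffset(
                        (unsigned __int8)BYTE1(*(_DWORD *)input_buffer_3),
                        (32 * (*(_DWORD *)input_buffer_3 & 7)) | ((unsigned __int8)*(_DWORD *)input_buffer_3 >> 3),
                        (char *)input_buffer_3 + 8,
                        *((_DWORD *)input_buffer_3 + 1),
                        v14 - 8) ? 0xE0000003 : 0;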
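
For triage of a captured request, the following added example (not code from the report or from the driver) splits the control code into its standard CTL_CODE fields and decodes an input buffer the same way the handler above does. The struct, function and field names and the sample buffer are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method */
struct ioctl_fields { uint32_t device_type, access, function, method; };

static struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3;  /* 1 = FILE_READ_ACCESS, 2 = FILE_WRITE_ACCESS */
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 0x3;          /* 0 = METHOD_BUFFERED */
    return f;
}

/* Field names are this example's, not the driver's. */
struct pci_request { uint32_t bus, slot, device, function, offset, data_len; };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Mirrors the handler's argument decoding; returns -1 where it sets 0xC000000D. */
static int decode_request(const uint8_t *buf, size_t len, struct pci_request *r)
{
    if (len < 8) return -1;
    uint32_t addr = le32(buf);
    r->bus      = (addr >> 8) & 0xFF;                       /* BYTE1 of dword 0 */
    r->slot     = (32 * (addr & 7)) | ((addr & 0xFF) >> 3); /* function<<5 | device */
    r->device   = r->slot & 0x1F;
    r->function = r->slot >> 5;
    r->offset   = le32(buf + 4);                            /* dword 1 */
    r->data_len = (uint32_t)(len - 8);                      /* bytes after the header */
    return 0;
}

/* Constructed sample: bus 2, device 31, function 3, offset 0x40, 4 data bytes. */
static const uint8_t sample[12] = { 0xFB, 0x02, 0, 0, 0x40, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    struct ioctl_fields f = decode_ioctl(0x9C40A148u);
    struct pci_request r;
    printf("type=0x%X access=%u function=0x%X method=%u\n", (unsigned)f.device_type,
           (unsigned)f.access, (unsigned)f.function, (unsigned)f.method);
    if (decode_request(sample, sizeof sample, &r) == 0)
        printf("bus=%u dev=%u func=%u offset=0x%X len=%u\n", (unsigned)r.bus,
               (unsigned)r.device, (unsigned)r.function, (unsigned)r.offset, (unsigned)r.data_len);
    return 0;
}
```

The access field decodes to FILE_WRITE_ACCESS, so the only gate on this request is a handle opened for write, which the device's permissions described above grant to every user.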


2021-03-10 - Follow up with vendor
2021-04-30 - 2nd follow up with vendor
2021-05-17 - 3rd follow up with vendor
2021-06-27 - Final follow up with vendor
2021-07-07 - Public release


Discovered by Cory Duplantis of Cisco Talos.