VU#158530: PCTCore64.sys Windo... Note

VU#158530: PCTCore64.sys Windows kernel driver contains missing access control vulnerability

The PCTCore64.sys Windows kernel driver from PC Tools Internet Security has a significant security vulnerability. This driver exposes a device interface called \.\PCTCoreDriver without proper access control measures in place. Consequently, any user-mode process can interact with this driver and execute privileged IOCTL commands.In a Bring Your Own Vulnerable Driver (BYOVD) scenario, an attacker with the ability to load a Windows driver can exploit this flaw. They can perform sensitive low-level operations on the target system by invoking the driver's exposed interface. The driver lacks secure descriptor application, allowing unprivileged processes to open device handles and send privileged IOCTL requests.This allows attackers to perform actions like enumerating system-wide handles and manipulating handles across processes. Crucially, it enables credential extraction from sensitive processes like lsass.exe. Arbitrary process termination, including protected processes, is also possible.Although PC Tools Internet Security was discontinued in 2013, the driver remains signed and exploitable in BYOVD attacks. This vulnerability facilitates credential theft, disabling security software, and achieving broader system compromise. The impact includes credential theft, denial-of-service, and system compromise.The solution is to remove and block the vulnerable driver, as it is no longer maintained. Organizations should also implement mitigations against BYOVD attacks, such as restricting admin privileges and enabling Windows security features like HVCI and WDAC.