VU#639124: Multiple local privilege escalation vulnerabilities in Little Orbits GameFirst Anti-Cheat
The GamersFirst Anti-Cheat driver, GFAC.sys, suffers from critical security flaws. These vulnerabilities allow local attackers to escalate privileges and cause denial-of-service conditions. The issues stem from the driver's insecure handling of user-controlled input via a minifilter communication port. A NULL pointer dereference in the initialization and request handling logic can lead to system crashes. Additionally, the minifilter communication port lacks sufficient security descriptors, enabling low-privileged users to connect. This allows them to access functions not intended for them. The driver also fails to validate user-supplied memory addresses during write operations. This enables arbitrary kernel memory writes, a "write-what-where" condition. Exploiting this can lead to privilege escalation to SYSTEM by modifying critical operating system structures. The vendor was unresponsive regarding these disclosed vulnerabilities. Users are advised to restrict local access and monitor for suspicious activity involving GFAC. Disabling or removing games that use GFAC is recommended until a patch is released.