Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-20564 PoC — AMD Ryzen Master 输入验证错误漏洞

Source
https://github.com/NtGabrielGomes/CVE-2023-20564
Associated Vulnerability
Title:AMD Ryzen Master 输入验证错误漏洞 (CVE-2023-20564)
Description:AMD Ryzen Master是美国超威半导体(AMD)公司的一款用于管理和调整 AMD Ryzen 处理器性能的软件工具。 AMD Ryzen Master存在安全漏洞,该漏洞源于输入缓冲区验证不充分,可能会允许特权攻击者执行内存读取和写入从而可能导致机密性丢失。
Description
PoC for AMD Ryzen driver.
Readme
# CVE-2023-20564 - AMD Ryzen Master Driver Physical Memory Access PoC

[![CVSS](https://img.shields.io/badge/CVSS-8.8-red)](https://nvd.nist.gov/vuln/detail/CVE-2023-20564)
[![Platform](https://img.shields.io/badge/Platform-Windows-blue)]()

## Overview

This repository contains a **Proof of Concept (PoC)** demonstrating the vulnerability **CVE-2023-20564** in AMD Ryzen Master Driver. The vulnerability allows unprivileged users to read and write arbitrary physical memory, leading to potential privilege escalation and system compromise.

## ⚠️ Disclaimer

**This code is for educational and research purposes only.**
- Do not use this on systems you do not own
- The author is not responsible for any damage or misuse
- This is intended for security researchers and penetration testers
- Use only in controlled environments with proper authorization

## Vulnerability Details

- **CVE ID**: CVE-2023-20564
- **CVSS Score**: 8.8 (High)
- **Vendor**: AMD
- **Product**: AMD Ryzen Master Driver
- **Affected Versions**: Multiple versions of AMD Ryzen Master software
- **Impact**: Physical memory read/write access leading to privilege escalation

### Technical Description

The AMD Ryzen Master driver (`AMDRyzenMasterDriverV17.sys`) contains insufficient validation in its IOCTL handlers, specifically:

- **Read IOCTL**: `0x81112F08` - Allows reading arbitrary physical memory
- **Write IOCTL**: `0x81112F0C` - Allows writing arbitrary physical memory

The driver fails to properly validate:
1. Physical memory addresses
2. Size boundaries
3. Protected memory regions

This allows malicious applications to:
- Read sensitive kernel data structures
- Modify critical system components
- Bypass Windows kernel protections
- Achieve arbitrary code execution in kernel mode

## Features

- **Physical Memory Read**: Read arbitrary physical memory addresses
- **Physical Memory Write**: Write data to arbitrary physical memory addresses
- **Driver Service Management**: Automatic installation/removal of vulnerable driver
- **Data Verification**: Read-Write-Verify sequence to confirm operations
- **Multiple Size Testing**: Test different data sizes (1-64 bytes)
- **Error Handling**: Comprehensive error reporting and debugging

## Requirements

### System Requirements
- Windows 10/11 (x64)
- Administrator privileges
- Visual Studio 2019/2022 or compatible C++ compiler

### Files Needed
- `AMDRyzenMasterDriverV17.sys` - The vulnerable driver file
- Source code from this repository

## Installation & Usage

### 1. Clone Repository
```bash
git clone https://github.com/NtGabrielGomes/CVE-2023-20564.git
cd CVE-2023-20564
```

### 2. Compile the PoC
```batch
# Using Visual Studio

# Or manually
g++ -std=c++17 poc_demo.cpp -o poc_demo.exe -ladvapi32
```

### 3. Run the PoC
```batch
# Run as Administrator
poc_demo.exe

# To remove the driver after testing
poc_demo.exe remove
```

## Code Structure

```
├── poc_demo.cpp           # Main PoC implementation
├── README.md              # This file
└── LICENSE                # License file
```

### Key Components

#### Memory Structures
```cpp
typedef struct _AMDReadStructure {
    LARGE_INTEGER PhysAddr;     // Physical address to read
    LARGE_INTEGER SizeAndData;  // Size and data buffer
    CHAR Buffer[1];             // Variable data buffer
} AMDReadStructure, *PAMDReadStructure;
```

#### Core Functions
- `ReadPhysicalMemory()` - Read from physical memory
- `WritePhysicalMemory()` - Write to physical memory
- `TestReadWriteVerify()` - Complete test sequence
- `InstallDriverService()` - Driver installation
- `StopAndRemoveDriverService()` - Driver cleanup

## Example Output

```
===========================================
  AMD Ryzen Master Driver - Memory PoC    
===========================================

[*] Installing and starting driver service...
[+] Driver file found
[+] Service created successfully
[+] Service started successfully

[*] Initializing driver connection...
[+] Driver connection established successfully

[!] TESTING READ/WRITE/VERIFY SEQUENCE

[STEP 1] Reading original data...
[*] Reading 8 bytes from physical address 0x100000
[*] PHYSICAL MEMORY READ SUCCESS!
    Read 8 bytes from 0x100000
    Data: 4D 5A 90 00 03 00 00 00

[STEP 2] Writing test data...
[*] Writing 8 bytes to physical address 0x100000
    Data: DE AD BE EF CA FE BA BE
[*] PHYSICAL MEMORY WRITE SUCCESS!
    Wrote 8 bytes to 0x100000

[STEP 3] Verifying written data...
[*] Reading 8 bytes from physical address 0x100000
[*] PHYSICAL MEMORY READ SUCCESS!
    Data: DE AD BE EF CA FE BA BE

[*] DATA VERIFICATION SUCCESS! Write/Read works correctly!
```

## Technical Analysis

### IOCTL Handler Analysis

The vulnerable driver exposes two main IOCTLs:

1. **Physical Memory Read (`0x81112F08`)**
   - Input: Physical address + size
   - Output: Memory content at specified address
   - No validation of address ranges

2. **Physical Memory Write (`0x81112F0C`)**
   - Input: Physical address + size + data
   - Output: None
   - No validation of protected memory regions

### Exploitation Techniques

This PoC can be extended for:
- **Token Stealing**: Modify process tokens for privilege escalation
- **KASLR Bypass**: Read kernel structures to defeat randomization
- **Driver Signature Bypass**: Modify kernel variables controlling signature checks
- **Process Protection Bypass**: Remove process protection flags

## Mitigation

### For Users
1. **Update AMD Ryzen Master** to the latest version
2. **Uninstall** if not needed
3. **Monitor** for unauthorized driver installations

### For Developers
1. **Input Validation**: Validate all IOCTL parameters
2. **Address Range Checks**: Verify physical addresses are in allowed ranges
3. **Size Limitations**: Implement maximum size restrictions
4. **Security Reviews**: Regular code audits for similar issues
   
## References

- [CVE-2023-20564 - MITRE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20564)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2023-20564)
- [AMD Security Advisory](https://www.amd.com/en/corporate/product-security)
- [Windows Driver Security Best Practices](https://docs.microsoft.com/en-us/windows-hardware/drivers/driversecurity/)

## Contributing

1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Submit a pull request

## Credits

- **Vulnerability Discovery**: **@T0k1To** and **NtGabrielGomes** 

---

**Remember**: This tool is for authorized security testing only. Always obtain proper permission before testing on any system.
File Snapshot

 [4.0K]  /data/pocs/6854fa2817c0892a290a92a7b13efc74b2df87a7
├── [ 14K]  poc.cpp
└── [6.4K]  README.md

1 directory, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.