CVE-2020-9453 & CVE-2020-9014 - Multiple IOCTL DOS Bugs in Epson’s iProjection V2.30 Drivers

Multiple vulnerabilities have been discovered within the Epson iProjection v2.30 software provided by EPSON. These vulnerabilities could also be weaponized into privilege escalation (EoP) exploits that allow an attacker to obtain higher privileges on an unpatched system. The proof-of-concept exploits produced so far simply send data to the various IOCTLs, which invokes a BSOD crash on the system.

This piece of software includes multiple drivers that are prone to various sets of vulnerabilities.

Description:

Epson iProjection v2.30 is projection software provided by Epson. Version 2.30 includes multiple drivers, two of which are prone to multiple vulnerabilities.

CVE-2020-9453

# Exploit Title: Epson iProjection v2.30 Driver EMP_MAU.sys Memory Corruption
# Date: 02/15/2020
# Exploit Author: FULLSHADE
# Vendor Homepage: https://epson.com
# Software Link: https://www.epson.eu/epson-projector-software
# Version: v.2.30
# Tested on: Windows 7 /  Windows 10
# CVE : CVE-2020-9453

Description:

EMP_MAU.sys is a Windows x86 kernel driver that gives unprivileged users unrestricted access when sending IOCTLs to the associated device. When calling DeviceIoControl(), if the user provides a NULL entry for the dwIoControlCode parameter, the result is a BSOD (kernel panic). By reverse-engineering the two drivers in IDA Pro, three IOCTLs were found in each driver's dispatch function. All three are repeated in both EMP_MAU.sys and the second driver, EMP_NSAU.sys; the three IOCTLs in question are 0x9C402402, 0x9C402406, and 0x9C40240A.

  • The discovered IOCTLs that trigger BSODs are as follows.
Address | IOCTL Code | Device           | Function | Method                | Access
0x1303B | 0x9C402402 | <UNKNOWN> 0x9C40 | 0x900    | METHOD_OUT_DIRECT (2) | FILE_ANY_ACCESS (0)
0x13047 | 0x9C402406 | <UNKNOWN> 0x9C40 | 0x901    | METHOD_OUT_DIRECT (2) | FILE_ANY_ACCESS (0)
0x1304F | 0x9C40240A | <UNKNOWN> 0x9C40 | 0x902    | METHOD_OUT_DIRECT (2) | FILE_ANY_ACCESS (0)
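As an added example (not code from the advisory or from Epson), a small decoder that splits the control codes listed above into the fields CTL_CODE() packs them from, so the Device, Function, Method and Access columns can be checked and codes callable with FILE_ANY_ACCESS flagged for triage. The Address column comes from the disassembly and cannot be derived from the code itself.

```python
"""Decode Windows IOCTL control codes into their CTL_CODE fields.
Constructed example, not code from the original advisory: reproduces the
Device / Function / Method / Access columns for the three codes above."""
from dataclasses import dataclass

METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}

@dataclass(frozen=True)
class IoctlFields:
    code: int
    device_type: int
    function: int
    method: int
    access: int

def decode_ioctl(code: int) -> IoctlFields:
    """Split a 32-bit control code the way CTL_CODE() assembles it:
    (DeviceType << 16) | (Access << 14) | (Function << 2) | Method."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("control code must fit in 32 bits")
    return IoctlFields(code, (code >> 16) & 0xFFFF, (code >> 2) & 0xFFF,
                       code & 0x3, (code >> 14) & 0x3)

def describe(code: int) -> str:
    """One row in the same column order as the advisory's listing."""
    f = decode_ioctl(code)
    return (f"0x{f.code:08X} | 0x{f.device_type:04X} | 0x{f.function:03X} | "
            f"{METHOD_NAMES[f.method]} ({f.method}) | "
            f"{ACCESS_NAMES[f.access]} ({f.access})")

def any_access_codes(codes):
    """Codes whose access field is FILE_ANY_ACCESS (0): the IOCTL imposes no
    access check, so only the device object's ACL limits who may send it."""
    return [c for c in codes if decode_ioctl(c).access == 0]

EPSON_IOCTLS = [0x9C402402, 0x9C402406, 0x9C40240A]  # the codes in the table

if __name__ == "__main__":
    for c in EPSON_IOCTLS:
        print(describe(c))
```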



CVE-2020-9014

The same three IOCTLs are found, and the same vulnerable code is repeated, in the second audio driver, EMP_NSAU.sys.

# Exploit Title: Epson iProjection v2.30 Driver EMP_NSAU.sys Memory Corruption
# Date: 02/15/2020
# Exploit Author: FULLSHADE
# Vendor Homepage: https://epson.com
# Software Link: https://www.epson.eu/epson-projector-software
# Version: v.2.30
# Tested on: Windows 7 /  Windows 10
# CVE : CVE-2020-9014

Disclosure Timeline

  • Fri, Feb 14, 2020: Initial vulnerability discovery
  • Fri, Feb 14, 2020: CVE request for EMP_MAU.sys was made
  • Sat, Feb 15, 2020: CVE request for EMP_NSAU.sys was made
  • Tue, Feb 18, 2020: Vendor contacted
  • Tue, Feb 18, 2020: Vendor escalates issue for support (Incident: 200218-002215)
  • Wed, Feb 19, 2020: Vendor requested more information
  • Mon, Mar 2, 2020: Vendor says they are working on it, update soon
  • Mon, Mar 10, 2020: Tried contacting vendor multiple times
  • Thu, Mar 20, 2020: Vendor gave March 31st as a patch date and thanked me

Publications

  • Vendor advisory :
  • NIST advisory :
  • MITRE ATT&CK publication : CVE-2020-9014
  • MITRE ATT&CK publication : CVE-2020-9453
  • Exploit-db publication :

Exploitation process

These vulnerabilities yielded multiple DoS (BSOD) PoCs. The vulnerability reached via IOCTL 0x9C402402 most likely includes a null pointer dereference; the exploitation process below focuses on it, since it is fairly similar to exploiting the null pointer dereference vulnerabilities in HEVD.

Updated: