Realtek HD Audio is a popular audio driver package for Windows systems. It provides high-quality surround sound along with other functions such as a digital-to-analog converter (DAC). Realtek audio is one of the most widely used audio drivers available to consumers, and it is present on all Windows computers with a Realtek sound card.
The vulnerability, tracked as CVE-2019-19705, occurs because of a couple of flaws in the background process RAVBg64.exe. This process is a Microsoft Foundation Class (MFC) application that allows data-only dynamic-link libraries (DLLs) to be loaded. When the HD audio background process starts, it loads several DLLs with system privileges. However, two of these libraries, RAVBg64ENU.dll and RAVBg64LOC.dll, do not exist. An attacker who already has administrator privileges can copy arbitrary DLLs with these names to the expected file path, where they will then be executed with system privileges.
Vulnerability
The first cause of this vulnerability is that no digital signature validation is performed on the loaded DLLs. This allows arbitrary, unsigned DLLs to be loaded.
The second issue concerns the way the DLLs are loaded. The program loads the two DLLs as regular DLLs instead of using the flag LOAD_LIBRARY_AS_IMAGE_RESOURCE, which would not execute the DLL's code. Current MFC applications load localized DLLs only as resource-only DLLs, so this would not normally be a problem. However, when SafeBreach was working on their proof of concept, they used Detect It Easy to determine which compiler Realtek had used. The results showed that Realtek compiled the binary with Visual Studio 2005, and back in 2005, Visual Studio's MFC loaded localized DLLs as regular DLLs with code.
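The two causes above suggest a simple defender-side check, written here as an added example rather than Realtek's or SafeBreach's code: because the driver ships without the two DLL names, their presence in the driver folder is itself worth a look, and any file found there should at least carry a valid Authenticode signature. The driver folder path is an assumption (a placeholder default); adjust it to the install being checked, and run elevated if you want the running process's module list as well.

```powershell
# Added detection check for CVE-2019-19705 DLL preloading (not vendor code).
# Assumption: $RealtekDir is the folder that contains RAVBg64.exe. The default
# below is a placeholder and may not match a given installation.
function Test-RealtekPreloadDlls {
    param(
        [string]$RealtekDir = 'C:\Program Files\Realtek\Audio\HDA'  # placeholder
    )
    # Names the process requests but which a legitimate install does not ship.
    $names = 'RAVBg64ENU.dll', 'RAVBg64LOC.dll'
    foreach ($name in $names) {
        $path = Join-Path $RealtekDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Dll = $name; Present = $false; Signature = 'n/a';
                               Signer = ''; Verdict = 'OK: not present' }
            continue
        }
        # A file with this name exists: check whether it is validly signed.
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $verdict = if ($sig.Status -eq 'Valid') { 'REVIEW: present and signed' }
                   else { 'ALERT: present and not validly signed' }
        [pscustomobject]@{ Dll = $name; Present = $true; Signature = $sig.Status;
                           Signer = $signer; Verdict = $verdict }
    }
}

# Second view: if RAVBg64.exe is running, report any module loaded under the two
# names together with its on-disk signature status. Reading the module list of a
# process running as SYSTEM requires an elevated shell.
function Get-RealtekLoadedSuspects {
    $procs = Get-Process -Name RAVBg64 -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        try { $modules = $p.Modules } catch { continue }   # access denied, bitness mismatch
        $modules | Where-Object { $_.ModuleName -in 'RAVBg64ENU.dll', 'RAVBg64LOC.dll' } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FileName
                [pscustomobject]@{ ProcessId = $p.Id; Module = $_.ModuleName;
                                   Path = $_.FileName; Signature = $sig.Status }
            }
    }
}

Test-RealtekPreloadDlls    | Format-Table -AutoSize
Get-RealtekLoadedSuspects  | Format-Table -AutoSize
```

On a patched install (version 8857 or later, per the Mitigation section) the first function should report both names as not present; a present file, signed or not, is something to investigate against your software inventory.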
Impact
The RAVBg64.exe process attempts to load the two DLLs every time it starts. For this reason, one of the largest impacts an attacker can achieve is persistence: once the DLL is replaced with the malicious library, its code executes every time the service is loaded on the system. Since the process runs with system permissions, privilege escalation is also achievable with this attack.
Mitigation
According to Realtek, an update to the audio driver package has been released; as of version 8857, the issues behind this vulnerability have been fixed. It is important to keep all computer drivers up to date; just because they run in the background doesn't mean they should be forgotten. To prevent this attack and similar ones in the future, avoid working day-to-day in an account with administrator privileges, as doing so only makes it easier for attackers to compromise the system. Additionally, random or untrustworthy programs should not be downloaded from the internet, because they could execute code and copy unwanted files into places they should not be.
Relevance
With Realtek being one of the most popular audio drivers available, and many motherboards having built-in on-board sound, it is likely that Realtek audio drivers will be installed on a given computer. Dell is one manufacturer that uses Realtek in many of its devices that support on-board audio, and Dell laptops often install these drivers automatically. Fortunately, if automatic updates are turned on, Windows 10 also installs the latest drivers automatically to keep the system running properly. However, the automatic installation of this driver could have been a huge problem if the vulnerability had been exploited in the wild before it was patched.
References
[1] SafeBreach, “Realtek HD Audio Driver Package – DLL Preloading and Potential Abuses (CVE-2019-19705)”, February 14, 2020. https://safebreach.com/Post/Realtek-HD-Audio-Driver-Package-DLL-Preloading-and-Potential-Abuses-CVE-2019-19705
[2] SecurityWeek, “DLL Hijacking Vulnerability Found in Realtek HD Audio Driver”, February 6, 2020. https://www.securityweek.com/dll-hijacking-vulnerability-found-realtek-hd-audio-driver
[3] TheWindowsClub, “How to use Realtek HD Audio Manager to boost up your PC Sound”, July 12, 2016. https://www.thewindowsclub.com/realtek-hd-audio-manager