Throttlestop WinRing0x64.sys vulnerability

dimmitsaras

New Member
Joined
May 1, 2020
Hi, to play Riot Games' shooter Valorant, the anticheat requires all of the drivers on the system to have no vulnerabilities. Apparently ThrottleStop has a vulnerability in WinRing0x64.sys, so the anticheat prevents it from loading. Thus, ThrottleStop can't be used. Without it my laptop throttles and I get really bad frames in the game. Is there any fix for this being made? As far as I know the game is the least of my worries, as the vulnerability allows arbitrary code execution via the faulty driver.
 

lagavulin

New Member
Joined
May 1, 2020
Hey, just wanted to say I came here for the same reason. Hopefully we get a response from the devs!
 

unclewebb

ThrottleStop & RealTemp Author
Joined
Jun 1, 2008
> Is there any fix for this being made?

No immediate plans for a fix. ThrottleStop is freeware. If you want to play Valorant or if you are worried about the security of your system, you will have to find an alternative.
 

Regeneration

NGOHQ.COM
Joined
Oct 26, 2005
Maybe you shouldn't play games that require 100% data security and can be accessed only by trolling on Twitch.
 

Surwo

New Member
Joined
May 1, 2020
I am here for the same reason. My game is unplayable without throttlestop!
 

unclewebb

ThrottleStop & RealTemp Author
Joined
Jun 1, 2008
The WinRing0 driver that ThrottleStop uses has had the memory read/write capabilities removed. That makes it impossible to use this driver to read or write any information into memory. There is no way to use this driver to cheat by adding an extra 100 or 1000 rounds of ammo or whatever. The way ThrottleStop opens and uses this driver has also been patched for improved security.
 

pkzmbk

New Member
Joined
May 1, 2020
> The WinRing0 driver that ThrottleStop uses has had the memory read/write capabilities removed. That makes it impossible to use this driver to read or write any information into memory. There is no way to use this driver to cheat by adding an extra 100 or 1000 rounds of ammo or whatever. The way ThrottleStop opens and uses this driver has also been patched for improved security.

I appreciate that the program is freeware and there's no professional obligation to fix the software, but please don't spread misinformation. As anyone can verify by checking the digital signature, the WinRing0x64.sys driver has been unchanged since it was created in 2008 for CrystalDiskMark. It is vulnerable and allows for escalation into the kernel. Exploitation is non-trivial but details exist on the web.

I can personally disassemble the very driver ThrottleStop ships with and see the vulnerable portion at 0x000111d9 (handling IOCTL 0x9C402088).


Note that cheat developers have been aware of the exploitable nature of the driver since before the CVE, though using a different method (IOCTL 0x9C406104) that only allows reading memory.
 

unclewebb

ThrottleStop & RealTemp Author
Joined
Jun 1, 2008


> the WinRing0x64.sys driver has been unchanged since it was created in 2008

There have been multiple versions of the WinRing0 driver released. The memory read/write capabilities were removed from the later versions.

> I can personally disassemble the very driver throttlestop ships with and see the vulnerable portion at 0x000111d9 (handling IOCTL 0x9C402088).

That is correct. ThrottleStop does use the WinRing0 driver and it does access the vulnerable Wrmsr command. That function does not allow memory access which is what anti-cheat software is trying to prevent.

I agree that the WinRing0 driver in the wrong hands has proven to be dangerous so it is up to Microsoft to block any software that tries to use or install WinRing0. Microsoft have known about this issue for years. Why have they not done anything? Riot Games' decision to block the dangerous WinRing0 driver is a good thing. Maybe it will force Microsoft to finally deal with this issue.

The bigger problem is that over 3 million people have downloaded ThrottleStop from TechPowerUp alone. They depend on it so their overpriced, underperforming laptops are not quite so miserable. All of ThrottleStop's functionality could easily be built into the BIOS but OEMs like Dell, HP, Asus, etc. choose not to do this. This would allow safe access to these functions without having to use any third party software that depends on a dangerous driver to function.

The computer industry does not seem to understand that people have had to install ThrottleStop not because they want to but because they have to. For most users, having the WinRing0 driver installed on their computer is less of an issue compared to having an expensive gaming laptop that is completely unusable for anything more strenuous than surfing the net.

> My game is unplayable without throttlestop!
 

pkzmbk

New Member
Joined
May 1, 2020
> There have been multiple versions of the WinRing0 driver released. The memory read/write capabilities were removed from the later versions.

There have indeed been multiple versions... ranging all the way to 2010. However, the driver bundled with ThrottleStop hasn't been changed since 2008. Regardless of which capabilities were officially removed over a decade ago, all the modern vulnerabilities that are going around (including reading arbitrary memory and gaining kernel privileges) still apply.

The "date modified" field doesn't mean anything here, as it's just metadata and many tools change it without modifying the file. The driver's digital signature says the .sys file was signed in 2008. You can see that in the "Digital Signatures" tab.

I found an old copy of WinRing0x64.sys (with a date modified field of 2008) and compared its checksum to the one bundled with ThrottleStop just to demonstrate my point.

old.png

compare.png


I don't think I'm necessarily disagreeing with you, but I very much want to make clear that the driver bundled with ThrottleStop is extremely old and can be used in cheats or malware to gain kernel privileges.
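Added example (not part of the thread and not code from any poster): a Python sketch of the comparison described in the post above, showing that two copies of a driver file can carry different "date modified" values while their content hash and the link timestamp stored inside the PE header are identical. The file names, the timestamps and the minimal PE header are constructed for the demonstration; no real driver is used.

```python
import hashlib
import os
import struct
import tempfile
from datetime import datetime, timezone

def pe_link_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp stored inside a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, pe_off + 8)[0]

def fingerprint(path: str) -> dict:
    """Identity taken from file content, with mtime kept only for contrast."""
    with open(path, "rb") as fh:
        data = fh.read()
    stamp = datetime.fromtimestamp(pe_link_timestamp(data), timezone.utc)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),    # content identity
        "link_time": stamp.isoformat(),                # stored in the file
        "mtime": os.path.getmtime(path),               # filesystem metadata
    }

def build_sample_image(stamp: int) -> bytes:
    """Constructed minimal MZ/PE header for the demo, not a real driver."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, stamp, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff

def demo():
    """Write one image twice with different mtimes and fingerprint both."""
    image = build_sample_image(1199145600)             # 2008-01-01 UTC
    with tempfile.TemporaryDirectory() as tmp:
        paths = [os.path.join(tmp, n) for n in ("old_copy.sys", "bundled_copy.sys")]
        for path, mtime in zip(paths, (1199145600, 1588291200)):
            with open(path, "wb") as fh:
                fh.write(image)
            os.utime(path, (mtime, mtime))             # touched in 2008 vs 2020
        old, bundled = [fingerprint(p) for p in paths]
    return old, bundled, old["sha256"] == bundled["sha256"]

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The link timestamp is whatever the build tool wrote, so the matching hash is the actual proof that two copies are the same file; the signing time is read from the "Digital Signatures" tab as the post describes.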
 