Bit | Cogent Cis-202 Iris Scanner Driver Windows 7 32
Application (Biometric Service Provider) ↓ winbio.dll (Windows Biometric Framework - optional) ↓ cis202.dll (User-mode vendor library) ↓ DeviceIoControl() → [IOCTL calls] ↓ cis202.sys (Kernel-mode WDM driver) ↓ USB stack (usbhub.sys, usbccgp.sys) ↓ CIS-202 Hardware From binary analysis of cis202.sys (version 2.1.0.7):
[Cogent.NTx86] %DeviceDesc%=CIS202_Install, USB\VID_1D3C&PID_0202 cogent cis-202 iris scanner driver windows 7 32 bit
| CVE | Issue | Impact | |-----|-------|--------| | CVE-2019-1189 | Improper input validation in IOCTL 0x222000 | Local privilege escalation via buffer overflow in kernel pool | | CVE-2018-8213 | Driver allows arbitrary user-mode read of iris buffer | Information disclosure (iris template theft) | | No CVE (unpatched) | No IOMMU protection – DMA attacks possible if USB port accessible | Physical memory read/write | Application (Biometric Service Provider) ↓ winbio
// Pseudocode from decompiled cis202.sys NTSTATUS CaptureIrisImage(PDEVICE_EXTENSION dx, PUCHAR outBuffer, ULONG outLen) PURB urb = ExAllocatePool(NonPagedPool, sizeof(_URB_BULK_OR_INTERRUPT_TRANSFER)); urb->UrbBulkOrInterruptTransfer.TransferBufferLength = IRIS_RAW_SIZE; // 640*480 = 307200 bytes urb->UrbBulkOrInterruptTransfer.TransferBuffer = dx->IrisBuffer; // Non-paged pool urb->UrbBulkOrInterruptTransfer.TransferFlags = USBD_TRANSFER_DIRECTION_IN; IoCallDriver(dx->UsbDevice, urb); RtlCopyMemory(outBuffer, dx->IrisBuffer, outLen); ULONG outLen) PURB urb = ExAllocatePool(NonPagedPool
| IOCTL | Function | |-------|----------| | 0x222000 | Capture iris image (returns raw 8-bit grayscale) | | 0x222004 | Set LED brightness (parameter: 0-255) | | 0x222008 | Get device firmware version | | 0x22200C | Start video stream for focus assist | | 0x222010 | Stop video stream |
bcdedit /set loadoptions DISABLE_INTEGRITY_CHECKS bcdedit /set testsigning on The driver uses a single mapped buffer for DMA-less USB bulk transfers:
qemu-system-x86_32 -usb -device usb-host,vendorid=0x1d3c,productid=0x0202 \ -drive file=win7_x86.qcow2 -m 2048 Or use a via libusb and a custom userspace driver that responds to the IOCTLs with pre-captured iris images. 8. Modern Alternatives & Migration Path Given the obsolescence, a deep paper should conclude with pragmatic advice:
