Full Disclosure mailing list archives
SSD Advisory – Kingsoft Antivirus/Internet Security 9+ Privilege Escalation
From: Maor Shwartz <maors () beyondsecurity com>
Date: Sun, 31 Dec 2017 08:08:09 +0200
SSD Advisory – Kingsoft Antivirus/Internet Security 9+ Privilege Escalation

Full report: https://blogs.securiteam.com/index.php/archives/3597
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerability Summary
The following advisory describes a kernel stack buffer overflow that leads to privilege escalation, found in Kingsoft Antivirus/Internet Security 9+.

Kingsoft Antivirus “provides effective and efficient protection solution at no cost to users. It applies cloud security technology to monitor, scan and protect your systems without any worrying. The comprehensive defender and anti-virus tools prevent and protect your computer from unwanted virus, worms, and Trojans. With the simplest and easiest-to-use functions, users find themselves no difficulty to handle Kingsoft Antivirus.”

Credit
An independent security researcher, Steven Seeley, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
We tried to contact Kingsoft since October 8 2017; repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for this vulnerability.

Vulnerability details
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Jungo WinDriver. The specific flaw exists within the processing of IOCTL 0x80030004 or 0x80030008 by either the kavfm.sys (anti-virus) or the KWatch3.sys (internet security) kernel driver. The driver doesn’t properly validate user-supplied data, which can result in a kernel stack buffer overflow: the caller-supplied input length is used as the copy count into a fixed-size 0x40-byte stack buffer. An attacker can leverage this vulnerability to execute arbitrary code in the context of the kernel.
===
; jumptable 000117C1 case 0
.text:000117C8 loc_117C8:                                ; CODE XREF: sub_11790+31
.text:000117C8
.text:000117C8 push    ebx                               ; our input buffer size
.text:000117C9 lea     ecx, [esp+58h+var_40]             ; this is a fixed size stack buffer of 0x40
.text:000117CD push    edi                               ; our input buffer
.text:000117CE push    ecx                               ; char *
.text:000117CF call    strncpy                           ; stack buffer overflow
.text:000117D4 add     esp, 0Ch
.text:000117D7 lea     edx, [esp+54h+var_40]
.text:000117DB push    edx                               ; char *
.text:000117DC mov     [esp+ebx+58h+var_40], 0
.text:000117E1 call    sub_167B0
.text:000117E6 pop     edi
.text:000117E7 mov     esi, eax
.text:000117E9 pop     esi
.text:000117EA pop     ebp
.text:000117EB pop     ebx
.text:000117EC add     esp, 44h
.text:000117EF retn    8
===

--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 6D273779F52A9FC2
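The listing above copies ebx (the caller-controlled input length) bytes into a 0x40-byte stack buffer and then writes a terminator at buf[ebx]. The following user-mode C model is an added example, not code from the advisory or from Kingsoft's driver; it quantifies how far that path writes past the buffer for a given length and shows the length check the driver is missing (the STACK_BUF_SIZE constant and function names are constructed for illustration).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the overflowed case-0 path; not the driver's code. */
#define STACK_BUF_SIZE 0x40   /* the fixed-size stack buffer (var_40) in the listing */

/* Bytes the original path writes past the end of the buffer for a given
 * caller-controlled input length: strncpy writes exactly inlen bytes and the
 * following "mov [buf+inlen], 0" writes one more, so even inlen == 0x40 is
 * already an off-by-one past the buffer. */
size_t overflow_bytes(size_t inlen)
{
    size_t written = inlen + 1;          /* strncpy(inlen) + terminator */
    return written > STACK_BUF_SIZE ? written - STACK_BUF_SIZE : 0;
}

/* The check the driver omits: the request length must be validated against the
 * destination size, leaving room for the terminator, before anything is copied. */
bool ioctl_input_fits(size_t inlen)
{
    return inlen < STACK_BUF_SIZE;
}

/* Hardened shape of the handler: reject before touching the stack buffer and
 * bound the copy by the destination, not by the caller's length.
 * Returns 0 on success, -1 when the request is rejected. */
int handle_case0_hardened(const char *in, size_t inlen, char *out, size_t out_cap)
{
    char buf[STACK_BUF_SIZE];
    if (in == NULL || out == NULL || !ioctl_input_fits(inlen))
        return -1;
    memcpy(buf, in, inlen);
    buf[inlen] = '\0';
    /* ... the remaining processing (sub_167B0 in the listing) would use buf ... */
    if (strlen(buf) >= out_cap)
        return -1;
    strcpy(out, buf);
    return 0;
}

int main(void)
{
    char big[0x100], out[STACK_BUF_SIZE];
    memset(big, 'A', sizeof big);        /* constructed oversized request */
    printf("inlen 0x3f -> %zu bytes past buffer\n", overflow_bytes(0x3f));
    printf("inlen 0x40 -> %zu bytes past buffer\n", overflow_bytes(0x40));
    printf("inlen 0x100 -> %zu bytes past buffer\n", overflow_bytes(0x100));
    printf("oversized request rejected: %d\n", handle_case0_hardened(big, sizeof big, out, sizeof out) == -1);
    return 0;
}
```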
Attachment:
SSD Advisory – Kingsoft Antivirus_Internet Security 9+ Privilege Escalation.pdf
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/