[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] SSD Advisory – Kingsoft Antivirus/Internet Security 9+ Privilege Escalation

SSD Advisory – Kingsoft Antivirus/Internet Security 9+ Privilege Escalation

Full report: https://blogs.securiteam.com/index.php/archives/3597
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerability Summary
The following advisory describes a kernel stack buffer overflow that leads
to privilege escalation found in Kingsoft Antivirus/Internet Security 9+.

Kingsoft Antivirus “provides effective and efficient protection solution at
no cost to users. It applies cloud security technology to monitor, scan and
protect your systems without any worrying. The comprehensive defender and
anti-virus tools prevent and protect your computer from unwanted virus,
worms, and Trojans. With the simplest and easiest-to-use functions, users
find themselves no difficulty to handle Kingsoft Antivirus.”

An independent security researcher, Steven Seeley, has reported this
vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
We tried to contact Kingsoft since October 8 2017, repeated attempts to
establish contact went unanswered. At this time there is no solution or
workaround for these vulnerability.

Vulnerability details
This vulnerability allows local attackers to escalate privileges on
vulnerable installations of Jungo WinDriver.

The specific flaws exists within the processing of IOCTL 0x80030004 or
0x80030008 by either the kavfm.sys (anti-virus) or the KWatch3.sys
(internet security) kernel driver.

The driver doesn’t properly validate user-supplied data which can result in
a kernel stack buffer overflow.

An attacker can leverage this vulnerability to execute arbitrary code under
the context of kernel.


; jumptable 000117C1 case 0

.text:000117C8 loc_117C8:                                      ; CODE XREF:


.text:000117C8                 push    ebx                     ; our input
buffer size

.text:000117C9                 lea     ecx, [esp+58h+var_40]   ; this is a
fixed size stack buffer of 0x40

.text:000117CD                 push    edi                     ; our input

.text:000117CE                 push    ecx                     ; char *

.text:000117CF                 call    strncpy                 ; stack
buffer overflow

.text:000117D4                 add     esp, 0Ch

.text:000117D7                 lea     edx, [esp+54h+var_40]

.text:000117DB                 push    edx                     ; char *

.text:000117DC                 mov     [esp+ebx+58h+var_40], 0

.text:000117E1                 call    sub_167B0

.text:000117E6                 pop     edi

.text:000117E7                 mov     esi, eax

.text:000117E9                 pop     esi

.text:000117EA                 pop     ebp

.text:000117EB                 pop     ebx

.text:000117EC                 add     esp, 44h

.text:000117EF                 retn    8


Maor Shwartz
Beyond Security
GPG Key ID: 6D273779F52A9FC2

Attachment: SSD Advisory – Kingsoft Antivirus_Internet Security 9+ Privilege Escalation.pdf
Description: Adobe PDF document

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/