{"id":995,"date":"2017-11-13T16:51:33","date_gmt":"2017-11-13T15:51:33","guid":{"rendered":"http:\/\/www.greyhathacker.net\/?p=995"},"modified":"2022-04-12T12:25:53","modified_gmt":"2022-04-12T11:25:53","slug":"ikarus-anti-virus-and-its-9-exploitable-kernel-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.greyhathacker.net\/?p=995","title":{"rendered":"IKARUS anti.virus and its 9 exploitable kernel vulnerabilities"},"content":{"rendered":"

Here is a list of the 9 kernel vulnerabilities I discovered over a month ago in an antivirus product called IKARUS anti.virus which has finally been fixed. Most of the vulnerabilities were due to the inputted output buffer address (Irp->UserBuffer) being saved on the stack which is later used without being validated when using as an argument. The table below lists the ioctls, related CVE and type of vulnerability<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n
IOCTL<\/strong><\/td>\nCVE ID<\/strong><\/td>\nVulnerability Type<\/strong><\/td>\n<\/tr>\n
0x8300000c<\/td>\nCVE-2017-14961<\/td>\nArbitrary Write<\/td>\n<\/tr>\n
0x83000058<\/td>\nCVE-2017-14962<\/td>\nOut of Bounds Write<\/td>\n<\/tr>\n
0x83000058<\/td>\nCVE-2017-14963<\/td>\nArbitrary Write<\/td>\n<\/tr>\n
0x8300005c<\/td>\nCVE-2017-14964<\/td>\nArbitrary Write<\/td>\n<\/tr>\n
0x830000cc<\/td>\nCVE-2017-14965<\/td>\nArbitrary Write<\/td>\n<\/tr>\n
0x830000c0<\/td>\nCVE-2017-14966<\/td>\nArbitrary Write<\/td>\n<\/tr>\n
0x83000080<\/td>\nCVE-2017-14967<\/td>\nArbitrary Write<\/td>\n<\/tr>\n
0x830000c4<\/td>\nCVE-2017-14968<\/td>\nArbitrary Write<\/td>\n<\/tr>\n
0x83000084<\/td>\nCVE-2017-14969<\/td>\nArbitrary Write<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Fixed version numbers (vendors advisory<\/a> soon to be released<\/del>)<\/p>\n\n\n\n\n\n\n
<\/td>\nVulnerable version<\/strong><\/td>\nFixed version<\/strong><\/td>\n<\/tr>\n
Software<\/td>\n2.16.7<\/td>\n2.16.18<\/td>\n<\/tr>\n
ntguard.sys<\/td>\n0.18780.0.0<\/td>\n0.43.0.0<\/td>\n<\/tr>\n
ntguard_x64.sys<\/td>\n0.18780.0.0<\/td>\n0.43.0.0<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

I’m exploiting the vulnerable subroutine used by ioctl 0x8300000c by overwriting the _SEP_TOKEN_PRIVILEGES structure where arg_20 is our inputted output buffer address.<\/p>\n

<\/p>\n

In our process _SEP_TOKEN_PRIVILEGES structure I’m overwriting a byte in the “Present” field and a byte in the “Enabled” field with the hardcoded value of 0x11 by calling the vulnerable subroutine twice.<\/p>\n

DeviceIoControl(hDevice, 0x8300000c, NULL, 0, (LPVOID)PresentByteOffset, 0, &dwRetBytes, NULL);\r\nDeviceIoControl(hDevice, 0x8300000c, NULL, 0, (LPVOID)EnableByteOffset, 0, &dwRetBytes, NULL);<\/pre>\n
<\/p>\n
The exploit can be downloaded from here [zip<\/a>] (pass “ghh”) or from Exploit-DB when it gets published.<\/p>\n
@ParvezGHH<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Here is a list of the 9 kernel vulnerabilities I discovered over a month ago in an antivirus product called IKARUS anti.virus which has finally been fixed. Most of the vulnerabilities were due to the inputted output buffer address (Irp->UserBuffer) being saved on the stack which is later used without being validated when using as […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,8,7,6],"tags":[21,46],"class_list":["post-995","post","type-post","status-publish","format-standard","hentry","category-all","category-bugs","category-exploits","category-vulnerabilities","tag-elevate","tag-kernel"],"_links":{"self":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/995","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=995"}],"version-history":[{"count":7,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/995\/revisions"}],"predecessor-version":[{"id":1111,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/995\/revisions\/1111"}],"wp:attachment":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=995"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=995"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=995"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}