CVE Security Posts

The information provided in these advisories is given without any warranty.

About CVE-2018-15499:
GEARAspiWDM.sys, version 2.2.5.0 (and possibly lower versions as well), is vulnerable to a race condition that allows an attacker to cause a DoS with low OS privileges. Using IOCTL 0x222004 the driver makes multiple unchecked fetches into userland at a specified address.
Security Risk Level:
CVSS (v3.0) = 6.7 Medium
Possible Solution(s) / Fix(es):
Add ProbeForRead/ProbeForWrite checks and use METHOD_BUFFERED for IO.
Exploit Code / Vulnerable Software Source(s): Github PoC Link
Contacting GEAR software failed.

About CVE-2018-16711:
IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send an IOCTL (0x9C402088) with a buffer containing user defined content. The driver's subroutine will execute a wrmsr instruction with the user's buffer for input.
Security Risk Level:
CVSS (v3.0) = 5.9 Medium
Possible Solution(s) / Fix(es):
Prevent wrmsr from being reachable from user mode, or limit the model specific registers that can be written.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-16712:
IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send a specially crafted IOCTL 0x9C406104 to read physical memory.
Security Risk Level:
CVSS (v3.0) = 4.6 Medium
Possible Solution(s) / Fix(es):
Prevent MmMapIoSpace from being reachable from user mode, or limit the address range that can be read.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-16713:
IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send an IOCTL (0x9C402084) with a buffer containing user defined content. The driver's subroutine will execute a rdmsr instruction with the user's buffer for input, and provide output from the instruction.
Security Risk Level:
CVSS (v3.0) = 3.2 Low
Possible Solution(s) / Fix(es):
Prevent rdmsr from being reachable from user mode.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-18026:
Advanced Malware Fighter (version 6.2, and possibly lower) contains IMFCameraProtect.sys which is vulnerable to a stack overflow attack when IOCTL 0x8018E000 is sent via DeviceIoControl with a user defined size. Return addresses in the stack can be overwritten and allow for code execution or a DoS.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-18714:
IOBit Advanced Malware Fighter (version 6.2, and possibly lower) contains RegFilter.sys which is vulnerable to a stack overflow attack when IOCTL 0x8006E010 is sent via DeviceIoControl with a user defined size. Return addresses in the stack can be overwritten and allow for code execution or a DoS.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-19084:
RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E05C with a size larger than 8 bytes. This can lead to denial of service or code execution with root privileges.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-19085:
RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E048 with a size larger than 8 bytes. This can lead to denial of service or code execution with root privileges.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-19086:
RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E040 with a size larger than 8 bytes. This can lead to denial of service or code execution with root privileges.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-19087:
RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E044 with a size larger than 8 bytes. This can lead to denial of service or code execution with root privileges.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-19522:
DriverAgent 2.2015.7.14, which includes DrvAgent64.sys 1.0.0.1, allows a user to send an IOCTL (0x800020F4) with a buffer containing user defined content. The driver's subroutine will execute a wrmsr instruction with the user's buffer for partial input.
Security Risk Level:
CVSS (v3.0) = 6.7 High
Possible Solution(s) / Fix(es):
Prevent wrmsr from being reachable from user mode.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting DriverAgent failed.

About CVE-2018-19523:
DriverAgent 2.2015.7.14, which includes DrvAgent64.sys 1.0.0.1, allows a user to send an IOCTL (0x80002068) with a user defined buffer size. If the size of the buffer is less than 512 bytes, then a bad memset call will overwrite the next pool header if there is one adjacent to the user's buffer pool.
Security Risk Level:
CVSS (v3.0) = 6.7 High
Possible Solution(s) / Fix(es):
Use a dynamic size value in memset, derived from the buffer actually supplied. Check for minimum sizes as well as maximum sizes.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting DriverAgent failed.
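The two fixes repeated in the entries above, a fixed size for memory movement functions (CVE-2018-18026 through CVE-2018-19087) and a dynamic, bounded size for memset (CVE-2018-19523), shown together as an added example; this is not code from any of the listed vendors or PoCs, and the request layout, status codes and OUTPUT_MIN/OUTPUT_MAX bounds are constructed. It is portable C rather than a WDK driver, so the kernel-side ProbeForRead/ProbeForWrite calls are noted in comments only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed request layout standing in for a driver's fixed-size IOCTL input. */
typedef struct { uint32_t opcode; uint32_t value; } ioctl_request_t;
#define REQUEST_SIZE sizeof(ioctl_request_t)
#define OUTPUT_MIN   16u    /* smallest response buffer accepted; holds a full request */
#define OUTPUT_MAX   512u   /* largest region this IOCTL may ever touch */
/* Constructed status codes in the role NTSTATUS values play in a real driver. */
enum { STATUS_SUCCESS = 0, STATUS_INVALID_BUFFER_SIZE = 1,
       STATUS_BUFFER_TOO_SMALL = 2, STATUS_INVALID_PARAMETER = 3 };
/* Input side (RegFilter.sys / IMFCameraProtect.sys pattern): the stack copy is sized by
 * the structure, never by the caller, and the caller's length must match it exactly. */
static int copy_request(const void *input, size_t input_len, ioctl_request_t *req)
{
    if (input == NULL || input_len != REQUEST_SIZE)
        return STATUS_INVALID_BUFFER_SIZE;
    memmove(req, input, REQUEST_SIZE);
    return STATUS_SUCCESS;
}
/* Output side (DrvAgent64.sys pattern): memset uses the length actually supplied, bounded
 * on both ends; a fixed memset(out, 0, 512) on a shorter pool block would hit its neighbour. */
static int clear_output(void *output, size_t output_len)
{
    if (output == NULL || output_len > OUTPUT_MAX)
        return STATUS_INVALID_PARAMETER;
    if (output_len < OUTPUT_MIN)
        return STATUS_BUFFER_TOO_SMALL;
    memset(output, 0, output_len);
    return STATUS_SUCCESS;
}

/* Dispatch: validate both directions before any byte moves. METHOD_BUFFERED hands us a kernel
 * SystemBuffer; METHOD_NEITHER would also need ProbeForRead/ProbeForWrite in __try/__except. */
int handle_ioctl(const void *input, size_t input_len,
                 void *output, size_t output_len, size_t *bytes_returned)
{
    ioctl_request_t req; int status;
    *bytes_returned = 0;
    if ((status = copy_request(input, input_len, &req)) != STATUS_SUCCESS)
        return status;
    if (req.opcode != 1 && req.opcode != 2)  /* allow-list of known operations */
        return STATUS_INVALID_PARAMETER;
    if ((status = clear_output(output, output_len)) != STATUS_SUCCESS)
        return status;
    memmove(output, &req, REQUEST_SIZE);    /* fits: OUTPUT_MIN >= REQUEST_SIZE */
    *bytes_returned = REQUEST_SIZE;
    return STATUS_SUCCESS;
}
```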

About CVE-2018-20404:
ETK_E900.sys, a SmartETK driver for the VIA Technologies EPIA-E900 system board, is vulnerable to a denial of service attack via IOCTL 0x9C402048, which calls memmove and repeatedly fails on an arbitrary (uncontrollable) address, resulting in an indefinite hang or a BSoD.
Security Risk Level:
CVSS (v3.0) = 6.7 Medium
Possible Solution(s) / Fix(es):
Validate the arguments before calling memmove.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Unable to get past VIA Technologies support page.

About CVE-2019-6492:
SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an executable kernel pool that is allocated with user defined bytes and size when IOCTL 0x9C401CC4 is called. This kernel pointer can be leaked if the kernel pool becomes a "big" pool.
Security Risk Level:
CVSS (v3.0) = 3.0 Low
Possible Solution(s) / Fix(es):
Free any kernel pools before the function returns.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2019-6493:
SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an executable kernel pool that is allocated with user defined bytes and size when IOCTL 0x9C401CC0 is called. This kernel pointer can be leaked if the kernel pool becomes a "big" pool.
Security Risk Level:
CVSS (v3.0) = 3.0 Low
Possible Solution(s) / Fix(es):
Free any kernel pools before the function returns.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2019-6494:
IMFForceDelete.sys in IObit Malware Fighter 6.2 allows a low privileged user to send IOCTL 0x8016E000 along with a user defined string naming a file, which is then promptly deleted regardless of access controls.
Security Risk Level:
CVSS (v3.0) = 6.3 Medium
Possible Solution(s) / Fix(es):
Do not allow users to specify an arbitrary file.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2019-11867:
Coming Soon.
Security Risk Level:
CVSS (v3.0) = N/A
Possible Solution(s) / Fix(es):
N/A
Exploit Code / Vulnerable Software Source(s) [Private]:
N/A

About CVE-2019-11868:
See.sys, up to version 4.25, in SoftEther VPN Server, versions 4.29 or older, allows a user to call an IOCTL specifying any kernel address to which arbitrary bytes are then written.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use ProbeForRead and ProbeForWrite to validate addresses.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Worked with a developer of SoftEther to fix the issue and current versions are no longer affected.

About CVE-2019-6165:
AdminService.exe, included in the driver installer package for Qualcomm Atheros QCA61x4 devices, versions 10.0.10011.16384 (unconfirmed) or older, allows an unprivileged user to specify normally restricted registry keys to create or delete.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Do not read input files containing sensitive configuration information from locations writable by low privileged users.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Reported to Qualcomm's PSIRT and coordinated public disclosure. Unknown if newer versions are still affected.

About CVE-2019-10617:
PLHotkeyService.exe, versions 1.2.0.8 or older, runs as a system service and is vulnerable to a DLL hijacking attack which results in privilege escalation.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Do not run system service programs from locations writable by low privileged users. Use strict DLL paths.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Reported to Lenovo's PSIRT and coordinated public disclosure. Product is being phased out. No patch released.