CVE Security Posts

The discoveries listed here are provided without any warranty.

About CVE-2018-15499:
GEARAspiWDM.sys, version 2.2.5.0 (and possibly lower versions as well), is vulnerable to a race condition that allows an attacker with low OS privileges to cause a DoS. Through IOCTL 0x222004 the driver makes multiple unchecked fetches from user-mode memory at a caller-specified address, so the value it validates is not necessarily the value it later uses.
Security Risk Level:
CVSS (v3.0) = 6.7 Medium
Possible Solution(s) / Fix(es):
Add ProbeForRead/ProbeForWrite checks on caller-supplied addresses and use METHOD_BUFFERED for the IOCTL, so the request is copied into a kernel buffer once and validated there rather than re-read from user memory after the check.
Exploit Code / Vulnerable Software Source(s): Github PoC Link
Contacting GEAR software failed.
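
The unchecked-fetch pattern above, as an added C model (not GEAR Software's code and not the driver's): user memory is an array the caller owns, the ProbeForRead step is a range check, the window in which a second thread can run between the driver's two fetches is an explicit hook, and the request layout, buffer size and function names are all assumptions. The vulnerable handler copies whatever length the racing thread supplies; the hardened one probes the pointer first and fetches the length exactly once.

```c
/*
 * Added example, not code from GEAR Software or the driver: a user-mode C
 * model of the "unchecked fetch from user memory" pattern.  User memory is
 * an array the caller owns, ProbeForRead is replaced by a range check, and
 * the window in which a second thread could run between the driver's two
 * fetches is modelled by an explicit hook.  Names and layouts are assumed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_SIZE 64                 /* assumed size of the driver's kernel buffer */

/* Assumed request layout found at the address the caller passes in. */
typedef struct {
    volatile size_t len;             /* attacker-controlled; can change at any time */
    unsigned char   data[4096];      /* large backing store so the model never faults */
} user_req_t;

/* Stand-in for the scheduler: emulates a second thread that rewrites the
 * request between the driver's fetches.  NULL means no racing thread. */
static void (*race_window)(user_req_t *ureq) = NULL;

/* Vulnerable pattern: len is fetched once for the check and again for the
 * copy, so the value that was checked is not the value that is used.
 * Returns the number of bytes copied, or -1 if the request was rejected. */
long handle_ioctl_vuln(user_req_t *ureq, unsigned char *kbuf, size_t kbuf_sz)
{
    if (ureq->len > kbuf_sz)                     /* fetch #1: the check */
        return -1;
    if (race_window)
        race_window(ureq);                       /* another thread runs here */
    size_t n = ureq->len;                        /* fetch #2: the use */
    memcpy(kbuf, ureq->data, n);                 /* n may now exceed kbuf_sz */
    return (long)n;
}

/* Hardened pattern: verify the pointer lies inside the caller's address range
 * (ProbeForRead's job in a real driver), fetch the length exactly once into
 * kernel-owned storage, and use only that copy for the check and the copy. */
long handle_ioctl_safe(user_req_t *ureq, unsigned char *kbuf, size_t kbuf_sz,
                       uintptr_t user_lo, uintptr_t user_hi)
{
    uintptr_t start = (uintptr_t)ureq;
    if (start < user_lo || start + sizeof *ureq > user_hi || start + sizeof *ureq < start)
        return -1;                               /* not user memory: reject */
    size_t len = ureq->len;                      /* single fetch */
    if (race_window)
        race_window(ureq);                       /* changes user memory only */
    if (len > kbuf_sz)
        return -1;
    memcpy(kbuf, ureq->data, len);               /* uses the checked value */
    return (long)len;
}

/* ---- constructed demo: a 16-byte request whose length is flipped to 1000 ---- */
static user_req_t    g_req;                      /* constructed "user memory" */
static unsigned char g_kbuf[4096];               /* real backing store; the driver
                                                    believes it is KBUF_SIZE bytes */

static void racing_writer(user_req_t *u) { u->len = 1000; }

static void reset_demo(void)
{
    memset(&g_req, 0, sizeof g_req);
    g_req.len = 16;                              /* passes the check */
    race_window = racing_writer;
}

long demo_vuln(void)                             /* returns 1000: copied past KBUF_SIZE */
{
    reset_demo();
    return handle_ioctl_vuln(&g_req, g_kbuf, KBUF_SIZE);
}

long demo_safe(void)                             /* returns 16: the checked length */
{
    reset_demo();
    return handle_ioctl_safe(&g_req, g_kbuf, KBUF_SIZE,
                             (uintptr_t)&g_req, (uintptr_t)&g_req + sizeof g_req);
}

long demo_kernel_pointer(void)                   /* returns -1: address outside user range */
{
    reset_demo();
    race_window = NULL;
    return handle_ioctl_safe(&g_req, g_kbuf, KBUF_SIZE,
                             (uintptr_t)g_kbuf, (uintptr_t)g_kbuf + sizeof g_kbuf);
}

int main(void)
{
    printf("vulnerable handler copied %ld bytes into a %d-byte buffer\n", demo_vuln(), KBUF_SIZE);
    printf("hardened handler copied %ld bytes\n", demo_safe());
    printf("hardened handler on non-user address: %ld\n", demo_kernel_pointer());
    return 0;
}
```

The hook is the only non-realistic part: on a real system the second write lands whenever the scheduler lets the attacker's second thread run, which is why the bug shows up as an intermittent crash rather than a deterministic one.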
 

About CVE-2018-16711:
IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send an IOCTL (0x9C402088) with a buffer containing user-defined content. The driver's subroutine executes a wrmsr instruction with the user's buffer as input, giving an unprivileged caller a write to arbitrary model-specific registers (including the SYSCALL entry point, IA32_LSTAR).
Security Risk Level:
CVSS (v3.0) = 5.9 Medium
Possible Solution(s) / Fix(es):
Do not expose wrmsr to user mode, or restrict the model-specific registers (and the values) that can be written.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-16712:
IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send a specially crafted IOCTL 0x9C406104 to read physical memory at a caller-chosen address.
Security Risk Level:
CVSS (v3.0) = 4.6 Medium
Possible Solution(s) / Fix(es):
Do not expose MmMapIoSpace to user-mode callers, or limit the physical address range that can be read.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-16713:
IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send an IOCTL (0x9C402084) with a buffer containing user-defined content. The driver's subroutine executes an rdmsr instruction with the user's buffer as input and returns the instruction's output to the caller; reading registers such as IA32_LSTAR discloses kernel addresses and defeats KASLR.
Security Risk Level:
CVSS (v3.0) = 3.2 Low
Possible Solution(s) / Fix(es):
Do not expose rdmsr to user mode, or restrict the registers that can be read.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-18026:
IObit Advanced Malware Fighter (version 6.2, and possibly lower) contains IMFCameraProtect.sys, which is vulnerable to a stack-based buffer overflow when IOCTL 0x8018E000 is sent via DeviceIoControl with a user-defined size. Return addresses on the stack can be overwritten, allowing code execution or a DoS.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions and reject requests whose input length does not match it.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-18714:
IObit Advanced Malware Fighter (version 6.2, and possibly lower) contains RegFilter.sys, which is vulnerable to a stack-based buffer overflow when IOCTL 0x8006E010 is sent via DeviceIoControl with a user-defined size. Return addresses on the stack can be overwritten, allowing code execution or a DoS.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions and reject requests whose input length does not match it.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-19084:
RegFilter.sys in IObit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E05C with a size larger than 8 bytes. This can lead to denial of service or code execution in kernel mode.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions and reject requests whose input length does not match it.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-19085:
RegFilter.sys in IObit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E048 with a size larger than 8 bytes. This can lead to denial of service or code execution in kernel mode.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions and reject requests whose input length does not match it.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-19086:
RegFilter.sys in IObit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E040 with a size larger than 8 bytes. This can lead to denial of service or code execution in kernel mode.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions and reject requests whose input length does not match it.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-19087:
RegFilter.sys in IObit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E044 with a size larger than 8 bytes. This can lead to denial of service or code execution in kernel mode.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions and reject requests whose input length does not match it.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-19522:
DriverAgent 2.2015.7.14, which includes DrvAgent64.sys 1.0.0.1, allows a user to send an IOCTL (0x800020F4) with a buffer containing user-defined content. The driver's subroutine executes a wrmsr instruction with the user's buffer as partial input.
Security Risk Level:
CVSS (v3.0) = 6.7 Medium
Possible Solution(s) / Fix(es):
Do not expose wrmsr to user mode.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting DriverAgent failed.
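
For the three MSR issues listed above (CVE-2018-16711, CVE-2018-16713 and CVE-2018-19522), an added C model that is not code from IObit or DriverAgent: it shows what an unprivileged caller gains from forwarded rdmsr/wrmsr and the allow-list the fixes call for. The MSR bank is a constructed array standing in for the CPU; the IOCTL buffer layout and every address and offset are invented, and only the two MSR index constants are real.

```c
/*
 * Added example, not code from IObit or DriverAgent: a user-mode C model of
 * IOCTLs that forward rdmsr/wrmsr to the caller, what an unprivileged process
 * gains from them, and the allow-list the fixes call for.  The MSR bank is a
 * constructed array standing in for the CPU; the two MSR indices are the real
 * x86-64 ones, every address and offset below is invented.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MSR_IA32_TSC    0x00000010u   /* time-stamp counter: harmless to read */
#define MSR_IA32_LSTAR  0xC0000082u   /* 64-bit SYSCALL entry: a kernel code address */

/* Assumed IOCTL buffer layout: which register and, for writes, which value. */
typedef struct { uint32_t index; uint64_t value; } msr_req_t;

#define SYSCALL_ENTRY_CONSTRUCTED  0xFFFFF80000C30000ULL /* invented LSTAR contents */
#define SYSCALL_ENTRY_IMAGE_OFFSET 0x30000ULL            /* invented offset from kernel base */

static struct { uint32_t index; uint64_t value; } g_msrs[2]; /* constructed MSR bank */

static void reset_msr_bank(void)
{
    g_msrs[0].index = MSR_IA32_TSC;   g_msrs[0].value = 12345;
    g_msrs[1].index = MSR_IA32_LSTAR; g_msrs[1].value = SYSCALL_ENTRY_CONSTRUCTED;
}

static uint64_t *msr_slot(uint32_t index)
{
    for (size_t i = 0; i < sizeof g_msrs / sizeof g_msrs[0]; i++)
        if (g_msrs[i].index == index) return &g_msrs[i].value;
    return NULL;                                /* unknown MSR: #GP on real hardware */
}

/* Vulnerable handlers: any index, any value, straight from the user buffer. */
bool ioctl_rdmsr_vuln(const msr_req_t *req, uint64_t *out)
{
    uint64_t *slot = msr_slot(req->index);
    if (!slot) return false;
    *out = *slot;                               /* rdmsr */
    return true;
}
bool ioctl_wrmsr_vuln(const msr_req_t *req)
{
    uint64_t *slot = msr_slot(req->index);
    if (!slot) return false;
    *slot = req->value;                         /* wrmsr */
    return true;
}

/* What the caller does with them: reading LSTAR reveals where kernel code
 * lives (defeating KASLR); writing it redirects every system call. */
uint64_t attacker_leak_kernel_base(void)
{
    msr_req_t req = { MSR_IA32_LSTAR, 0 };
    uint64_t lstar = 0;
    ioctl_rdmsr_vuln(&req, &lstar);
    return lstar - SYSCALL_ENTRY_IMAGE_OFFSET;  /* 0xFFFFF80000C00000 in this model */
}
bool attacker_hijack_syscall(uint64_t attacker_code)
{
    msr_req_t req = { MSR_IA32_LSTAR, attacker_code };
    return ioctl_wrmsr_vuln(&req) && *msr_slot(MSR_IA32_LSTAR) == attacker_code;
}

/* Hardened handlers: one allow-list per operation.  A real product would list
 * only the registers its feature needs; in this model nothing is writable. */
static const uint32_t readable_msrs[] = { MSR_IA32_TSC };
static const uint32_t *writable_msrs = NULL;
static const size_t   n_writable    = 0;

static bool allowed(uint32_t index, const uint32_t *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == index) return true;
    return false;
}
bool ioctl_rdmsr_safe(const msr_req_t *req, uint64_t *out)
{
    if (!allowed(req->index, readable_msrs, sizeof readable_msrs / sizeof readable_msrs[0]))
        return false;
    return ioctl_rdmsr_vuln(req, out);          /* same instruction, vetted index */
}
bool ioctl_wrmsr_safe(const msr_req_t *req)
{
    return allowed(req->index, writable_msrs, n_writable) && ioctl_wrmsr_vuln(req);
}

/* Constructed demos. */
uint64_t demo_vuln_leak(void)   { reset_msr_bank(); return attacker_leak_kernel_base(); }
bool     demo_vuln_hijack(void) { reset_msr_bank(); return attacker_hijack_syscall(0x4141414141414141ULL); }
bool demo_safe_blocks_lstar(void)  /* true: neither access gets through and LSTAR is intact */
{
    msr_req_t req = { MSR_IA32_LSTAR, 0x4141414141414141ULL };
    uint64_t v = 0;
    reset_msr_bank();
    return !ioctl_rdmsr_safe(&req, &v) && !ioctl_wrmsr_safe(&req)
        && *msr_slot(MSR_IA32_LSTAR) == SYSCALL_ENTRY_CONSTRUCTED;
}
bool demo_safe_allows_tsc(void)    /* true: the harmless read still works */
{
    msr_req_t req = { MSR_IA32_TSC, 0 };
    uint64_t v = 0;
    reset_msr_bank();
    return ioctl_rdmsr_safe(&req, &v) && v == 12345;
}
```

The point of the allow-list is that the privileged instruction stays in the driver but the choice of register no longer belongs to the caller; a driver that genuinely needs to write a register should list that one register and nothing else.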

About CVE-2018-19523:
DriverAgent 2.2015.7.14, which includes DrvAgent64.sys 1.0.0.1, allows a user to send an IOCTL (0x80002068) with a user-defined buffer size. If the buffer is smaller than 512 bytes, a memset call that does not use the buffer's actual size writes past the end of the allocation and overwrites the next pool header, if one is adjacent to the user's buffer pool.
Security Risk Level:
CVSS (v3.0) = 6.7 Medium
Possible Solution(s) / Fix(es):
Use the buffer's actual size in the memset call, and enforce a minimum input size as well as a maximum.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting DriverAgent failed.

About CVE-2018-20404:
ETK_E900.sys version 1.0.0.33, a SmartETK driver for the VIA Technologies EPIA-E900 system board, is vulnerable to a denial-of-service attack via IOCTL 0x9C402048, which calls memmove on an arbitrary (not attacker-controllable) address and fails repeatedly, resulting in an indefinite hang or a BSoD.
Security Risk Level:
CVSS (v3.0) = 6.7 Medium
Possible Solution(s) / Fix(es):
Validate the source and destination addresses before calling memmove.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Unable to get past VIA Technologies support page.

About CVE-2019-6492:
SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an executable kernel pool allocation that is made with user-defined bytes and size when IOCTL 0x9C401CC4 is called. The address of this allocation can be leaked if it is large enough to land in the "big" pool, whose entries can be enumerated from user mode.
Security Risk Level:
CVSS (v3.0) = 3.0 Low
Possible Solution(s) / Fix(es):
Free any kernel pool allocations before the function returns.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2019-6493:
SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an executable kernel pool allocation that is made with user-defined bytes and size when IOCTL 0x9C401CC0 is called. The address of this allocation can be leaked if it is large enough to land in the "big" pool, whose entries can be enumerated from user mode.
Security Risk Level:
CVSS (v3.0) = 3.0 Low
Possible Solution(s) / Fix(es):
Free any kernel pool allocations before the function returns.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2019-6494:
IMFForceDelete.sys in IObit Malware Fighter 6.2 allows a low-privileged user to send IOCTL 0x8016E000 with a user-defined string naming a file, which is promptly deleted regardless of access controls.
Security Risk Level:
CVSS (v3.0) = 6.3 Medium
Possible Solution(s) / Fix(es):
Do not let callers name arbitrary files; check that the caller has the right to delete the target before deleting it on the caller's behalf.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2019-11867:
Realtek NDIS driver rt640x64.sys, file version 10.1.505.2015, performs no size check on an input buffer from user space and assumes the buffer is larger than zero bytes; a zero-length request therefore leaves the driver dereferencing a NULL buffer pointer.
Security Risk Level:
CVSS (v3.0) = 3.0 Low
Possible Solution(s) / Fix(es):
Check the input buffer length before touching the buffer, and always remember that pointers can be null.
Exploit Code / Vulnerable Software Source(s) [In Stockpile] :
Github PoC Link
Failed to contact Realtek.
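
The stack overflows with a caller-chosen size (CVE-2018-18026, CVE-2018-18714 and CVE-2018-19084 through CVE-2018-19087), the fixed-length memset over a caller-sized pool buffer (CVE-2018-19523) and the missing minimum length (CVE-2019-11867) are three faces of one mistake, so one added C model covers all of them. It is not code from IObit, DriverAgent or Realtek: the stack frame and the pool are byte arrays laid out like the real structures, and the status values, sizes and request layouts are assumptions.

```c
/*
 * Added example, not code from IObit, DriverAgent or Realtek: a user-mode C
 * model of three length mistakes in IOCTL handlers: (a) the caller's length
 * drives a copy into a fixed stack buffer, (b) a fixed length drives a memset
 * over a caller-sized pool allocation, (c) no minimum length is enforced.
 * The "stack frame" and "pool" are byte arrays laid out like the real thing;
 * status values, sizes and layouts are assumed.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STATUS_SUCCESS             0
#define STATUS_INVALID_BUFFER_SIZE (-1)

/* (a) An 8-byte local followed by the saved return address. */
#define LOCAL_SIZE 8
enum { FRAME_SIZE = LOCAL_SIZE + sizeof(uint64_t) };

/* Vulnerable: memmove takes the caller's length.  The model frame is FRAME_SIZE
 * bytes, so the demo sends exactly that much; a real stack has no such limit.
 * *saved_ret receives whatever the return-address slot holds afterwards. */
int stack_copy_vuln(const unsigned char *in, size_t inlen, uint64_t *saved_ret)
{
    unsigned char frame[FRAME_SIZE] = {0};
    memmove(frame, in, inlen);                   /* inlen > LOCAL_SIZE reaches the slot */
    memcpy(saved_ret, frame + LOCAL_SIZE, sizeof *saved_ret);
    return STATUS_SUCCESS;
}
/* Hardened: the request has one valid size; anything else is rejected first. */
int stack_copy_safe(const unsigned char *in, size_t inlen, uint64_t *saved_ret)
{
    unsigned char frame[FRAME_SIZE] = {0};
    if (inlen != LOCAL_SIZE)
        return STATUS_INVALID_BUFFER_SIZE;
    memmove(frame, in, LOCAL_SIZE);
    memcpy(saved_ret, frame + LOCAL_SIZE, sizeof *saved_ret);
    return STATUS_SUCCESS;
}

/* (b) Each pool allocation is preceded by a header; the neighbour's header
 * sits immediately after this allocation's data.  Model pool: 1024 bytes. */
#define POOL_MAGIC   0x504F4F4Cu                 /* constructed header marker */
#define HEADER_SIZE  8
#define FIXED_MEMSET 512                         /* the hard-coded memset length */
static unsigned char g_pool[1024];

/* Lays out [hdr][user_size bytes][hdr], zeroes the data with memset_len bytes,
 * and returns 1 if the neighbour's header was damaged, 0 if it survived. */
static int zero_and_check_neighbour(size_t user_size, size_t memset_len)
{
    unsigned char *data = g_pool + HEADER_SIZE, *next_hdr = data + user_size;
    uint32_t magic = POOL_MAGIC, after;
    memset(g_pool, 0, sizeof g_pool);
    memcpy(g_pool, &magic, sizeof magic);
    memcpy(next_hdr, &magic, sizeof magic);
    memset(data, 0, memset_len);
    memcpy(&after, next_hdr, sizeof after);
    return after == POOL_MAGIC ? 0 : 1;
}
int pool_zero_vuln(size_t user_size)             /* always 512, whatever was allocated */
{
    return zero_and_check_neighbour(user_size, FIXED_MEMSET);
}
int pool_zero_safe(size_t user_size)             /* bounded below and above, then exact */
{
    if (user_size < HEADER_SIZE || user_size > FIXED_MEMSET)
        return STATUS_INVALID_BUFFER_SIZE;
    return zero_and_check_neighbour(user_size, user_size);
}

/* (c) With METHOD_BUFFERED and zero-length input and output buffers the I/O
 * manager allocates no system buffer, so the pointer the handler gets is NULL. */
int read_opcode_vuln(const uint32_t *sysbuf, uint32_t *opcode)
{
    *opcode = *sysbuf;                           /* faults on a zero-length request */
    return STATUS_SUCCESS;
}
int read_opcode_safe(const uint32_t *sysbuf, size_t inlen, uint32_t *opcode)
{
    if (sysbuf == NULL || inlen < sizeof *opcode)
        return STATUS_INVALID_BUFFER_SIZE;
    *opcode = *sysbuf;
    return STATUS_SUCCESS;
}

/* Constructed demos: a 16-byte request of 0x41 against the 8-byte local. */
uint64_t demo_stack_vuln(void)                   /* 0x4141414141414141: slot overwritten */
{
    unsigned char req[FRAME_SIZE]; uint64_t ret = 0;
    memset(req, 0x41, sizeof req);
    stack_copy_vuln(req, sizeof req, &ret);
    return ret;
}
int demo_stack_safe(void)                        /* STATUS_INVALID_BUFFER_SIZE, nothing copied */
{
    unsigned char req[FRAME_SIZE]; uint64_t ret = 0;
    memset(req, 0x41, sizeof req);
    return stack_copy_safe(req, sizeof req, &ret);
}
int demo_zero_length(void)                       /* STATUS_INVALID_BUFFER_SIZE instead of a fault */
{
    uint32_t op = 0;
    return read_opcode_safe(NULL, 0, &op);
}
```

Note the asymmetry in (b): the page's fix for the stack cases is "use a fixed size", while the fix for the pool case is "use the dynamic size". Both say the same thing: the length passed to the copy must be the one the destination was actually sized for, and the request is rejected when the caller's length disagrees with it.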

About CVE-2019-11868:
See.sys, up to version 4.25, in SoftEther VPN Server versions 4.29 and older, allows a user to call an IOCTL that specifies any kernel address, to which arbitrary bytes are then written.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use ProbeForRead and ProbeForWrite to validate caller-supplied addresses before reading from or writing to them.
Exploit Code / Vulnerable Software Source(s) [In Stockpile] :
Github PoC Link
Worked with a developer of SoftEther to fix the issue and current versions are no longer affected.

About CVE-2019-6165:
AdminService.exe, included in the driver installer package for Qualcomm Atheros QCA61x4 devices, versions 10.0.10011.16384 and older, reads its configuration from a location writable by unprivileged users, which lets such a user specify normally restricted registry keys to create or delete.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Do not read input files containing sensitive configuration information from locations writable by low-privileged users.
Exploit Code / Vulnerable Software Source(s) [In Stockpile] :
Github PoC Link
Reported to Qualcomm's PSIRT and coordinated public disclosure. Unknown if newer versions are still affected.

About CVE-2019-10617:
PLHotkeyService.exe, versions 1.2.0.8 and older, runs as a system service and is vulnerable to a DLL hijacking attack that results in privilege escalation.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Do not run system service programs from locations writable by low-privileged users, and load DLLs only by fully qualified path.
Exploit Code / Vulnerable Software Source(s) [In Stockpile] :
Github PoC Link
Reported to Lenovo's PSIRT and coordinated public disclosure. Product is being phased out. No patch released.

About CVE-2019-8007:
Adobe's armsvc.exe, versions 1.824.31.1644 and older, runs as a system service and can be manipulated into deleting arbitrary files regardless of access controls.
Security Risk Level:
CVSS (v3.0) = 3.8 Low
Possible Solution(s) / Fix(es):
Be careful when high-privilege programs interact with locations writable by low-privileged users.
Exploit Code / Vulnerable Software Source(s) [Private] :
Github PoC Link
Reported to Adobe's PSIRT and coordinated public disclosure. Product was patched in APSB19-41.

About CVE-2020-8508:
Norman Malware Cleaner, versions 2.08.08 and possibly others, loads nsak64.sys, which allows unprivileged users to call arbitrary kernel functions.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Never accept function pointers from user mode; have callers name an operation and dispatch it through a fixed table of kernel routines.
Exploit Code / Vulnerable Software Source(s) [In Stockpile] :
Github PoC Link
Norman Safeground AS is no longer in business, and therefore the product is no longer supported.
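
The function-pointer primitive above, as an added C model (not Norman's code): the caller hands the driver a code address and two arguments and the driver calls it; the hardened form takes an opcode into a table the driver owns. The two "kernel routines", the request layouts and the token flag are invented.

```c
/*
 * Added example, not code from Norman Safeground: a user-mode C model of an
 * IOCTL that takes a function pointer plus arguments from the caller and
 * invokes it in kernel context, and of the opcode/dispatch-table replacement.
 * The two "kernel routines" and the request layouts are invented.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t (*kfn_t)(uint64_t, uint64_t);

/* Two routines inside the "kernel".  The second must never be reachable from
 * user mode: it models a privilege-granting primitive. */
static uint64_t g_token_privileged;              /* 0 = normal, 1 = elevated (constructed) */

static uint64_t k_get_version(uint64_t a, uint64_t b) { (void)a; (void)b; return 0x0A00; }
static uint64_t k_set_token_privileged(uint64_t token, uint64_t level)
{
    g_token_privileged = level;
    return token;
}

/* Assumed vulnerable request layout: raw code address and two arguments. */
typedef struct { uint64_t fn; uint64_t arg0; uint64_t arg1; } call_req_t;

/* Vulnerable: whatever the caller put in fn is cast and called.  Nothing stops
 * it being any kernel routine (or, without SMEP, user-mode shellcode). */
uint64_t ioctl_call_vuln(const call_req_t *req)
{
    kfn_t f = (kfn_t)(uintptr_t)req->fn;
    return f(req->arg0, req->arg1);
}

/* The caller resolves the routine's address (from a leaked kernel base or the
 * export table in the real case; here simply its address) and asks for it. */
uint64_t attacker_escalate_vuln(void)            /* returns 1: token now elevated */
{
    call_req_t req = { (uint64_t)(uintptr_t)k_set_token_privileged, 0x1234, 1 };
    g_token_privileged = 0;
    ioctl_call_vuln(&req);
    return g_token_privileged;
}

/* Hardened: the caller names an operation, the driver owns the addresses.
 * Only routines meant for user mode are in the table. */
typedef struct { uint32_t op; uint64_t arg0; uint64_t arg1; } op_req_t;
enum { OP_GET_VERSION = 0, OP_COUNT };
static const kfn_t dispatch[OP_COUNT] = { [OP_GET_VERSION] = k_get_version };

bool ioctl_call_safe(const op_req_t *req, uint64_t *out)
{
    if (req->op >= OP_COUNT || dispatch[req->op] == NULL)
        return false;                            /* unknown opcode: rejected */
    *out = dispatch[req->op](req->arg0, req->arg1);
    return true;
}

uint64_t attacker_escalate_safe(void)            /* returns 0: no way to name the routine */
{
    op_req_t req = { 1, 0x1234, 1 };             /* guessing an opcode past the table */
    uint64_t out = 0;
    g_token_privileged = 0;
    ioctl_call_safe(&req, &out);
    return g_token_privileged;
}
bool demo_safe_valid_op(void)                    /* true: the allowed operation still works */
{
    op_req_t req = { OP_GET_VERSION, 0, 0 };
    uint64_t out = 0;
    return ioctl_call_safe(&req, &out) && out == 0x0A00;
}

int main(void)
{
    printf("vulnerable: token level after IOCTL = %llu\n",
           (unsigned long long)attacker_escalate_vuln());
    printf("hardened:   token level after IOCTL = %llu, valid op ok = %d\n",
           (unsigned long long)attacker_escalate_safe(), demo_safe_valid_op());
    return 0;
}
```

The table is the whole fix: once addresses never cross the user/kernel boundary, a kernel address leak elsewhere (such as the MSR or big-pool issues above) no longer turns into a call primitive through this driver.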