CVE Security Posts

The information in these advisories is provided without any warranty.

About CVE-2018-15499:
GEARAspiWDM.sys, version 2.2.5.0 (and possibly lower versions as well), is vulnerable to a race condition that allows an attacker to cause a DoS with low OS privileges. Using IOCTL 0x222004, the driver makes multiple unchecked fetches into userland at a specified address.
Security Risk Level:
CVSS (v3.0) = 6.7 Medium (personal estimation)
Possible Solution(s) / Fix(es):
Add ProbeForRead/ProbeForWrite checks and use METHOD_BUFFERED for IO.
Exploit Code / Vulnerable Software Source(s): Github PoC Link
Contacting GEAR software failed.
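
The double-fetch race described in this advisory and the capture-once fix, modeled in user-mode C as an added example (not the driver's code or the linked PoC). The request layout, the size limit and the `flip` hook, which stands in for a concurrent writer, are assumptions; a real driver would additionally call ProbeForRead on the user address inside a __try block.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request layout; the real driver's structure is not on the page. */
typedef struct {
    uint32_t length;       /* payload bytes the caller claims */
    uint8_t  payload[64];
} request_t;

#define MAX_PAYLOAD 16u    /* assumed limit for this model */

typedef void (*writer_fn)(volatile request_t *);

/* Racy pattern: `length` is fetched from caller-owned memory twice, so the
 * value that passed the check is not necessarily the value that is used. */
static uint32_t handle_double_fetch(volatile request_t *user, writer_fn flip)
{
    if (user->length > MAX_PAYLOAD)   /* fetch 1: validation */
        return 0;
    flip(user);                       /* window for a concurrent writer */
    return user->length;              /* fetch 2: value handed to the copy */
}

/* Fixed pattern: capture once into private storage, then validate the copy. */
static uint32_t handle_single_fetch(volatile request_t *user, writer_fn flip)
{
    uint32_t captured = user->length; /* the only fetch */
    flip(user);                       /* later changes no longer matter */
    return captured > MAX_PAYLOAD ? 0 : captured;
}

/* Stand-in for a second thread rewriting the field after the check. */
static void grow_length(volatile request_t *r) { r->length = 4096; }

/* Length each handler would pass on for a request that starts at 8 bytes. */
static uint32_t demo(int fixed)
{
    request_t req;
    memset(&req, 0, sizeof req);
    req.length = 8;
    return fixed ? handle_single_fetch(&req, grow_length)
                 : handle_double_fetch(&req, grow_length);
}

int main(void)
{
    printf("double fetch: %u, single fetch: %u\n", (unsigned)demo(0), (unsigned)demo(1));
    return 0;
}
```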

About CVE-2018-16711:
IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send an IOCTL (0x9C402088) with a buffer containing user defined content. The driver's subroutine will execute a wrmsr instruction with the user's buffer for input.
Security Risk Level:
CVSS (v3.0) = 5.9 Medium (personal estimation)
Possible Solution(s) / Fix(es):
Prevent wrmsr from being accessed from user mode, or limit the model specific register values that can be edited.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-16712:
IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send a specially crafted IOCTL 0x9C406104 to read physical memory.
Security Risk Level:
CVSS (v3.0) = 4.6 Medium (personal estimation)
Possible Solution(s) / Fix(es):
Prevent MmMapIoSpace from being accessed from user mode, or limit the address range which can be read.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.
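
One way to implement the "limit the address range" option before a request reaches MmMapIoSpace, as an added example in user-mode C (not the vendor's code or the linked PoC). The window table, the per-request cap and the function names are assumptions; the point is that the range check must not compute `addr + len`, which can wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed allow-list of physical windows the driver may map. */
typedef struct { uint64_t base, size; } phys_window_t;
static const phys_window_t ALLOWED[] = {
    { 0xD0000000ull, 0x1000ull },
    { 0xE0000000ull, 0x100000ull },
};
#define N_ALLOWED (sizeof ALLOWED / sizeof ALLOWED[0])
#define MAX_MAP_BYTES 0x10000ull  /* assumed per-request cap */

/* Naive check: addr + len can wrap past 2^64 and land below the window end. */
static bool range_ok_naive(uint64_t addr, uint64_t len)
{
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (addr >= ALLOWED[i].base &&
            addr + len <= ALLOWED[i].base + ALLOWED[i].size)
            return true;
    return false;
}

/* Overflow-safe check: compare offsets inside the window, never addr + len. */
static bool range_ok(uint64_t addr, uint64_t len)
{
    if (len == 0 || len > MAX_MAP_BYTES)
        return false;
    for (size_t i = 0; i < N_ALLOWED; i++) {
        const phys_window_t *w = &ALLOWED[i];
        if (addr < w->base)
            continue;
        uint64_t off = addr - w->base;          /* cannot underflow here */
        if (off < w->size && len <= w->size - off)
            return true;
    }
    return false;
}

int main(void)
{
    uint64_t addr = 0xFFFFFFFFFFFFFFF0ull, len = 0x20;  /* constructed wrapping request */
    printf("naive=%d safe=%d\n", range_ok_naive(addr, len), range_ok(addr, len));
    return 0;
}
```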

About CVE-2018-16713:
IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send an IOCTL (0x9C402084) with a buffer containing user defined content. The driver's subroutine will execute a rdmsr instruction with the user's buffer for input, and provide output from the instruction.
Security Risk Level:
CVSS (v3.0) = 3.2 Low (personal estimation)
Possible Solution(s) / Fix(es):
Prevent rdmsr from being accessed from user mode.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-18026:
Advanced Malware Fighter (version 6.2, and possibly lower) contains IMFCameraProtect.sys which is vulnerable to a stack overflow attack when IOCTL 0x8018E000 is sent via DeviceIoControl with a user defined size. Return addresses in the stack can be overwritten and allow for code execution or a DoS.
Security Risk Level:
CVSS (v3.0) = 7.2 High (personal estimation)
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-18714:
IOBit Advanced Malware Fighter (version 6.2, and possibly lower) contains RegFilter.sys which is vulnerable to a stack overflow attack when IOCTL 0x8006E010 is sent via DeviceIoControl with a user defined size. Return addresses in the stack can be overwritten and allow for code execution or a DoS.
Security Risk Level:
CVSS (v3.0) = 7.2 High (personal estimation)
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-19084:
RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E05C with a size larger than 8 bytes. This can lead to denial of service or code execution with root privileges.
Security Risk Level:
CVSS (v3.0) = 7.2 High (personal estimation)
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-19085:
RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E048 with a size larger than 8 bytes. This can lead to denial of service or code execution with root privileges.
Security Risk Level:
CVSS (v3.0) = 7.2 High (personal estimation)
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-19086:
RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E040 with a size larger than 8 bytes. This can lead to denial of service or code execution with root privileges.
Security Risk Level:
CVSS (v3.0) = 7.2 High (personal estimation)
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-19087:
RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E044 with a size larger than 8 bytes. This can lead to denial of service or code execution with root privileges.
Security Risk Level:
CVSS (v3.0) = 7.2 High (personal estimation)
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2018-19522:
DriverAgent 2.2015.7.14, which includes DrvAgent64.sys 1.0.0.1, allows a user to send an IOCTL (0x800020F4) with a buffer containing user defined content. The driver's subroutine will execute a wrmsr instruction with the user's buffer for partial input.
Security Risk Level:
CVSS (v3.0) = 6.7 High (personal estimation)
Possible Solution(s) / Fix(es):
Prevent wrmsr from being accessed from user mode.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting DriverAgent failed.

About CVE-2018-19523:
DriverAgent 2.2015.7.14, which includes DrvAgent64.sys 1.0.0.1, allows a user to send an IOCTL (0x80002068) with a user defined buffer size. If the size of the buffer is less than 512 bytes, then a bad memset call will overwrite the next pool header if there is one adjacent to the user's buffer pool.
Security Risk Level:
CVSS (v3.0) = 6.7 High (personal estimation)
Possible Solution(s) / Fix(es):
Use a dynamic size value in memset. Consider minimum values as well as maximum values.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting DriverAgent failed.

About CVE-2018-20404:
ETK_E900.sys, a SmartETK driver for the VIA Technologies EPIA-E900 system board, is vulnerable to a denial of service attack via IOCTL 0x9C402048, which calls memmove and constantly fails on an arbitrary (uncontrollable) address, resulting in an eternal hang or a BSoD.
Security Risk Level:
CVSS (v3.0) = 6.7 Medium (personal estimation)
Possible Solution(s) / Fix(es):
Check before calling memmove.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Unable to get past VIA Technologies support page.

About CVE-2019-6492:
SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an executable kernel pool that is allocated with user defined bytes and size when IOCTL 0x9C401CC4 is called. This kernel pointer can be leaked if the kernel pool becomes a "big" pool.
Security Risk Level:
CVSS (v3.0) = 3.0 Low (personal estimation)
Possible Solution(s) / Fix(es):
Free any kernel pools before functions finish.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2019-6493:
SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an executable kernel pool that is allocated with user defined bytes and size when IOCTL 0x9C401CC0 is called. This kernel pointer can be leaked if the kernel pool becomes a "big" pool.
Security Risk Level:
CVSS (v3.0) = 3.0 Low (personal estimation)
Possible Solution(s) / Fix(es):
Free any kernel pools before functions finish.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.

About CVE-2019-6494:
IMFForceDelete.sys in IObit Malware Fighter 6.2 allows a low privileged user to send IOCTL 0x8016E000 along with a user defined string giving the path to a file, which will be promptly deleted regardless of access controls.
Security Risk Level:
CVSS (v3.0) = 6.3 Medium (personal estimation)
Possible Solution(s) / Fix(es):
Don't allow users to specify any file.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.