CVE Security Posts

The discoveries listed here are provided without any warranty


About CVE-2020-9540 | Sophos HitmanPro.Alert's 3.7.12 service insecure downloads:
HitmanPro.Alert, versions 3.7.12 and earlier, downloads files over HTTP as a normal user and then runs them as SYSTEM. The connection can be proxied.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use HTTPS or download via the privileged process which would not allow normal users to proxy.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Reported to Sophos's bug bounty and coordinated public disclosure. Future releases are patched.


About CVE-2020-8508 | Norman Malware Cleaner's v2.08.08 nsak64.sys arbitrary address calls:
Norman Malware Cleaner, versions 2.08.08 and possibly others, loads nsak64.sys, which unprivileged users can abuse to call arbitrary kernel functions.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Be careful when passing function pointers between user and kernel mode.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Norman Safeground AS is no longer in business, and therefore the product is no longer supported.


About CVE-2019-0142 | Intel's Ethernet 700 Series Controller software's Ilp60x64.sys arbitrary write:
Intel's software for its 700 series Ethernet controllers utilizes Ilp60x64.sys, which, before package version 24.0, allowed the user to write arbitrary data to kernel mode addresses.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Be careful when dereferencing addresses. Compare with MmHighestUserAddress or use probing APIs.
Exploit Code / Vulnerable Software Source(s) [Public]:
Github PoC Link
Reported to Intel's bug bounty and coordinated public disclosure. Product was patched in INTEL-SA-00255.


About CVE-2019-8007 | Adobe's armsvc.exe v1.824.31.1644 arbitrary file deletion:
Adobe's armsvc.exe, versions 1.824.31.1644 or older, runs as a system service and can be manipulated to delete arbitrary files regardless of access controls.
Security Risk Level:
CVSS (v3.0) = 3.8 Low
Possible Solution(s) / Fix(es):
Be careful when high privilege programs interact with low privilege writable locations.
Exploit Code / Vulnerable Software Source(s) [Private]:
Github PoC Link
Reported to Adobe's PSIRT and coordinated public disclosure. Product was patched in APSB19-41.


About CVE-2019-6165 | Lenovo's PLHotkeyService.exe v1.2.0.8 DLL hijacking:
PLHotkeyService.exe, versions 1.2.0.8 or older, runs as a system service and is vulnerable to a DLL hijacking attack which results in privilege escalation.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Do not run system service programs from low privileged writable locations. Use strict DLL paths.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Reported to Lenovo's PSIRT and coordinated public disclosure. Product is being phased out. No patch released.


About CVE-2019-10617 | Qualcomm Atheros QCA61x4 devices v10.0.10011.16384 AdminService.exe arbitrary registry edits:
AdminService.exe, included in the driver installer package for Qualcomm Atheros QCA61x4 devices, versions 10.0.10011.16384 or older, allows an unprivileged user to specify normally restricted registry keys to create or delete.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Do not read input files containing sensitive configuration information from low privileged writable locations.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Reported to Qualcomm's PSIRT and coordinated public disclosure. Unknown if newer versions are still affected.


About CVE-2019-11868 | SoftEther VPN Server's See.sys v4.25 arbitrary write:
See.sys, up to version 4.25, in SoftEther VPN Server, versions 4.29 or older, allows a user to call an IOCTL specifying any kernel address to which arbitrary bytes are then written.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use ProbeForRead and ProbeForWrite to validate addresses.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Worked with a developer of SoftEther to fix the issue and current versions are no longer affected.


About CVE-2019-11867 | Realtek NDIS driver rt640x64.sys v10.1.505.2015 null address denial of service:
Realtek NDIS driver rt640x64.sys, file version 10.1.505.2015, fails to do any size checking on an input buffer from user space, which the driver assumes has a size greater than zero bytes.
Security Risk Level:
CVSS (v3.0) = 3.0 Low
Possible Solution(s) / Fix(es):
Always remember that pointers can be null.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Failed to contact Realtek.


About CVE-2019-6494 | IObit Malware Fighter's v6.2 IMFForceDelete.sys arbitrary file deletion:
IMFForceDelete.sys in IObit Malware Fighter 6.2 allows a low privileged user to send IOCTL 0x8016E000 along with a user-defined string naming a file, which will be promptly deleted regardless of access controls.
Security Risk Level:
CVSS (v3.0) = 6.3 Medium
Possible Solution(s) / Fix(es):
Don't allow users to specify any file.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.


About CVE-2019-6493 | IObit Smart Defrag 6's SmartDefragDriver.sys v2.0 executable kernel pool leak:
SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an executable kernel pool that is allocated with user defined bytes and size when IOCTL 0x9C401CC0 is called. This kernel pointer can be leaked if the kernel pool becomes a "big" pool.
Security Risk Level:
CVSS (v3.0) = 3.0 Low
Possible Solution(s) / Fix(es):
Free any kernel pools before functions finish.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.


About CVE-2019-6492 | IObit Smart Defrag 6's SmartDefragDriver.sys v2.0 executable kernel pool leak:
SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an executable kernel pool that is allocated with user defined bytes and size when IOCTL 0x9C401CC4 is called. This kernel pointer can be leaked if the kernel pool becomes a "big" pool.
Security Risk Level:
CVSS (v3.0) = 3.0 Low
Possible Solution(s) / Fix(es):
Free any kernel pools before functions finish.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.


About CVE-2018-20404 | VIA Technologies' SmartETK ETK_E900.sys v1.0.0.33 uncontrollable memmove denial of service:
ETK_E900.sys version 1.0.0.33, a SmartETK driver for VIA Technologies EPIA-E900 system board, is vulnerable to denial of service attack via IOCTL 0x9C402048, which calls memmove and constantly fails on an arbitrary (uncontrollable) address, resulting in an eternal hang or a BSoD.
Security Risk Level:
CVSS (v3.0) = 6.7 Medium
Possible Solution(s) / Fix(es):
Check before calling memmove.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Unable to get past VIA Technologies support page.


About CVE-2018-19523 | DriverAgent's DrvAgent64.sys v1.0.0.1 pool corruption denial of service:
DriverAgent 2.2015.7.14, which includes DrvAgent64.sys 1.0.0.1, allows a user to send an IOCTL (0x80002068) with a user defined buffer size. If the size of the buffer is less than 512 bytes, then a bad memset call will overwrite the next pool header if there is one adjacent to the user's buffer pool.
Security Risk Level:
CVSS (v3.0) = 6.7 High
Possible Solution(s) / Fix(es):
Use dynamic size value in memset. Consider minimum values, as well as maximum.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting DriverAgent failed.


About CVE-2018-19522 | DriverAgent's DrvAgent64.sys v1.0.0.1 arbitrary WRMSR:
DriverAgent 2.2015.7.14, which includes DrvAgent64.sys 1.0.0.1, allows a user to send an IOCTL (0x800020F4) with a buffer containing user defined content. The driver's subroutine will execute a wrmsr instruction with the user's buffer for partial input.
Security Risk Level:
CVSS (v3.0) = 6.7 High
Possible Solution(s) / Fix(es):
Prevent wrmsr from being reachable from user mode.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting DriverAgent failed.


About CVE-2018-19087 | IObit Advanced Malware Fighter's v6.2 RegFilter.sys stack overflow:
RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E044 with a size larger than 8 bytes. This can lead to denial of service or code execution with root privileges.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.


About CVE-2018-19086 | IObit Advanced Malware Fighter's v6.2 RegFilter.sys stack overflow:
RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E040 with a size larger than 8 bytes. This can lead to denial of service or code execution with root privileges.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.


About CVE-2018-19085 | IObit Advanced Malware Fighter's v6.2 RegFilter.sys stack overflow:
RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E048 with a size larger than 8 bytes. This can lead to denial of service or code execution with root privileges.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.


About CVE-2018-19084 | IObit Advanced Malware Fighter's v6.2 RegFilter.sys stack overflow:
RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E05C with a size larger than 8 bytes. This can lead to denial of service or code execution with root privileges.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions.
Exploit Code / Vulnerable Software Source(s) [In Stockpile]:
Github PoC Link
Contacting IOBit Software failed.


About CVE-2018-18714 | IObit Advanced Malware Fighter's v6.2 RegFilter.sys stack overflow:
IOBit Advanced Malware Fighter (version 6.2, and possibly lower) contains RegFilter.sys which is vulnerable to a stack overflow attack when IOCTL 0x8006E010 is sent via DeviceIoControl with a user defined size. Return addresses in the stack can be overwritten and allow for code execution or a DoS.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.


About CVE-2018-18026 | IObit Advanced Malware Fighter's v6.2 IMFCameraProtect.sys stack overflow:
IObit Advanced Malware Fighter (version 6.2, and possibly lower) contains IMFCameraProtect.sys which is vulnerable to a stack overflow attack when IOCTL 0x8018E000 is sent via DeviceIoControl with a user defined size. Return addresses in the stack can be overwritten and allow for code execution or a DoS.
Security Risk Level:
CVSS (v3.0) = 7.2 High
Possible Solution(s) / Fix(es):
Use a fixed size for memory movement functions.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.
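The DrvAgent64.sys pool corruption (length below a minimum), the rt640x64.sys null-buffer crash, and the RegFilter.sys / IMFCameraProtect.sys stack overflows (length above a maximum) are all the same missing step: checking the caller-supplied IOCTL length against both bounds before any memset or memcpy uses it. The example below is added here to show that check in plain C; it is not code from this page or from any of the vendors listed. The status enum, the `RECORD_SIZE` and `MAX_FILL_BYTES` limits and the handler names are constructed for the example, and `in`/`in_len` stand in for the SystemBuffer and InputBufferLength a METHOD_BUFFERED handler receives.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes are constructed for the example; RECORD_SIZE mirrors the
 * "larger than 8 bytes" condition in the RegFilter.sys entries. */
#define RECORD_SIZE    8     /* exact record size the handler expects      */
#define MAX_FILL_BYTES 4096  /* upper bound on a caller-chosen fill length  */

/* Local stand-ins for the NTSTATUS codes a handler would return. */
typedef enum {
    EX_STATUS_SUCCESS = 0,
    EX_STATUS_INVALID_PARAMETER = 1,
    EX_STATUS_INVALID_BUFFER_SIZE = 2
} ex_status_t;

/* A METHOD_BUFFERED handler must check the caller-supplied length against
 * BOTH bounds before touching the buffer: too small and a fixed-size
 * memset/memcpy runs past the allocation (the DrvAgent64.sys pool
 * corruption); too large and copying the caller's length into a fixed
 * stack buffer smashes the stack (the RegFilter.sys / IMFCameraProtect.sys
 * overflows). A zero length also fails the minimum bound. */
bool ioctl_length_ok(size_t in_len, size_t min_len, size_t max_len) {
    return in_len >= min_len && in_len <= max_len;
}

/* Hardened handler for an IOCTL expecting exactly one RECORD_SIZE-byte
 * record. The copy length is the local buffer's own size, never the
 * caller's, and the caller's length is validated before the copy. */
ex_status_t handle_record_ioctl(const uint8_t *in, size_t in_len,
                                uint64_t *out_value) {
    uint8_t record[RECORD_SIZE];
    uint64_t value = 0;

    if (in == NULL || out_value == NULL)
        return EX_STATUS_INVALID_PARAMETER;
    if (!ioctl_length_ok(in_len, RECORD_SIZE, RECORD_SIZE))
        return EX_STATUS_INVALID_BUFFER_SIZE;

    memcpy(record, in, sizeof record);          /* sizeof record, not in_len */
    for (size_t i = 0; i < sizeof record; i++)  /* little-endian decode */
        value |= (uint64_t)record[i] << (8 * i);
    *out_value = value;
    return EX_STATUS_SUCCESS;
}

/* Hardened counterpart of a "clear this buffer" IOCTL. The vulnerable
 * pattern zeroes a hard-coded byte count regardless of the caller's
 * length; here the fill size is the validated dynamic length. */
ex_status_t handle_zero_fill_ioctl(uint8_t *buf, size_t buf_len) {
    if (buf == NULL)
        return EX_STATUS_INVALID_PARAMETER;
    if (!ioctl_length_ok(buf_len, 1, MAX_FILL_BYTES))
        return EX_STATUS_INVALID_BUFFER_SIZE;
    memset(buf, 0, buf_len);                    /* dynamic size, bounded above */
    return EX_STATUS_SUCCESS;
}

int main(void) {
    /* Constructed inputs: a correctly sized record and an oversized one. */
    uint8_t eight[8]   = { 0x44, 0x33, 0x22, 0x11, 0, 0, 0, 0 };
    uint8_t twelve[12] = { 0 };
    uint8_t scratch[16];
    uint64_t v = 0;

    printf("8-byte record  -> status %d, value 0x%llx\n",
           (int)handle_record_ioctl(eight, sizeof eight, &v),
           (unsigned long long)v);
    printf("12-byte record -> status %d\n",
           (int)handle_record_ioctl(twelve, sizeof twelve, &v));
    memset(scratch, 0xAA, sizeof scratch);
    printf("zero-fill 16   -> status %d, first byte 0x%02x\n",
           (int)handle_zero_fill_ioctl(scratch, sizeof scratch), scratch[0]);
    return 0;
}
```

The point of keeping the bounds check in one helper is that every dispatch case calls it with its own minimum and maximum; a handler that only checks one bound still has the other bug.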


About CVE-2018-16713 | IObit Advanced SystemCare's Monitor_win10_x64.sys v1.2.0.5 arbitrary RDMSR:
IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send an IOCTL (0x9C402084) with a buffer containing user defined content. The driver's subroutine will execute a rdmsr instruction with the user's buffer for input, and provide output from the instruction.
Security Risk Level:
CVSS (v3.0) = 3.2 Low
Possible Solution(s) / Fix(es):
Prevent rdmsr from being reachable from user mode.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.


About CVE-2018-16712 | IObit Advanced SystemCare's Monitor_win10_x64.sys v1.2.0.5 arbitrary physical memory read:
IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send a specially crafted IOCTL 0x9C406104 to read physical memory.
Security Risk Level:
CVSS (v3.0) = 4.6 Medium
Possible Solution(s) / Fix(es):
Prevent MmMapIoSpace from being reachable from user mode, or limit the address range which can be read.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.


About CVE-2018-16711 | IObit Advanced SystemCare's Monitor_win10_x64.sys v1.2.0.5 arbitrary WRMSR:
IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send an IOCTL (0x9C402088) with a buffer containing user defined content. The driver's subroutine will execute a wrmsr instruction with the user's buffer for input.
Security Risk Level:
CVSS (v3.0) = 5.9 Medium
Possible Solution(s) / Fix(es):
Prevent wrmsr from being reachable from user mode, or limit the model specific register values that can be edited.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting IOBit Software failed.


About CVE-2018-15499 | GEAR Software's GEARAspiWDM.sys v2.2.5.0 race condition denial of service:
GEARAspiWDM.sys, version 2.2.5.0 (and possibly lower versions as well), is vulnerable to a race condition that allows an attacker to cause a DoS with low OS privileges. Using IOCTL 0x222004 the driver makes multiple unchecked fetches from userland at a specified address.
Security Risk Level:
CVSS (v3.0) = 6.7 Medium
Possible Solution(s) / Fix(es):
Add ProbeForRead/ProbeForWrite checks and use METHOD_BUFFERED for IO.
Exploit Code / Vulnerable Software Source(s):
Github PoC Link
Contacting GEAR Software failed.
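The Ilp60x64.sys, See.sys and GEARAspiWDM.sys entries above all recommend the same defence: before a driver dereferences a caller-supplied address, confirm that the whole range is aligned, does not wrap, and lies below MmHighestUserAddress (which is what ProbeForRead/ProbeForWrite enforce). The example below is added here to show that range check as ordinary C, not as code from this page or from any of the vendors listed. `MOCK_HIGHEST_USER_ADDRESS` is a hard-coded stand-in for the kernel-exported variable so the code runs in user mode, and the status enum, `write_request` struct and function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for MmHighestUserAddress on 64-bit Windows
 * (0x00007FFFFFFEFFFF). A real driver reads the kernel-exported variable;
 * the constant is hard-coded only so this example runs outside the kernel. */
#define MOCK_HIGHEST_USER_ADDRESS 0x00007FFFFFFEFFFFULL

/* Local stand-ins for the NTSTATUS codes a handler would return. */
typedef enum {
    EX_STATUS_SUCCESS = 0,
    EX_STATUS_INVALID_PARAMETER = 1,
    EX_STATUS_ACCESS_VIOLATION = 2
} ex_status_t;

/* Request shape modelled on a "write to address" IOCTL: the caller
 * supplies a destination address, a byte count and the alignment the
 * handler requires for that destination (a power of two). */
struct write_request {
    uint64_t dst;
    uint64_t len;
    uint64_t align;
};

/* Return true only if [dst, dst+len) is aligned, does not wrap, and lies
 * entirely at or below the highest user address. These are the properties
 * ProbeForRead/ProbeForWrite enforce; they raise an exception instead of
 * returning false, so a real driver wraps them in __try/__except. */
bool range_is_user_space(uint64_t dst, uint64_t len, uint64_t align) {
    if (len == 0 || align == 0 || (align & (align - 1)) != 0)
        return false;                       /* malformed request */
    if ((dst & (align - 1)) != 0)
        return false;                       /* misaligned destination */
    if (dst > UINT64_MAX - (len - 1))
        return false;                       /* end of range wraps around */
    return (dst + len - 1) <= MOCK_HIGHEST_USER_ADDRESS;
}

/* Validation step a hardened handler performs on its own kernel copy of
 * the request before dereferencing the caller-supplied destination. */
ex_status_t validate_write_request(const struct write_request *req) {
    if (req == NULL)
        return EX_STATUS_INVALID_PARAMETER;
    if (!range_is_user_space(req->dst, req->len, req->align))
        return EX_STATUS_ACCESS_VIOLATION;
    return EX_STATUS_SUCCESS;
}

int main(void) {
    /* Constructed requests: a normal user buffer, a kernel-space address
     * an arbitrary-write IOCTL must refuse, a range that wraps, and a
     * range that straddles the user/kernel boundary by one byte. */
    struct write_request samples[] = {
        { 0x0000000000A10000ULL, 16, 8 },
        { 0xFFFFF80012345678ULL, 8, 8 },
        { 0xFFFFFFFFFFFFFFF0ULL, 32, 1 },
        { MOCK_HIGHEST_USER_ADDRESS - 7, 9, 1 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("dst=0x%016llx len=%llu -> status %d\n",
               (unsigned long long)samples[i].dst,
               (unsigned long long)samples[i].len,
               (int)validate_write_request(&samples[i]));
    return 0;
}
```

The check is only meaningful on a copy of the request the caller can no longer modify, which is why the GEARAspiWDM.sys entry pairs it with METHOD_BUFFERED: the driver validates the kernel copy once instead of fetching the address from user memory repeatedly and racing against a second thread that changes it.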