SRC-2017-0029 : Kingsoft Antivirus and Internet Security Kernel Stack Buffer Overflow Privilege Escalation Vulnerability
Kingsoft Internet Security
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Kingsoft Internet Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the processing of IOCTL 0x80030004 or 0x80030008 by either the kavfm.sys (anti-virus) or the KWatch3.sys (internet security) kernel driver. The driver does not properly validate user-supplied data, which can result in a kernel stack buffer overflow. An attacker can leverage this vulnerability to execute arbitrary code in the context of the kernel.
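The root cause described above, as an added illustration that is not Kingsoft's, Source Incite's or Beyond Security's code: the two IOCTL codes from the advisory are decoded with the Windows CTL_CODE field layout (both are METHOD_BUFFERED with FILE_ANY_ACCESS), and a hardened handler checks the caller-declared input length and the length field inside the record before a fixed-size stack buffer is written. The request layout, status codes and function names are assumptions; the driver's real structures are not given in the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IOCTL codes named in the advisory, decoded with the Windows CTL_CODE layout
   (DeviceType:16 | Access:2 | Function:12 | Method:2). */
#define IOCTL_KS_A 0x80030004u
#define IOCTL_KS_B 0x80030008u
#define IOCTL_DEVICE_TYPE(c) (((c) >> 16) & 0xFFFFu)
#define IOCTL_ACCESS(c)      (((c) >> 14) & 0x3u)   /* 0 == FILE_ANY_ACCESS */
#define IOCTL_FUNCTION(c)    (((c) >> 2)  & 0xFFFu)
#define IOCTL_METHOD(c)      ((c) & 0x3u)           /* 0 == METHOD_BUFFERED */

/* Assumed request record; the real driver's layout is not in the advisory. */
#define KS_PATH_MAX 64
typedef struct { uint32_t flags; uint32_t path_len; char path[KS_PATH_MAX]; } ks_request_t;
typedef enum { KS_OK = 0, KS_BAD_IOCTL, KS_BAD_LENGTH, KS_BAD_FIELD } ks_status_t;

/* Hardened handler. It receives what IRP_MJ_DEVICE_CONTROL hands a METHOD_BUFFERED
   driver: the system buffer and the caller-declared InputBufferLength. The bug class
   in the advisory is memcpy(local, sysbuf, in_len) with in_len never checked. */
ks_status_t ks_dispatch_hardened(uint32_t code, const void *sysbuf, size_t in_len) {
    char local[KS_PATH_MAX];               /* the fixed-size stack buffer at risk */
    ks_request_t req;
    if (code != IOCTL_KS_A && code != IOCTL_KS_B) return KS_BAD_IOCTL;
    /* Check 1: the declared input length must be exactly the record size. */
    if (sysbuf == NULL || in_len != sizeof req) return KS_BAD_LENGTH;
    memcpy(&req, sysbuf, sizeof req);      /* system buffer is a kernel copy */
    /* Check 2: a length field inside the record is caller-controlled as well. */
    if (req.path_len > KS_PATH_MAX) return KS_BAD_FIELD;
    memcpy(local, req.path, req.path_len); /* bounded by the validated field */
    return KS_OK;
}

/* Constructed sample input: builds one record and submits it with a chosen
   in_len and path_len so each check can be exercised on its own. */
ks_status_t ks_try(uint32_t code, size_t in_len, uint32_t path_len) {
    unsigned char scratch[4096] = {0};
    ks_request_t req = { .flags = 1, .path_len = path_len };
    memcpy(req.path, "C:\\sample", 9);
    memcpy(scratch, &req, sizeof req);
    return ks_dispatch_hardened(code, scratch, in_len);
}

int main(void) {
    printf("function=%u method=%u access=%u -> %d %d %d\n", IOCTL_FUNCTION(IOCTL_KS_B),
           IOCTL_METHOD(IOCTL_KS_B), IOCTL_ACCESS(IOCTL_KS_B), ks_try(IOCTL_KS_B, sizeof(ks_request_t), 9),
           ks_try(IOCTL_KS_B, 4096, 9), ks_try(IOCTL_KS_B, sizeof(ks_request_t), 4096));
    return 0;
}
```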
Kingsoft has not issued an update to correct these vulnerabilities.
- 2017-10-03 – Verified and acquired by Beyond Security
- 2017-12-31 – Uncoordinated public release of advisory
Proof of Concept:
This vulnerability was discovered by Steven Seeley of Source Incite.
Source Incite would like to acknowledge Beyond Security's SSD program for their help with coordinating the disclosure of this vulnerability. More details can be found on their blog at https://blogs.securiteam.com/index.php/archives/3597.