SRC-2017-0029 : Kingsoft Antivirus and Internet Security Kernel Stack Buffer Overflow Privilege Escalation Vulnerability



CVSS Score:

6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)

Affected Vendors:


Affected Products:

Kingsoft Internet Security

Vulnerability Details:

This vulnerability allows local attackers to escalate privileges on vulnerable installations of Kingsoft Internet Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the processing of IOCTL 0x80030004 or 0x80030008 by either the kavfm.sys (anti-virus) or the KWatch3.sys (internet security) kernel driver. The driver doesn’t properly validate user-supplied data, which can result in a kernel stack buffer overflow. An attacker can leverage this vulnerability to execute arbitrary code in the context of the kernel.
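The following is an added example, not code from this advisory or from the vendor's drivers: a user-mode C model that decodes the two IOCTL codes named above into their standard CTL_CODE fields and shows the length check a handler needs before copying caller data into a fixed-size stack buffer. The buffer size, function names and return codes are hypothetical, since the drivers' real layout is not given on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Field layout of a Windows I/O control code (the CTL_CODE macro). */
struct ioctl_fields { uint32_t device_type, access, function, method; };

struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = code >> 16;           /* bits 31..16 */
    f.access      = (code >> 14) & 0x3;   /* 0 = FILE_ANY_ACCESS */
    f.function    = (code >> 2) & 0xFFF;  /* bits 13..2 */
    f.method      = code & 0x3;           /* 0 = METHOD_BUFFERED */
    return f;
}

#define HYP_RECORD_MAX 64    /* hypothetical size of the handler's stack buffer */
#define HYP_OK          0    /* hypothetical return codes */
#define HYP_BAD_LENGTH (-1)

/* User-mode model of a buffered-IOCTL handler: in_buf/in_len stand in for
 * the system buffer and the caller-declared input length. */
int handle_request(const uint8_t *in_buf, size_t in_len, uint8_t *first_byte)
{
    uint8_t record[HYP_RECORD_MAX];       /* fixed-size stack buffer */

    /* Reject before copying: the length comes from the unprivileged caller. */
    if (in_buf == NULL || first_byte == NULL || in_len == 0 || in_len > sizeof(record))
        return HYP_BAD_LENGTH;

    memcpy(record, in_buf, in_len);       /* bounded by the check above */
    *first_byte = record[0];
    return HYP_OK;
}

int main(void)
{
    const uint32_t codes[] = { 0x80030004u, 0x80030008u };
    for (size_t i = 0; i < 2; i++) {
        struct ioctl_fields f = decode_ioctl(codes[i]);
        printf("0x%08X: device=0x%X access=%u function=%u method=%u\n", (unsigned)codes[i],
               (unsigned)f.device_type, (unsigned)f.access, (unsigned)f.function, (unsigned)f.method);
    }
    return 0;
}
```

Both codes decode to METHOD_BUFFERED with FILE_ANY_ACCESS, so the handler receives a caller-sized buffer from any handle that can open the device, which is why the length check has to live in the driver itself.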

Vendor Response:

Kingsoft has not issued an update to correct these vulnerabilities.

Disclosure Timeline:

  • 2017-10-03 – Verified and acquired by Beyond Security
  • 2017-12-31 – Uncoordinated public release of advisory

Proof of Concept:



This vulnerability was discovered by Steven Seeley of Source Incite.


Source Incite would like to acknowledge Beyond Security's SSD program for the help with co-ordination of this vulnerability. More details can be found on their blog at