Vulnerability title: Privilege Escalation In K7 Computing Multiple Products [K7FWFilt.sys]
Vendor: K7 Computing
Product: Multiple Products [K7FWFilt.sys]
Affected version: Earlier and including 22.214.171.124
Fixed version: 126.96.36.199
Reported by: Kyriakos Economou
Latest, and possibly earlier versions of K7FWFilt.sys kernel mode driver, also named as the ‘K7Firewall Packet Driver’, suffers from a heap overflow condition that can be exploited locally by an attacker in order to execute code with kernel privileges. Successful exploitation of this bug results in vertical privilege escalation.
The function handling IOCTL 0x830020C4 does not validate the size of the output buffer parameter passed in the DeviceIoControl API, which leads to a heap overflow on buffer data initialization. In particular, the function assumes that the output buffer has a size of 0x22C4 bytes. By declaring a smaller buffer we are able to overwrite other data and kernel objects that might follow and potentially control the execution flow via a corrupted kernel object.
ba31cb06 8b7d14 mov edi,dword ptr [ebp+14h]
ba31cb09 ff7514 push dword ptr [ebp+14h]
ba31cb0c b9b1080000 mov ecx,8B1h
ba31cb11 33c0 xor eax,eax
ba31cb13 f3ab rep stos dword ptr es:[edi]