IKARUS anti.virus and its 9 exploitable kernel vulnerabilities

Paul.R

Thread author
May 16, 2013
Here is a list of the 9 kernel vulnerabilities I discovered over a month ago in an antivirus product called IKARUS anti.virus, which have finally been fixed. Most of the vulnerabilities were due to the inputted output buffer address (Irp->UserBuffer) being saved on the stack and later used, without being validated, as an argument. The table below lists the IOCTLs, the related CVE and the type of vulnerability:

| IOCTL      | CVE ID         | Vulnerability Type  |
|------------|----------------|---------------------|
| 0x8300000c | CVE-2017-14961 | Arbitrary Write     |
| 0x83000058 | CVE-2017-14962 | Out of Bounds Write |
| 0x83000058 | CVE-2017-14963 | Arbitrary Write     |
| 0x8300005c | CVE-2017-14964 | Arbitrary Write     |
| 0x830000cc | CVE-2017-14965 | Arbitrary Write     |
| 0x830000c0 | CVE-2017-14966 | Arbitrary Write     |
| 0x83000080 | CVE-2017-14967 | Arbitrary Write     |
| 0x830000c4 | CVE-2017-14968 | Arbitrary Write     |
| 0x83000084 | CVE-2017-14969 | Arbitrary Write     |
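The root cause described in the post, as an added example that is not the vendor's code: a portable C model of a METHOD_NEITHER IOCTL output path, with the unvalidated write beside a handler that checks the declared length and probes the caller's pointer before touching it. MmUserProbeAddress and ProbeForWrite are modelled by local stand-ins so the block builds outside the kernel; the kernel address in main is constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated x64 user/kernel boundary (stand-in for MmUserProbeAddress). */
#define USER_PROBE_ADDRESS 0x00007FFFFFFF0000ULL
#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0xC0000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u
#define STATUS_BUFFER_TOO_SMALL      0xC0000023u

/* Minimal stand-in for the IRP fields a METHOD_NEITHER handler sees. */
typedef struct { void *UserBuffer; size_t OutputBufferLength; } irp_t;

uint32_t g_out;   /* result slot used by main (global so it sits below the probe address) */

/* Pattern the post describes: the caller-supplied output pointer is stashed
 * and written through without validation. A kernel address supplied by a
 * user-mode caller turns this into a write to arbitrary kernel memory. */
uint32_t ioctl_unvalidated(irp_t *irp, uint32_t result) {
    uint32_t *out = (uint32_t *)irp->UserBuffer;   /* never probed */
    *out = result;
    return STATUS_SUCCESS;
}

/* Stand-in for ProbeForWrite(): the real routine raises an exception that the
 * driver must catch with __try/__except; here it returns a status instead.
 * Rejects misaligned pointers and any range not entirely inside user space. */
uint32_t probe_for_write(const void *p, size_t len, size_t align) {
    uintptr_t a = (uintptr_t)p;
    if (len == 0) return STATUS_SUCCESS;
    if (a % align) return STATUS_DATATYPE_MISALIGNMENT;
    if (a + len < a || a + len > USER_PROBE_ADDRESS) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Hardened handler: check the declared length, probe the pointer, then write.
 * With METHOD_BUFFERED the I/O manager performs this copy itself. */
uint32_t ioctl_validated(irp_t *irp, uint32_t result) {
    if (irp->OutputBufferLength < sizeof result) return STATUS_BUFFER_TOO_SMALL;
    uint32_t st = probe_for_write(irp->UserBuffer, sizeof result, sizeof result);
    if (st != STATUS_SUCCESS) return st;            /* refuse before dereferencing */
    memcpy(irp->UserBuffer, &result, sizeof result);
    return STATUS_SUCCESS;
}

int main(void) {
    irp_t ok  = { &g_out, sizeof g_out };
    irp_t bad = { (void *)0xFFFFF80000000000ULL, sizeof g_out }; /* constructed kernel address */
    printf("user ptr:   0x%08x out=%u\n", ioctl_validated(&ok, 42), g_out);
    printf("kernel ptr: 0x%08x\n", ioctl_validated(&bad, 42));
    return 0;
}
```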
 

Sunshine-boy

Apr 1, 2017

notabot

Oct 31, 2018
This is why we should avoid security tools that offer no bug bounty and don't have many users.
Bitdefender (Bitdefender's bug bounty program | Bugcrowd)
Kaspersky (Kaspersky Lab - Bug Bounty Program | HackerOne)
Avast (The Avast bug bounty program)
Windows Defender (Microsoft Bounty Programs | MSRC)
F-Secure (Vulnerability Reward Program | F-Secure Labs)
360 (360 Security Response Center)
They all have great bug bounties plus a lot of users (more users is better).

Agreed

I remember I had this discussion a couple of months ago here with another forum member and I mentioned explicitly the AV attack surface and the pluses of scrutinized products which get frequent updates. The counter argument I read was essentially security by obscurity and even explicitly to use Ikarus...
 

notabot

Oct 31, 2018
There is a certain logic to that, as long as you are not subjected to targeted attacks.

Still, I don't see why one should increase their attack surface with a product whose own security is not scrutinized. And it's not just targeted attacks: any remote vulnerability can be added to a Metasploit-like tool on a "just in case the user has this installed" basis.