Twister Antivirus v8.17 - Out-of-bounds Read


NameTwister Antivirus v8.17 - Out-of-bounds Read
Code nameFitzgerald
ProductTwister Antivirus
Affected versionsVersion 8.17
Release date2024-02-06


KindOut-of-bounds Read
Rule111. Out-of-bounds Read
CVSSv3 Base Score5.8
Exploit availableYes
CVE ID(s)CVE-2024-1140


Twister Antivirus v8.17 is vulnerable to an Out-of-bounds Read vulnerability by triggering the 0x801120B8 IOCTL code of the filmfd.sys driver.


The 0x801120B8 IOCTL code of the filmfd.sys driver driver allows to perform a Out-of-bounds read of a page which is allocated next to the vulnerable buffer. When issuing a 0x801120B8 IOCTL request with NULL lpInBuffer and a short lpOutBuffer, the out-of-bounds read occur at filmfd+0xf3f8 when trying to dereference 0x420 bytes from the lpOutBuffer buffer which is controlled by the user. This leads to a Denial of Service if the dereferenced address contains invalid memory. If the attacker can control the allocation of objects adjacent to the vulnerable buffer, this may be upgraded to a more powerful primitive.

The resulting debugging session is the following:

0: kd> bp filmfd+0xf3f8 ".printf \"rax = 0x%p\", @rax; .echo; dps rax+420 L1; .echo; gc" 0: kd> g
rax = 0xffffa28408942640
ffffa284`08942a60  00000000`00000000

rax = 0xffffa2840be6ed00
ffffa284`0be6f120  00000000`00000000

rax = 0xffffa28407da4a40
ffffa284`07da4e60  00000000`00000000

rax = 0xffffa28407ea0d00
ffffa284`07ea1120  ffffa284`0b948158

rax = 0xffffa2840b941d00
ffffa284`0b942120  ????????`????????

KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x00000050

Driver at fault:
***    filmfd.sys - Address FFFFF800696BF3F8 base at FFFFF800696B0000, DateStamp 5166646c
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.

Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arg1: ffffd40cdd345220, memory referenced.
Arg2: 0000000000000000, X64: bit 0 set if the fault was due to a not-present PTE.
    bit 1 is set if the fault was due to a write, clear if a read.
    bit 3 is set if the processor decided the fault was due to a corrupted PTE.
    bit 4 is set if the fault was due to attempted execute of a no-execute PTE.
    - ARM64: bit 1 is set if the fault was due to a write, clear if a read.
    bit 3 is set if the fault was due to attempted execute of a no-execute PTE.
Arg3: ffffd40cdd344e10, If non-zero, the instruction address which referenced the bad memory
Arg4: 0000000000000002, (reserved)

rax=ffffd40cdd344e00 rbx=0000000000000000 rcx=fffff800712d0000
rdx=ffffd40cdd344e00 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800712df3f8 rsp=ffffee096cc226c0 rbp=0000000000000002
 r8=ffffd40cdd344e10  r9=ffffd40cd9b0ba70 r10=fffff800712dfdd0
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
fffff800`712df3f8 8b8020040000    mov     eax,dword ptr [rax+420h] ds:ffffd40c`dd345220=????????
Resetting default scope

Our security policy

We have reserved the ID CVE-2024-1140 to refer to this issue from now on.

System Information

  • Version: Twister Antivirus v8.17
  • Operating System: Windows


There is currently no patch available for this vulnerability.


The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.


Vendor page

Product page




Vulnerability discovered.



Vendor contacted.



Public Disclosure.

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.