Bkav Home v7816 - Kernel Memory Leak

5.5

Medium

Discovered by 

Andres Roldan

Offensive Team, Fluid Attacks

Summary

Full name

Bkav Home v7816, build 2403161130 - Kernel Memory Leak

Code name

State

Public

Release date

Apr 22, 2024

Affected product

Bkav Home

Vendor

Bkav Corporation

Affected version(s)

Version 7816, build 2403161130

Vulnerability name

Kernel Memory Leak

Remotely exploitable

No

CVSS v3.0 vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v3.0 base score

5.5

Exploit available

Yes

CVE ID(s)

Description

Bkav Home v7816, build 2403161130 is vulnerable to a Memory Information Leak vulnerability by triggering the 0x222240 IOCTL code of the BkavSDFlt.sys driver.

Vulnerability

The 0x222240 IOCTL code of the BkavSDFlt.sys driver allows to leak the kernel address of an global variable which has always the same offset from the base module, making the kASLR protection useless on that module.

The handling code of the 0x222240 IOCTL calls sub_1400010D8 which copies the absolute address of a global variable into the output buffer of the IRP object.

__int64 __fastcall sub_1400010D8(PIRP pIrp, __int64 a2, __int64 *a3)
{
 unsigned int v3; // r9d
 __int64 v4; // rax

 v3 = 0;
 v4 = 0i64;
 if ( *(_DWORD *)(a2 + 0x10) < 8u )
 {
 v3 = 0xC0000023;
 }
 else
 {
 *(_QWORD *)pIrp->AssociatedIrp.SystemBuffer = &qword_140004230;
    v4 = 8i64;
  }
  *a3 = v4;
  return v3

The PoC will dump the absolute address of such global variable:

PS C:\Users\admin\Desktop> .\IOCTLBruteForce.exe BkavSdFlt 0x222240
[+] 0x222240: (I & O) Bytes sent: 8 (0x8)
[+] 0x222240: Bytes returned: 8 (0x8)
[+]

Our security policy

We have reserved the ID CVE-2024-2760 to refer to this issue from now on.

Disclosure policy

System Information

  • Version: Bkav Home v7816, build 2403161130

  • Operating System: Windows

Mitigation

There is currently no patch available for this vulnerability.

References

Timeline

Vulnerability discovered

Mar 21, 2024

Vendor contacted

Mar 21, 2024

Public disclosure

Apr 22, 2024

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.

SOC 2 Type II

SOC 3

Subscribe to our newsletter

Stay updated on our upcoming events and latest blog posts, advisories and other engaging resources.

© 2025 Fluid Attacks. We hack your software.

Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.

SOC 2 Type II

SOC 3

Subscribe to our newsletter

Stay updated on our upcoming events and latest blog posts, advisories and other engaging resources.

© 2025 Fluid Attacks. We hack your software.

Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.

SOC 2 Type II

SOC 3

Subscribe to our newsletter

Stay updated on our upcoming events and latest blog posts, advisories and other engaging resources.

© 2025 Fluid Attacks. We hack your software.