Bkav Home v7816 - Kernel Memory Leak

Summary


Name	Bkav Home v7816, build 2403161130 - Kernel Memory Leak
Code name	Kent
Product	Bkav Home
Vendor	Bkav Corporation
Affected versions	Version 7816, build 2403161130
State	Public
Release date	2024-04-22

Vulnerability


Kind	Kernel Memory Leak
Rule	037. Technical Information Leak
Remote	No
CVSSv3 Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSSv3 Base Score	5.5
Exploit available	Yes
CVE ID(s)	CVE-2024-2760

Description

Bkav Home v7816, build 2403161130 is vulnerable to a Memory Information Leak vulnerability by triggering the 0x222240 IOCTL code of the BkavSDFlt.sys driver.

Vulnerability

The 0x222240 IOCTL code of the BkavSDFlt.sys driver allows to leak the kernel address of an global variable which has always the same offset from the base module, making the kASLR protection useless on that module.

The handling code of the 0x222240 IOCTL calls sub_1400010D8 which copies the absolute address of a global variable into the output buffer of the IRP object.

__int64 __fastcall sub_1400010D8(PIRP pIrp, __int64 a2, __int64 *a3) { unsigned int v3; // r9d __int64 v4; // rax v3 = 0; v4 = 0i64; if ( *(_DWORD *)(a2 + 0x10) < 8u ) { v3 = 0xC0000023; } else { *(_QWORD *)pIrp->AssociatedIrp.SystemBuffer = &qword_140004230;
    v4 = 8i64;
  }
  *a3 = v4;
  return v3;
}

The PoC will dump the absolute address of such global variable:

PS C:\Users\admin\Desktop> .\IOCTLBruteForce.exe BkavSdFlt 0x222240
[+] 0x222240: (I & O) Bytes sent: 8 (0x8)
[+] 0x222240: Bytes returned: 8 (0x8)
[+] Output (0): FFFFF80044434230