CVE-2017-17429

Vulnerability

The K7Sentry device driver in K7 Antivirus Premium before version 15.1.0.53 and other K7 security products does not properly authenticate IOCTL requests from user-mode processes. A local user with a LOW integrity process can send a specific IOCTL to the device, bypassing access controls. Affected products include K7 Anti-Virus Plus, K7 Anti-Virus Premium, K7 Internet Security, K7 Ultimate Security, K7 Total Security, K7 Total Security Plus, and K7 Endpoint Security [1].

Exploitation

An attacker with local access to the system can exploit this vulnerability without requiring administrative privileges. The attacker runs a low-integrity process that opens the K7Sentry device and sends a crafted IOCTL code. No user interaction or additional authentication is needed beyond being logged into the system.

Impact

Successful exploitation grants the attacker raw read/write access to the hard disk. This allows the attacker to read sensitive data, modify system files, or install persistent malware, effectively compromising the entire system. The attacker gains a level of access far exceeding their initial low-integrity privilege.

Mitigation

K7 Computing has released fixed versions for all affected products: K7 Anti-Virus Plus 15.1.0308, K7 Anti-Virus Premium 15.1.0314, K7 Internet Security 15.1.0297, K7 Ultimate Security 15.1.0324, K7 Total Security 15.1.0324, K7 Total Security Plus 16.0.0131, and K7 Endpoint 14.2.0137 [1]. Users should upgrade to these versions immediately. No workarounds are documented. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog.