CVE-2018-15730

Vulnerability

The szkg64.sys kernel driver in STOPzilla AntiMalware version 6.5.2.59 fails to validate the output buffer address value supplied in IOCTL 0x80002067. The vulnerability is one of several discovered by GreyHatHacker in the product, all stemming from the driver not validating the output buffer address (or size in some cases) [1], [2]. This specific IOCTL leads to a denial of service condition when triggered [2].

Exploitation

To exploit this vulnerability, an attacker must have the ability to send a crafted IOCTL request to the affected driver. No authentication is required; any user-mode process that can interact with the STOPzilla driver can send the malicious IOCTL. The attacker sends an IOCTL code 0x80002067 with an invalid or arbitrary output buffer address [2]. The driver does not validate this address, causing a system crash (BSOD) [1].

Impact

A successful exploit results in a denial of service by crashing the Windows kernel (BSOD). The attacker achieves no code execution or privilege escalation; the impact is limited to system instability and forced reboot [2]. The crash is reliable and can be triggered repeatedly.

Mitigation

As of the publication date, the vendor STOPzilla has not responded to the disclosure made in November 2018 [2]. No official fix or updated version is available. Users are advised to disable or remove STOPzilla AntiMalware 6.5.2.59 until a patched version is released [1], [2]. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.