CVE-2018-15732
Description
An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver file szkg64.sys contains an Arbitrary Write vulnerability due to not validating the output buffer address value from IOCtl 0x80002063.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
STOPzilla AntiMalware 6.5.2.59 driver szkg64.sys allows arbitrary write via IOCTL 0x80002063 due to missing output buffer address validation, enabling local privilege escalation.
Vulnerability
STOPzilla AntiMalware version 6.5.2.59 includes the kernel driver szkg64.sys which exposes an IOCTL handler. The IOCTL 0x80002063 (and also 0x8000206F [2]) does not validate the output buffer address provided by the caller. This allows an attacker to write arbitrary data to an arbitrary kernel memory location, as the driver uses the supplied output buffer pointer without checking its validity [2].
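The check that is missing here is the driver-side validation of a caller-supplied output pointer. The following is an added, portable model of that pattern, not STOPzilla's code and not a real Windows driver: it places the vulnerable handler (write through the caller's address unconditionally) beside a hardened one that first checks the length and then applies the same range, wrap and alignment rules that ProbeForWrite enforces. The status codes are real NTSTATUS values; the request layout, the function names and the user/kernel boundary (MmUserProbeAddress on x64) are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Real NTSTATUS values, used here only as return codes for the model. */
#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u
#define STATUS_BUFFER_TOO_SMALL      0xC0000023u

/* Assumed user/kernel boundary: MmUserProbeAddress on x64 Windows.
 * No valid user-mode buffer ends at or above this address. */
#define USER_PROBE_ADDRESS 0x00007FFFFFFF0000ULL

/* What a METHOD_NEITHER dispatch routine sees from the IRP (assumed layout). */
typedef struct {
    uintptr_t output_buffer; /* raw caller-supplied pointer (Irp->UserBuffer) */
    size_t    output_length; /* Parameters.DeviceIoControl.OutputBufferLength */
} ioctl_request_t;

static uint32_t write_counter; /* driver-controlled value that gets written */

/* Model of ProbeForWrite's checks: alignment, no address wrap, whole range
 * below the user probe address. The real routine raises an exception instead
 * of returning a status, so a driver wraps it in __try/__except. */
static uint32_t probe_for_write(uintptr_t addr, size_t len, size_t align)
{
    if (addr % align != 0)
        return STATUS_DATATYPE_MISALIGNMENT;
    if (len == 0)
        return STATUS_SUCCESS; /* ProbeForWrite accepts an empty range */
    if (len > USER_PROBE_ADDRESS || addr > USER_PROBE_ADDRESS - len)
        return STATUS_ACCESS_VIOLATION; /* wraps, or reaches kernel space */
    return STATUS_SUCCESS;
}

/* Vulnerable pattern, the bug class described for IOCTL 0x80002063: the
 * handler trusts the caller's output address and writes through it, so a
 * kernel address is written just as readily as a user buffer. */
static uint32_t handle_ioctl_unchecked(const ioctl_request_t *req)
{
    uint32_t *out = (uint32_t *)req->output_buffer;
    *out = ++write_counter;
    return STATUS_SUCCESS;
}

/* Validation the hardened handler runs before touching the pointer. */
static uint32_t validate_output_buffer(const ioctl_request_t *req)
{
    if (req->output_length < sizeof(uint32_t))
        return STATUS_BUFFER_TOO_SMALL;
    return probe_for_write(req->output_buffer, sizeof(uint32_t), sizeof(uint32_t));
}

/* Hardened handler: the same write, but only into a probed user-mode range. */
static uint32_t handle_ioctl_checked(const ioctl_request_t *req)
{
    uint32_t status = validate_output_buffer(req);
    if (status != STATUS_SUCCESS)
        return status;
    uint32_t *out = (uint32_t *)req->output_buffer;
    *out = ++write_counter;
    return STATUS_SUCCESS;
}

int main(void)
{
    uint32_t target = 0;
    ioctl_request_t user_req   = { (uintptr_t)&target, sizeof target };
    ioctl_request_t kernel_req = { 0xFFFFF80000001000ULL, sizeof target }; /* constructed kernel address */

    printf("user buffer:   status 0x%08X, target now %u\n",
           handle_ioctl_checked(&user_req), target);
    printf("kernel address: status 0x%08X (rejected, nothing written)\n",
           handle_ioctl_checked(&kernel_req));
    return 0;
}
```

In a real WDM driver the simplest fix is to define the IOCTL with METHOD_BUFFERED, so the I/O manager validates and copies the buffer and the handler only ever writes to Irp->AssociatedIrp.SystemBuffer; where METHOD_NEITHER is unavoidable, the ProbeForWrite call inside __try/__except is the check this model stands in for.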
Exploitation
An attacker must have local access to the system and the ability to open a handle to the device driver. By sending a crafted IOCTL 0x80002063 with a controlled output buffer address, the attacker can write a DWORD value to any kernel address. The written value increments with each call, enabling multiple writes to build a desired privilege set. The exploit described in [2] targets the _SEP_TOKEN_PRIVILEGES structure to enable the SeCreateTokenPrivilege privilege, then uses ZwCreateToken to obtain a full privileged token.
Impact
Successful exploitation allows an attacker to escalate privileges from a low-integrity process to SYSTEM. By gaining SeCreateTokenPrivilege, the attacker can create a token with arbitrary privileges, effectively achieving local privilege escalation and full control over the system.
Mitigation
As of the publication date (2019-06-21), no official patch or fixed version has been released by STOPzilla. The vendor did not respond to disclosure attempts [2]. Users are advised to uninstall or replace STOPzilla AntiMalware with an alternative security product. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- STOPzilla/STOPzilla AntiMalware
  - Range: = 6.5.2.59
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.greyhathacker.net (MITRE x_refsource_MISC)
- www.greyhathacker.net (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.