CVE-2018-15735
Description
An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver file szkg64.sys contains an Arbitrary Write vulnerability due to not validating the output buffer address value from IOCtl 0x8000206F.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
STOPzilla AntiMalware driver szkg64.sys contains an arbitrary write vulnerability via IOCTL 0x8000205F, allowing local privilege escalation.
Vulnerability
The STOPzilla AntiMalware driver szkg64.sys version 6.5.2.59 contains an arbitrary write vulnerability. The driver fails to validate the output buffer address value when processing IOCTL 0x8000205F (as per the researcher's disclosure [2]), allowing a local attacker to write arbitrary data to kernel memory. The official CVE description lists IOCTL 0x8000206F, but the researcher's table assigns this CVE to 0x8000205F [2].
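Added example (not from the researcher's write-up or the vendor's code): decoding the two IOCTL values quoted above with the standard Windows `CTL_CODE` bit layout shows that both are METHOD_NEITHER with FILE_ANY_ACCESS. With that transfer type the I/O manager passes the caller's buffer addresses to the driver unchecked, so validation (for example `ProbeForWrite`) is the driver's responsibility. The struct and function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE layout: DeviceType[31:16] | Access[15:14] | Function[13:2] | Method[1:0] */
typedef struct {
    uint16_t device_type;
    uint8_t  access;
    uint16_t function;
    uint8_t  method;
} ioctl_fields;

/* Values as defined in the Windows headers, repeated so this builds anywhere. */
enum { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };
enum { FILE_ANY_ACCESS = 0 };

static ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

/* Returns 1 when the handler receives raw caller-supplied buffer addresses
   (METHOD_NEITHER) and any handle to the device may issue the request. */
static int needs_manual_pointer_validation(uint32_t code) {
    ioctl_fields f = decode_ioctl(code);
    return f.method == METHOD_NEITHER && f.access == FILE_ANY_ACCESS;
}

int main(void) {
    /* The two values this page quotes for CVE-2018-15735. */
    const uint32_t codes[] = { 0x8000206F, 0x8000205F };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        ioctl_fields f = decode_ioctl(codes[i]);
        printf("0x%08X device=0x%04X function=0x%03X access=%u method=%u review=%s\n",
               (unsigned)codes[i], (unsigned)f.device_type, (unsigned)f.function,
               (unsigned)f.access, (unsigned)f.method,
               needs_manual_pointer_validation(codes[i]) ? "raw user pointers" : "ok");
    }
    return 0;
}
```

The same decode can be applied to every IOCTL a third-party driver exposes when triaging it for review: METHOD_NEITHER handlers are the ones whose pointer checks need reading first.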
Exploitation
An attacker must have local access to the system and the ability to send IOCTL requests to the driver. No authentication is required beyond user-mode access. By sending a crafted IOCTL request with a controlled output buffer address, the attacker can overwrite arbitrary kernel memory locations. The researcher demonstrated exploitation by overwriting the _SEP_TOKEN_PRIVILEGES structure to gain SeCreateTokenPrivilege and then creating a privileged token [2].
Impact
Successful exploitation allows an attacker to escalate privileges from a low-integrity user to SYSTEM, gaining full control over the system. The arbitrary write can be used to modify kernel objects, leading to complete compromise of confidentiality, integrity, and availability.
Mitigation
As of the publication date (2019-06-21), no official patch has been released by STOPzilla. The vendor did not respond to the researcher's disclosure [2]. Users should consider removing or replacing STOPzilla AntiMalware with an actively maintained security product. No workaround is available.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- STOPzilla/STOPzilla AntiMalware
- Range: =6.5.2.59
Patches
No patches discovered yet.
References
[1] www.greyhathacker.net (mitre, x_refsource_MISC)
[2] www.greyhathacker.net (mitre, x_refsource_MISC)