CVE-2018-15738
Description
An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver file szkg64.sys contains an Arbitrary Write vulnerability due to not validating the output buffer address value from IOCtl 0x8000205F.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
STOPzilla AntiMalware 6.5.2.59 driver szkg64.sys contains an arbitrary write vulnerability via IOCTL 0x8000205F, allowing local privilege escalation.
Vulnerability
The kernel driver szkg64.sys in STOPzilla AntiMalware version 6.5.2.59 does not validate the output buffer address value provided to IOCTL 0x8000205F. This allows an attacker to write arbitrary data to an arbitrary kernel memory location. The vulnerability is reachable from user mode by any process that can open a handle to the driver device.
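Decoding the IOCTL code with the standard Windows CTL_CODE bit layout shows why the output buffer address matters here. The following is an added example, not code from the CVE record, the vendor, or the referenced write-up; the two extra sample codes are constructed. The transfer method decodes to METHOD_NEITHER, where the I/O manager hands the driver the caller's buffer addresses as-is and the driver must validate them itself, and the required access decodes to FILE_ANY_ACCESS.

```c
/* Added example: split a Windows IOCTL code into its CTL_CODE fields and
 * flag the combinations that deserve a close look during driver review. */
#include <stdint.h>
#include <stdio.h>

/* Field values as defined in the Windows driver headers. */
enum { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };
enum { FILE_ANY_ACCESS = 0, FILE_READ_ACCESS = 1, FILE_WRITE_ACCESS = 2 };

typedef struct {
    uint32_t device_type; /* bits 31..16 */
    uint32_t access;      /* bits 15..14 */
    uint32_t function;    /* bits 13..2  */
    uint32_t method;      /* bits 1..0   */
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Review flags (names are this example's own, not a Windows API). */
#define RISK_RAW_POINTERS 0x1u /* METHOD_NEITHER: driver gets unvalidated user addresses */
#define RISK_ANY_ACCESS   0x2u /* FILE_ANY_ACCESS: no read/write right needed on the handle */

unsigned ioctl_risk_flags(uint32_t code) {
    ioctl_fields f = decode_ioctl(code);
    unsigned flags = 0;
    if (f.method == METHOD_NEITHER)  flags |= RISK_RAW_POINTERS;
    if (f.access == FILE_ANY_ACCESS) flags |= RISK_ANY_ACCESS;
    return flags;
}

int main(void) {
    /* 0x8000205F is the code named in the CVE; the other two are constructed. */
    const uint32_t codes[] = { 0x8000205F, 0x80002000, 0x8000A003 };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        ioctl_fields f = decode_ioctl(codes[i]);
        printf("0x%08X dev=0x%04X func=0x%03X access=%u method=%u flags=0x%X\n",
               (unsigned)codes[i], (unsigned)f.device_type, (unsigned)f.function,
               (unsigned)f.access, (unsigned)f.method, ioctl_risk_flags(codes[i]));
    }
    return 0;
}
```

A handler for a code carrying both flags is where a reviewer should expect to find explicit address validation (for example ProbeForWrite inside an exception handler) before any write to the caller-supplied output pointer.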
Exploitation
An attacker with local access and the ability to open a handle to the driver can send a crafted IOCTL 0x8000205F request specifying a controlled output buffer address. By repeatedly invoking the IOCTL, the attacker can overwrite kernel structures such as _SEP_TOKEN_PRIVILEGES to enable the SeCreateTokenPrivilege privilege [2]. This technique is demonstrated in public exploit code [2].
Impact
Successful exploitation grants the attacker the ability to create a new token with arbitrary privileges, leading to full SYSTEM-level code execution. The arbitrary write primitive can be used to elevate privileges from a low-integrity user to kernel-level control.
Mitigation
As of the publication date (2019-07-09), no official patch or workaround has been released by the vendor. The vulnerability remains unpatched; users are advised to discontinue use of STOPzilla AntiMalware or restrict access to the driver until a fix is available.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- STOPzilla/STOPzilla AntiMalware
- Range: = 6.5.2.59
Patches
No patches discovered yet.
References
- www.greyhathacker.net (mitre, x_refsource_MISC)
- www.greyhathacker.net (mitre, x_refsource_MISC)