CVE-2018-6606
Description
An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper access control in zam32.sys and zam64.sys allows a non-privileged process to register itself with the driver by sending IOCTL 0x80002010 and then using IOCTL 0x8000204C to \\.\ZemanaAntiMalware to elevate privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MalwareFox AntiMalware 2.74.0.150 drivers allow unprivileged processes to register as trusted via IOCTL 0x80002010, enabling arbitrary privilege escalation.
Vulnerability
MalwareFox AntiMalware version 2.74.0.150 contains a vulnerability in the kernel drivers zam32.sys and zam64.sys. The driver does not verify whether the requesting process is already registered when handling IOCTL 0x80002010, which is used to register a process by its PID as trusted. This allows any process, regardless of privilege level, to register itself and gain elevated access to sensitive IOCTLs such as 0x8000204C sent to \\.\ZemanaAntiMalware. The flaw is documented in the exploit code [1], which details the missing authorization check at driver entry point offsets.
Exploitation
An attacker requires local access to the system with any user-level process (non-privileged). No additional authentication or user interaction is needed beyond executing a program. The attacker sends IOCTL 0x80002010 to the driver handle to register their own process ID as trusted. Afterwards, they can send IOCTL 0x8000204C to perform privileged operations, such as enabling/disabling real-time protection, writing to raw disk, or opening full-access handles to other processes [1].
Impact
Successful exploitation results in arbitrary privilege escalation from a non-privileged process to the kernel level. The attacker can execute arbitrary code with SYSTEM privileges, fully compromising the confidentiality, integrity, and availability of the affected system. The impact includes the ability to disable security features, access sensitive data, and install persistent malware [1].
Mitigation
As of the publication date (February 2018), no official patch or fixed version had been released. Users are advised to update to a newer version of MalwareFox AntiMalware if available, or to remove the product if continued use introduces unacceptable risk. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the last known update. No workaround is documented in the provided references [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 2.74.0.150
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.exploit-db.com/exploits/43987/ (mitre, exploit, x_refsource_EXPLOIT-DB)
- github.com/SouhailHammou/Exploits/blob/master/CVE-2018-6606/Malwarefox_privescl_1.c (mitre, x_refsource_MISC)