Recently, a security researcher posted a tweet on the


According to the reports, an attacker can use these vulnerabilities to escalate from an ordinary user account to SYSTEM, defeat KASLR (Kernel Address Space Layout Randomization) by leaking kernel addresses, steal process tokens from the kernel, and even tamper with kernel callback tables to hide malicious activity from security products.

Because the drivers carry valid EV or WHQL signatures, Windows loads them as trusted kernel code. On a machine where the product is already installed the attacker needs to install nothing else: a low-privileged process can open the driver's device object and send it IOCTLs. The same signatures also let the drivers be brought along and loaded on other machines (the BYOVD pattern that LOLDrivers catalogs), where the only prerequisite is the right to load a driver. Either way, the bar for abuse is very low.

Among them, the kdhacker64_ev.sys driver shipped with Kingsoft Antivirus has an obvious buffer-sizing defect.

When the driver processes user input, it allocates a buffer only about half the size actually required: 1160 bytes of data are written into a 584-byte allocation. The report gives the resulting kernel pool overflow as 512 bytes; taken at face value, the two figures imply 576 bytes written past the end of the buffer, so treat the exact overflow length as approximate until it is verified against the binary.
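The following user-mode simulation is an added example and not code from kdhacker64_ev.sys or from Kingsoft. It models the class of bug described above with one hypothetical mechanism (an allocation sized by element count while the copy is sized in bytes, so the buffer is half the required size); the real driver's IOCTL layout, the element size and the 580-element payload are assumptions. A static arena with a guard region stands in for the kernel pool so the overflow can be measured without undefined behaviour, and the hardened handler shows the length check that was missing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel pool: one static arena whose unused
 * tail is painted with a guard byte, so an overflow can be measured without
 * undefined behaviour. Not the real driver's allocator. */
#define ARENA_SIZE 4096
#define GUARD_BYTE 0xA5
static uint8_t arena[ARENA_SIZE];

/* Hypothetical IOCTL input: a 32-bit element count followed by that many
 * 16-bit (WCHAR-like) elements. Assumed layout, not the driver's. */
struct ioctl_in {
    uint32_t count;
    const uint16_t *data;
};

/* Stand-in for ExAllocatePool: hand out the start of the arena, guard the rest. */
static uint8_t *pool_alloc(size_t n) {
    if (n > ARENA_SIZE) return NULL;
    memset(arena, 0, n);
    memset(arena + n, GUARD_BYTE, ARENA_SIZE - n);
    return arena;
}

/* Bytes written past an allocation of n bytes: distance from the end of the
 * allocation to the highest clobbered guard byte. */
static size_t pool_overflow_bytes(size_t n) {
    size_t overflow = 0;
    for (size_t i = n; i < ARENA_SIZE; i++)
        if (arena[i] != GUARD_BYTE) overflow = i - n + 1;
    return overflow;
}

/* Vulnerable handler: sizes the allocation by the element count but copies
 * count * sizeof(uint16_t) bytes, so the buffer is half the required size.
 * Returns how many bytes landed past the end of the allocation. */
size_t handle_vuln(const struct ioctl_in *in) {
    size_t alloc  = in->count;                           /* BUG: missing * sizeof(uint16_t) */
    size_t needed = (size_t)in->count * sizeof(uint16_t);
    uint8_t *buf = pool_alloc(alloc);
    if (buf == NULL) return 0;
    /* The kernel copy has no length check; it is capped at the arena here only
     * so that this simulation itself stays well defined. */
    memcpy(buf, in->data, needed > ARENA_SIZE ? ARENA_SIZE : needed);
    return pool_overflow_bytes(alloc);
}

/* Hardened handler: derives the byte length with wrap-around checking, rejects
 * input larger than the driver is willing to buffer, then allocates and copies
 * exactly that many bytes. Returns 0 on success, -1 when the request is rejected. */
int handle_fixed(const struct ioctl_in *in, size_t max_bytes) {
    if (in->count > SIZE_MAX / sizeof(uint16_t)) return -1;   /* count * 2 would wrap */
    size_t needed = (size_t)in->count * sizeof(uint16_t);
    if (needed > max_bytes) return -1;
    uint8_t *buf = pool_alloc(needed);
    if (buf == NULL) return -1;
    memcpy(buf, in->data, needed);
    return pool_overflow_bytes(needed) == 0 ? 0 : -2;         /* -2 would mean the model itself broke */
}

/* Constructed 580-element payload (1160 bytes, the reported write size).
 * 0x41 never collides with the guard byte. */
#define PAYLOAD_ELEMS 580
static uint16_t payload[PAYLOAD_ELEMS];

static void build_payload(void) {
    for (size_t i = 0; i < PAYLOAD_ELEMS; i++) payload[i] = 0x4141;
}

size_t demo_vuln(void) {
    build_payload();
    struct ioctl_in in = { PAYLOAD_ELEMS, payload };
    return handle_vuln(&in);                /* 580 bytes past a 580-byte allocation */
}

int demo_fixed_ok(void) {
    build_payload();
    struct ioctl_in in = { PAYLOAD_ELEMS, payload };
    return handle_fixed(&in, ARENA_SIZE);   /* 1160 bytes fit under a 4096-byte limit: 0 */
}

int demo_fixed_reject(void) {
    build_payload();
    struct ioctl_in in = { PAYLOAD_ELEMS, payload };
    return handle_fixed(&in, 1024);         /* 1160 > 1024: rejected, -1 */
}

int main(void) {
    printf("vulnerable handler: %zu bytes written past the allocation\n", demo_vuln());
    printf("hardened handler, 4096-byte limit: %d\n", demo_fixed_ok());
    printf("hardened handler, 1024-byte limit: %d\n", demo_fixed_reject());
    return 0;
}
```

The point to carry over to a real driver review: the allocation size and the copy length must be derived from the same expression, and that expression must be checked for wrap-around and against an upper bound before ExAllocatePool is called, because on the real pool the bytes past the allocation land in a neighbouring chunk rather than in a guard region.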

It is worth noting that the driver carries a valid EV signature, so driver signature enforcement is no obstacle: the attacker is not bypassing a signature check but abusing a defect in code the system already trusts, and a kernel pool overflow in a trusted driver is enough to take complete control of the device.

The 360 Security Guard vulnerability lies in its DsArk64.sys driver.

The driver accepts a 4-byte process ID through an IOCTL and calls ZwTerminateProcess on it from Ring 0 without checking who sent the request or what the target is. Because a kernel-mode caller is not subject to the user-mode protected-process access check, this can forcefully terminate any process, including PPL (Protected Process Light) processes such as security-product services, which puts core system processes at risk.
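The model below is an added example, not code from DsArk64.sys or from 360, and it runs entirely in user mode. It shows why a kernel-side ZwTerminateProcess wrapper has to enforce its own policy: the process table, the simplified protection levels (the real PS_PROTECTION also carries a signer level, which is omitted) and the PIDs are all constructed, and lookup plus termination are collapsed into one step where a real driver would have to open a handle first. The vulnerable dispatch reproduces the pattern described above; the hardened one re-creates the check the kernel skipped.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of Windows process protection: a higher value
 * dominates a lower one. Signer levels are deliberately omitted. */
enum prot_level { PROT_NONE = 0, PROT_PPL = 1, PROT_PP = 2 };

struct proc {
    uint32_t pid;
    enum prot_level level;
    int alive;
};

/* Constructed process table standing in for the kernel's process list. */
static struct proc table[4];

void reset_table(void) {
    struct proc init[4] = {
        {    4, PROT_PP,   1 },   /* System */
        {  700, PROT_PPL,  1 },   /* e.g. a security-product service running as PPL */
        { 1234, PROT_NONE, 1 },   /* ordinary process */
        { 4321, PROT_NONE, 1 },   /* the unprivileged process sending the IOCTL */
    };
    memcpy(table, init, sizeof table);
}

static struct proc *lookup(uint32_t pid) {
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].pid == pid) return &table[i];
    return NULL;
}

int is_alive(uint32_t pid) {
    struct proc *p = lookup(pid);
    return p != NULL && p->alive;
}

/* Stand-in for ZwTerminateProcess issued from Ring 0: the kernel-mode path is
 * not subject to the user-mode protected-process handle check, so it never
 * refuses a target on its own. */
static int zw_terminate(struct proc *p) {
    p->alive = 0;
    return 0;
}

/* Vulnerable dispatch: read a 4-byte PID from the IOCTL buffer and terminate
 * it. Neither the caller nor the target is examined. */
int ioctl_kill_vuln(const uint8_t *in, size_t len, uint32_t caller_pid) {
    (void)caller_pid;                              /* never consulted: that is the bug */
    uint32_t pid;
    if (len < sizeof pid) return -1;
    memcpy(&pid, in, sizeof pid);
    struct proc *target = lookup(pid);
    if (target == NULL) return -1;
    return zw_terminate(target);
}

/* Hardened dispatch: re-create, inside the driver, the check the kernel
 * skipped. The requester must be at least as protected as the target, and the
 * driver refuses targets it has no business touching (here: System). */
int ioctl_kill_fixed(const uint8_t *in, size_t len, uint32_t caller_pid) {
    uint32_t pid;
    if (len < sizeof pid) return -1;
    memcpy(&pid, in, sizeof pid);
    struct proc *caller = lookup(caller_pid);
    struct proc *target = lookup(pid);
    if (caller == NULL || target == NULL) return -1;
    if (target->pid == 4) return -3;               /* never terminate System */
    if (caller->level < target->level) return -2;  /* the STATUS_ACCESS_DENIED case */
    return zw_terminate(target);
}

/* Encode a PID the way the IOCTL buffer carries it: 4 bytes, little-endian. */
static void put_pid(uint8_t out[4], uint32_t pid) {
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(pid >> (8 * i));
}

/* Unprivileged caller 4321 asks the vulnerable driver to kill PPL process 700. */
int demo_vuln_kills_ppl(void) {
    uint8_t buf[4];
    reset_table();
    put_pid(buf, 700);
    ioctl_kill_vuln(buf, sizeof buf, 4321);
    return is_alive(700);                           /* 0: the PPL process is gone */
}

/* The same request against the hardened dispatch. */
int demo_fixed_denies_ppl(void) {
    uint8_t buf[4];
    reset_table();
    put_pid(buf, 700);
    int rc = ioctl_kill_fixed(buf, sizeof buf, 4321);
    return rc == -2 && is_alive(700);               /* 1: denied, process still running */
}

/* A PPL caller (700) may still terminate an ordinary process (1234). */
int demo_fixed_allows_legit(void) {
    uint8_t buf[4];
    reset_table();
    put_pid(buf, 1234);
    int rc = ioctl_kill_fixed(buf, sizeof buf, 700);
    return rc == 0 && !is_alive(1234);              /* 1 */
}

int main(void) {
    printf("vulnerable dispatch, PPL target alive afterwards: %d\n", demo_vuln_kills_ppl());
    printf("hardened dispatch denies the PPL kill: %d\n", demo_fixed_denies_ppl());
    printf("hardened dispatch lets a PPL caller kill an ordinary target: %d\n", demo_fixed_allows_legit());
    return 0;
}
```

In a real driver the first line of defence sits one layer earlier: restrict who can open the device object at all (a restrictive security descriptor on the device, or verifying that the requester is the vendor's own service) so that an arbitrary low-privileged process never reaches the dispatch routine. The per-request check shown here is the second layer, and it matters precisely because ZwTerminateProcess from kernel mode will not perform it for you.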

In addition, the driver's kernel read and write interface encrypts its requests with AES-128-CBC, but the decryption key is hard-coded in the binary's .data section and is the same across all versions. Anyone with a copy of the driver can extract the key once and then forge valid read/write requests against every installed version, so the encryption is obfuscation rather than an access control and barely slows an attacker down.

Both of these high-risk drivers have now been submitted to the LOLDrivers database (loldrivers.io), which catalogs legitimately signed drivers known to be abusable.