360 Security Guard was exposed to have a high-risk vulnerability that allows attackers to completely control the device

[Gearbest Technology News] Security researchers recently disclosed high-risk vulnerabilities in the kernel drivers of Kingsoft Antivirus and 360 Security Guard. By exploiting these vulnerabilities, an attacker could gain complete control over the target device.

360 Security Guard

According to the reports, an attacker can use these vulnerabilities to escalate from ordinary user privileges to the highest privilege level, bypass kernel address space layout randomization (KASLR), steal kernel credentials, and even modify the kernel callback table to hide malicious behavior. Because the affected drivers carry official signatures, an attacker can load a malicious payload directly without installing additional software on the target device, so the bar for an attack is low.


Among them, the kdhacker64_ev.sys driver of Kingsoft Antivirus has a buffer allocation defect. When the driver processes user input, the buffer it allocates is only about half the size actually required: 1160 bytes of data are written into only 584 bytes of space, resulting in a kernel pool overflow. The driver carries a valid EV signature, which an attacker can rely on to bypass system security checks.
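The sizing defect described above is a classic allocation-versus-copy mismatch. The following C program is an added illustration, not code from the driver or from the researchers' report: it models a hypothetical request handler in user mode, with a `buggy_alloc_size` policy that reserves roughly half the payload length (the article reports 584 bytes for a 1160-byte request; the driver's exact arithmetic is not on the page) beside a `correct_alloc_size` policy, and shows the bounds check that a hardened handler performs before copying. The struct layout, function names and the 1160-byte sample request are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes reported in the article: a 1160-byte request written into 584 bytes. */
#define REPORTED_REQUEST_LEN 1160u

/* Buggy policy (hypothetical model): reserve only about half the payload. */
static size_t buggy_alloc_size(size_t payload_len)
{
    return payload_len / 2;
}

/* Correct policy: the buffer must hold the whole payload. */
static size_t correct_alloc_size(size_t payload_len)
{
    return payload_len;
}

/* Returns 1 when copying payload_len bytes into alloc_len bytes would overflow. */
int would_overflow(size_t alloc_len, size_t payload_len)
{
    return payload_len > alloc_len;
}

/* Simulated handler. Allocates with the given sizing policy, then refuses
 * the copy when it would overflow. Returns bytes copied, or -1 on rejection.
 * In the reported bug this check was absent, so the copy ran anyway. */
long handle_request(const uint8_t *payload, size_t payload_len,
                    size_t (*sizing)(size_t))
{
    size_t alloc_len = sizing(payload_len);
    uint8_t *buf = malloc(alloc_len ? alloc_len : 1);
    if (buf == NULL)
        return -1;
    if (would_overflow(alloc_len, payload_len)) {
        free(buf);
        return -1;
    }
    memcpy(buf, payload, payload_len);
    free(buf);
    return (long)payload_len;
}

/* Runs the reported 1160-byte case through the buggy (use_fix == 0) or the
 * corrected (use_fix != 0) sizing policy and returns the handler's result. */
long simulate_reported_case(int use_fix)
{
    uint8_t payload[REPORTED_REQUEST_LEN];           /* constructed sample input */
    memset(payload, 0x41, sizeof payload);
    return handle_request(payload, sizeof payload,
                          use_fix ? correct_alloc_size : buggy_alloc_size);
}

int main(void)
{
    printf("buggy sizing:   %ld (negative = copy rejected, would have overflowed)\n",
           simulate_reported_case(0));
    printf("correct sizing: %ld bytes copied\n", simulate_reported_case(1));
    return 0;
}
```

The point of the example is the shape of the fix: the allocation length and the copy length must be derived from the same trusted computation, and the copy must be guarded by an explicit comparison rather than trusting that the two agree.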


The 360 Security Guard vulnerability lies in the DsArk64.sys driver. The driver accepts a process ID through a specific interface and forcibly terminates that process at the kernel level; it can even bypass the protected process mechanism and so threatens core system processes. In addition, the driver's kernel read and write function is protected by an encryption algorithm, but the decryption key is hard-coded in the file and every version uses the same key, which makes it easy for an attacker to recover.

Currently, these two high-risk vulnerabilities have been submitted to relevant vulnerability databases.
