K7 Antivirus Flaw Lets Attackers Gain SYSTEM-Level Privileges

A significant security vulnerability has been identified within K7 Ultimate Security antivirus software, posing a serious risk to Windows computer systems. This flaw, designated as CVE-2024-36424, permits low-privileged users to escalate their permissions to the SYSTEM level, granting them comprehensive control over affected devices.

How the Vulnerability Works

K7 Ultimate Security utilizes named pipes for communication between various components of the software. These named pipes serve as conduits that allow programs operating with limited permissions to request actions from higher-privileged programs.

According to research conducted by Quarkslab, the named pipe employed by K7, known as K7TSMngrService1, exhibits inadequate access controls. The issue arises from the manner in which K7 manages user settings. When administrators permit regular users to modify security settings, the software communicates through this named pipe.

Researchers uncovered that any process could dispatch specially crafted messages to manipulate the SYSTEM-level service into making unauthorized registry changes. An attacker with basic user access could exploit this vulnerability in two primary ways:

  • By sending appropriate commands to the named pipe, a low-privileged user could disable antivirus protection entirely. This includes turning off real-time scanning or cloud protection, or even adding malware to the allowlist.
  • Attackers could also achieve full privilege escalation via Image File Execution Options (IFEO). By deceiving the K7 service into modifying the Windows registry keys that control how programs are launched, the attacker’s malicious code would execute with SYSTEM privileges during K7’s update process.

Patch Attempts and Bypasses

In response to this vulnerability, K7 Computing has released several patches aimed at rectifying the issue. The initial patch introduced caller validation to verify which programs were issuing commands. However, researchers managed to bypass this protection by injecting code into legitimate K7 processes through manual mapping.

A subsequent patch implemented process protection via the K7Sentry driver, yet this was circumvented by utilizing a different K7 executable not included on the protected list. The third patch expanded the protection list, but researchers found that any digitally signed K7 binary not explicitly listed could still serve as an attack vector. By simply renaming and relocating these binaries, the exploit was rendered effective once more.

This vulnerability impacts K7 Ultimate Security version 17.0.2045 and potentially earlier versions. Organizations utilizing K7 antivirus are strongly advised to upgrade to the latest patched version without delay.

This incident highlights a critical lesson: antivirus software can inadvertently become an attack vector if security controls are improperly implemented. Security experts urge antivirus vendors to enforce stringent authentication measures for inter-process communication and to avoid relying solely on process name verification for security decisions. Additionally, users are encouraged to monitor their systems for any unusual registry changes or privilege escalations.
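One way to act on the monitoring advice above is to watch for registry writes that set an IFEO Debugger value, which is the launch-redirection mechanism the article describes. The following is an added example, not code from the article, from K7 Computing or from Quarkslab: it scans Sysmon Event ID 13 (RegistryEvent, SetValue) records, already parsed into dictionaries as a SIEM JSON export would provide them, and raises an alert for each Debugger write, rating it higher when the writing process runs as SYSTEM, since a privileged service setting a Debugger value on behalf of an unknown caller is exactly the pattern described here. The log records are constructed, and the `ExampleAV\service.exe` path is a placeholder, not a K7 binary (the article names none).

```python
"""Detect writes of an Image File Execution Options (IFEO) Debugger value
from Sysmon Event ID 13 records. Added example; the sample records below are
constructed and the ExampleAV path is a placeholder, not a real product path."""
from dataclasses import dataclass

# Native and WOW64 IFEO roots, written as Sysmon reports TargetObject.
IFEO_ROOTS = (
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
)
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"


@dataclass
class Alert:
    severity: str       # "high" when the writer ran as SYSTEM, else "medium"
    hijacked_exe: str   # program whose launch the Debugger value redirects
    debugger: str       # executable written into the Debugger value
    writer: str         # image path of the process that performed the write
    user: str           # account the writer ran as
    utc_time: str


def parse_ifeo_target(target_object):
    """Return (exe_name, value_name) when the path is <IFEO root>\\<exe>\\<value>,
    else None. Matching is case-insensitive, as the registry itself is."""
    lowered = target_object.lower()
    for root in IFEO_ROOTS:
        prefix = root.lower() + "\\"
        if lowered.startswith(prefix):
            parts = target_object[len(prefix):].split("\\")
            if len(parts) == 2:
                return parts[0], parts[1]
    return None


def find_ifeo_debugger_writes(events):
    """Yield one Alert per Sysmon SetValue event that writes an IFEO Debugger
    value. Other IFEO values (e.g. GlobalFlag) and non-IFEO keys are ignored."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
            continue
        parsed = parse_ifeo_target(ev.get("TargetObject", ""))
        if parsed is None:
            continue
        exe, value_name = parsed
        if value_name.lower() != "debugger":
            continue
        user = ev.get("User", "")
        severity = "high" if user.upper() == SYSTEM_ACCOUNT.upper() else "medium"
        alerts.append(Alert(severity, exe, ev.get("Details", ""),
                            ev.get("Image", ""), user, ev.get("UtcTime", "")))
    return alerts


# Constructed Sysmon Event ID 13 records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2024-06-10 12:00:01.000",
     "Image": r"C:\Windows\System32\svchost.exe", "User": SYSTEM_ACCOUNT,
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer",
     "Details": "time.windows.com"},
    # A SYSTEM service writing a Debugger value: the escalation pattern.
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2024-06-10 12:00:02.000",
     "Image": r"C:\Program Files\ExampleAV\service.exe", "User": SYSTEM_ACCOUNT,
     "TargetObject": IFEO_ROOTS[0] + r"\updater.exe\Debugger",
     "Details": r"C:\Users\Public\payload.exe"},
    # An interactive user registering a just-in-time debugger: worth a look, lower severity.
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2024-06-10 12:00:03.000",
     "Image": r"C:\Program Files\DevTools\ide.exe", "User": r"CORP\dev",
     "TargetObject": IFEO_ROOTS[1] + r"\notepad.exe\Debugger",
     "Details": r"C:\Program Files\DevTools\jitdbg.exe"},
    # Another IFEO value that is not Debugger: not flagged by this rule.
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2024-06-10 12:00:04.000",
     "Image": r"C:\Windows\System32\gflags.exe", "User": r"CORP\dev",
     "TargetObject": IFEO_ROOTS[0] + r"\app.exe\GlobalFlag",
     "Details": "DWORD (0x00000200)"},
]

if __name__ == "__main__":
    for a in find_ifeo_debugger_writes(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.utc_time} {a.writer} ({a.user}) "
              f"set IFEO Debugger for {a.hijacked_exe} -> {a.debugger}")
```

The rule deliberately keys on the value name rather than on the writing process, following the article's point that process identity alone is a weak basis for a security decision; a real deployment would add an allowlist of known debugger registrations and forward alerts to the SIEM rather than print them.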

The disclosure of this vulnerability follows responsible reporting practices, allowing the vendor multiple opportunities to address the issue prior to its public announcement.
