7.8
CVSSv3

CVE-2021-31728

Published: 17/05/2021 Updated: 12/07/2022
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 642
CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Incorrect access control in zam64.sys and zam32.sys in MalwareFox AntiMalware 2.74.0.150 allows a non-privileged process to open a handle to \\.\ZemanaAntiMalware, register itself with the driver by sending IOCTL 0x80002010, allocate executable memory using a flaw in IOCTL 0x80002040, install a hook with IOCTL 0x80002044, and execute the executable memory through this hook with IOCTL 0x80002014 or 0x80002018. This exposes ring 0 code execution in the context of the driver, allowing the non-privileged process to elevate privileges.
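The root cause above is an access-control gap: the device can be opened by any user and the control codes carry no per-IOCTL access requirement, so the I/O manager hands every request straight to the driver. A first triage step for any third-party driver is to decode its IOCTL numbers into the CTL_CODE fields (device type, function, buffering method, required access). The C program below is an added example for this page, not code from the advisory or the referenced repositories; it decodes the five codes quoted in the summary and flags the ones with FILE_ANY_ACCESS. The field layout is the documented Windows CTL_CODE layout; the IOCTL values come from the summary text, and the helper names are this example's own.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Bit layout of a Windows I/O control code, as produced by the CTL_CODE macro:
 *   bits 31..16  DeviceType     (0x8000 and above are vendor-defined)
 *   bits 15..14  RequiredAccess (checked by the I/O manager against the handle)
 *   bits 13..2   Function       (0x800 and above are vendor-defined)
 *   bits  1..0   Method         (how the user buffers reach the driver)
 */
#define METHOD_BUFFERED    0u
#define METHOD_IN_DIRECT   1u
#define METHOD_OUT_DIRECT  2u
#define METHOD_NEITHER     3u
#define FILE_ANY_ACCESS    0u
#define FILE_READ_ACCESS   1u
#define FILE_WRITE_ACCESS  2u

typedef struct {
    uint16_t device_type;
    uint16_t function;
    uint8_t  method;
    uint8_t  access;
} ioctl_fields;

/* Split a control code into its CTL_CODE components. */
ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3u);
    f.function    = (uint16_t)((code >> 2) & 0xFFFu);
    f.method      = (uint8_t)(code & 0x3u);
    return f;
}

/* Re-encode the components; used to confirm the decoder round-trips. */
uint32_t ctl_code(uint16_t device_type, uint16_t function, uint8_t method, uint8_t access) {
    return ((uint32_t)device_type << 16) | ((uint32_t)(access & 3u) << 14) |
           ((uint32_t)(function & 0xFFFu) << 2) | (uint32_t)(method & 3u);
}

const char *method_name(uint8_t m) {
    static const char *names[] = {"METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                  "METHOD_OUT_DIRECT", "METHOD_NEITHER"};
    return names[m & 3u];
}

const char *access_name(uint8_t a) {
    static const char *names[] = {"FILE_ANY_ACCESS", "FILE_READ_ACCESS",
                                  "FILE_WRITE_ACCESS", "FILE_READ|WRITE_ACCESS"};
    return names[a & 3u];
}

/* True when the I/O manager applies no per-IOCTL access check: any caller that
 * managed to open the device object can send this code. */
bool ioctl_is_any_access(uint32_t code) {
    return decode_ioctl(code).access == FILE_ANY_ACCESS;
}

/* How many codes in a list would be accepted regardless of handle access rights. */
size_t count_any_access(const uint32_t *codes, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (ioctl_is_any_access(codes[i])) hits++;
    return hits;
}

/* The five control codes named in the advisory text above. */
static const uint32_t ZAM_IOCTLS[] = {0x80002010u, 0x80002040u, 0x80002044u,
                                      0x80002014u, 0x80002018u};
#define ZAM_IOCTL_COUNT (sizeof ZAM_IOCTLS / sizeof ZAM_IOCTLS[0])

int main(void) {
    printf("%-12s %-8s %-8s %-18s %s\n", "IOCTL", "DevType", "Func", "Method", "Access");
    for (size_t i = 0; i < ZAM_IOCTL_COUNT; i++) {
        ioctl_fields f = decode_ioctl(ZAM_IOCTLS[i]);
        printf("0x%08X   0x%04X   0x%03X    %-18s %s\n", ZAM_IOCTLS[i], f.device_type,
               f.function, method_name(f.method), access_name(f.access));
    }
    printf("%zu of %zu codes carry FILE_ANY_ACCESS\n",
           count_any_access(ZAM_IOCTLS, ZAM_IOCTL_COUNT), ZAM_IOCTL_COUNT);
    return 0;
}
```

All five codes decode to vendor-defined functions 0x804 to 0x811 on device type 0x8000 with METHOD_BUFFERED and FILE_ANY_ACCESS. Changing the access bits to FILE_READ_ACCESS or FILE_WRITE_ACCESS only ties each request to the rights the handle was opened with; what actually keeps a non-privileged process out is restricting who can open the device in the first place (for example creating it with IoCreateDeviceSecure and an SDDL that limits access to SYSTEM and Administrators) together with strict validation of every buffered request in the dispatch routine.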


Vulnerable Products

malwarefox antimalware 2.74.0.150

Github Repositories

Ternimator: A Nim re-write of Terminator by ZeroMemoryEx

A Nim re-write of Terminator that allows for loading the driver via either service creation or the NtLoadDriver API call. The driver is embedded into the executable and will be dropped to disk. The executable also embeds and drops kernel_exec.exe, which exploits a different vuln in the Zemana driver to elevate to SYSTEM (CVE-2021-31728). Build: nimble build

CVE-2021-31727 and CVE-2021-31728 Public Reference: vulnerability in zam64.sys, zam32.sys allowing ring 0 code execution.

Public reference for CVE-2021-31727 and CVE-2021-31728. CVE-2021-31727 exposes unrestricted disk read/write capabilities. CVE-2021-31728 exposes arbitrary ring 0 code execution directly.