Zemana amsdk.sys Kernel Driver Arbitrary Code Injection Vulnerability (CVE-2022-42045)

Vulnerability Key Information Vulnerability Overview CVE-2022-42045 Summary: Type: Arbitrary Code Injection Vulnerability Location: kernel-mode driver, part of Zemana AntiMalware SDK Impact: Allows injection of arbitrary code into one section of the driver code and execution with kernel-mode privileges, leading to local privilege escalation (from administrator to kernel mode) Potential Risk: Disable driver signature enforcement, then install unsigned kernel-mode drivers Details Vulnerable Function Location: Offset in the section Calling Function Location: Offset in the section Parameters: 1. Target Address: Address of a function in the section with RWX permissions, pointing to the function at offset 2. Source Address: Source buffer address of user-controlled code 3. Integer Value: 128 4. Address of a function in , called immediately after the code in parameter 2 is executed. Before calling the code in parameter 2, the value of this parameter is increased by the code length (parameter 2 length minus 1). This length is calculated by a lightweight disassembler embedded in the driver. After executing the code in parameter 2, control is transferred to Related IOCTL Calls: - IOCTL calls the function at offset , allowing arbitrary user-controlled code to fill the stub in the section - IOCTL (via SCSI read) or IOCTL (via SCSI write) transfers control to the filled stub Affected Products Antivirus Software: Watchdog Anti-Malware 4.1.422, Zemana AntiMalware 3.2.28 — both use the same vulnerable driver but with different signing certificates Logger: Zemana AntiLogger v2.74.2.664 — vulnerable drivers: , Affected Operating Systems Windows Versions: 64-bit versions of Windows, from Windows 7 to Windows 11 Mitigation Recommendation: Uninstall Zemana or Watchdog antivirus products, and add driver signing to the blacklist Appendix A partially captured CMD screenshot from the webpage shows an error message when attempting to start the driver, indicating failure due to unsigned digital signature verification. This demonstrates one defensive measure: driver signing blacklist policy.

Goal Reached Thanks to every supporter — we hit 100%!

Zemana amsdk.sys Kernel Driver Arbitrary Code Injection Vulnerability (CVE-2022-42045)

More from this source