cbcvebase.
CVE-2018-5701
published 2018-01-31

Priority: P2 (62) · critical · CVSS 3.0 score 9.8
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 18.45% (96.9th percentile)
In Iolo System Shield AntiVirus and AntiSpyware 5.0.0.136, the amp.sys driver file contains an Arbitrary Write vulnerability due to not validating input values from IOCtl 0x00226003.

Affected (1 range)

Vendor: iolo
Product: system_shield
Version range: not listed on this page
Fixed in: not listed on this page

Detection & IOCs (extracted from sources)

  • IOCTL code: 0x00226003
  • filename: amp.sys
  • path: \\.\amp
  • command: DeviceIoControl(hDevice, 0x00226003, inbuffer1, sizeof(inbuffer1), NULL, 0, &dwRetBytes, NULL);
  • command: NTSTATUS status = DeviceIoControl(deviceHandle, 0x226003, inputBuffer, inputBufferSize, NULL, NULL, (LPDWORD)&bytesReturned, (LPOVERLAPPED)NULL);
  • Monitor for processes opening a handle to the '\\.\amp' or '\\.\AMP' device object (the name is matched case-insensitively by the object manager); this is the attack surface exposed by the vulnerable amp.sys driver.
  • Alert on DeviceIoControl calls to IOCTL code 0x00226003 (or 0x226003) targeting the amp device; this is the specific control code exploited for the arbitrary write primitive.
  • Detect unexpected writes to HKLM\SYSTEM\CurrentControlSet\services\msiserver\ImagePath by non-SYSTEM/non-admin processes, which is the post-exploitation persistence step used by the exploit.
  • Flag execution of msiexec.exe with the '/i poc.msi /quiet' arguments spawned from a low-privileged process, indicating the exploit's privilege escalation trigger step.
  • Detect low-privileged processes calling SetNamedSecurityInfo to take ownership of HKLM\SYSTEM\CurrentControlSet\services\msiserver, a key indicator of the exploit's privilege escalation chain.
  • The exploit targets _SEP_TOKEN_PRIVILEGES at a fixed offset of 0x40 from the token address; kernel integrity monitoring for token privilege field modifications can detect this technique.
  • The original exploit (EDB-43929) was tested only on 64-bit Windows 7 and Windows 10 (1709); the _SEP_TOKEN_PRIVILEGES offset of 0x40 may differ on other OS versions, affecting exploit reliability.
  • At the time of original disclosure (January 2018), no vendor fix was available; the vulnerability was a 0day.
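As an added example (not code from this page, from the EDB-43929 exploit, or from any vendor tool), the following Python does two things a practitioner would want here: it splits the IOCTL code 0x00226003 into its CTL_CODE fields, and it runs the detection bullets above over a constructed event stream. The event format and field names (type, pid, user, integrity, path, code, key, api, object, image, cmdline), the helper names, and the sample events are all assumptions; the msiexec rule generalizes the 'poc.msi' name to any .msi argument.

```python
"""Decode the amp.sys IOCTL and run CVE-2018-5701 detection rules over sample telemetry.

Added example; the telemetry schema below is assumed, not taken from any real product.
"""
import re

# CTL_CODE layout (winioctl.h): DeviceType[31:16] | Access[15:14] | Function[13:2] | Method[1:0]
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

AMP_IOCTL = 0x00226003
AMP_DEVICE = re.compile(r"^\\\\\.\\amp$", re.IGNORECASE)          # \\.\amp or \\.\AMP
MSISERVER_KEY = r"HKLM\SYSTEM\CurrentControlSet\services\msiserver"
MSIEXEC_ARGS = re.compile(r"/i\s+\S+\.msi\s+/quiet", re.IGNORECASE)  # generalizes 'poc.msi'


def decode_ioctl(code):
    """Split a Windows IOCTL into device type, required access, function number and buffering method."""
    return {
        "device_type": code >> 16,
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
    }


def as_int(code):
    """Accept the code as an int or as a hex string such as '0x226003' / '226003'."""
    return code if isinstance(code, int) else int(str(code), 16)


def low_priv(ev):
    """Assumed fields: 'user' and 'integrity' of the acting process (for process_create, the spawning process)."""
    return (ev.get("user") != "NT AUTHORITY\\SYSTEM"
            and ev.get("integrity", "medium").lower() in ("low", "medium"))


# One predicate per bullet in the advisory's detection guidance.
RULES = [
    ("amp_device_handle",
     lambda e: e["type"] == "handle_open" and AMP_DEVICE.match(e.get("path", "")) is not None),
    ("amp_ioctl_0x226003",
     lambda e: e["type"] == "ioctl" and AMP_DEVICE.match(e.get("path", "")) is not None
     and as_int(e["code"]) == AMP_IOCTL),
    ("msiserver_imagepath_write",
     lambda e: e["type"] == "registry_set"
     and e.get("key", "").lower() == (MSISERVER_KEY + r"\ImagePath").lower() and low_priv(e)),
    ("msiserver_take_ownership",
     lambda e: e["type"] == "api_call" and e.get("api") == "SetNamedSecurityInfo"
     and e.get("object", "").lower() == MSISERVER_KEY.lower() and low_priv(e)),
    ("msiexec_quiet_install_from_lowpriv",
     lambda e: e["type"] == "process_create"
     and e.get("image", "").lower().endswith("msiexec.exe")
     and MSIEXEC_ARGS.search(e.get("cmdline", "")) is not None and low_priv(e)),
]


def detect(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    return [(name, ev) for ev in events for name, pred in RULES if pred(ev)]


def chain_pids(events):
    """PIDs that both hit the driver IOCTL and performed one of the msiserver escalation steps."""
    per_pid = {}
    for name, ev in detect(events):
        per_pid.setdefault(ev.get("pid"), set()).add(name)
    escalation = {"msiserver_imagepath_write", "msiserver_take_ownership",
                  "msiexec_quiet_install_from_lowpriv"}
    return sorted(pid for pid, names in per_pid.items()
                  if "amp_ioctl_0x226003" in names and names & escalation)


# Constructed sample telemetry (not real logs): one low-privileged process walking the full chain,
# plus two SYSTEM events that must not fire.
SAMPLE_EVENTS = [
    {"type": "handle_open", "pid": 4242, "user": "DESK\\alice", "integrity": "medium", "path": r"\\.\AMP"},
    {"type": "ioctl", "pid": 4242, "user": "DESK\\alice", "integrity": "medium", "path": r"\\.\amp", "code": "0x226003"},
    {"type": "ioctl", "pid": 1337, "user": "NT AUTHORITY\\SYSTEM", "integrity": "system", "path": r"\\.\amp", "code": 0x226007},
    {"type": "api_call", "pid": 4242, "user": "DESK\\alice", "integrity": "medium", "api": "SetNamedSecurityInfo", "object": MSISERVER_KEY},
    {"type": "registry_set", "pid": 4242, "user": "DESK\\alice", "integrity": "medium", "key": MSISERVER_KEY + r"\ImagePath", "data": r"C:\Users\alice\evil.exe"},
    {"type": "registry_set", "pid": 900, "user": "NT AUTHORITY\\SYSTEM", "integrity": "system", "key": MSISERVER_KEY + r"\ImagePath", "data": r"C:\Windows\system32\msiexec.exe /V"},
    {"type": "process_create", "pid": 4242, "user": "DESK\\alice", "integrity": "medium", "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec.exe /i poc.msi /quiet"},
]

if __name__ == "__main__":
    print(decode_ioctl(AMP_IOCTL))
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"[{name}] pid={ev.get('pid')} user={ev.get('user')}")
    print("full-chain pids:", chain_pids(SAMPLE_EVENTS))
```

The decoded fields explain why this control code matters: the method bits are 3, METHOD_NEITHER, so the driver receives the caller's raw input and output pointers and must validate them itself, which is consistent with the unvalidated input the CVE describes. Stock Sysmon does not record handle opens to device objects or DeviceIoControl calls, so the first two rules need EDR or ETW-based API telemetry; the registry and process rules map to Sysmon event IDs 13 (RegistryEvent, value set) and 1 (process creation).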

CVSS provenance

nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C

Both NVD vectors score the bug as network-reachable with no privileges required. The attack surface documented above (a handle to \\.\amp and a DeviceIoControl call with IOCTL 0x00226003) is only reachable by code already running on the host, so in practice this behaves as a local privilege escalation; treat the 9.8 as an upper bound when prioritizing rather than as evidence of remote exploitability.