CVE-2018-5701
Published 2018-01-31 · CVE-2018-5701: In Iolo System Shield AntiVirus and AntiSpyware 5.0.0.136, the amp.sys driver file contains an Arbitrary Write vulnerability due to not validating input values…
Priority P262 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 18.45% (96.9th percentile)
In Iolo System Shield AntiVirus and AntiSpyware 5.0.0.136, the amp.sys driver file contains an Arbitrary Write vulnerability due to not validating input values from IOCtl 0x00226003.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| iolo | system_shield | — | — |
Detection & IOCs (extracted from sources)
- Command: `DeviceIoControl(hDevice, 0x00226003, inbuffer1, sizeof(inbuffer1), NULL, 0, &dwRetBytes, NULL);`
- Command: `NTSTATUS status = DeviceIoControl(deviceHandle, 0x226003, inputBuffer, inputBufferSize, NULL, NULL, (LPDWORD)&bytesReturned, (LPOVERLAPPED)NULL);`
- Monitor for processes opening a handle to the `\\.\amp` or `\\.\AMP` device object: this is the attack surface exposed by the vulnerable amp.sys driver.
- Alert on DeviceIoControl calls to IOCTL code 0x00226003 (or 0x226003) targeting the amp device; this is the specific control code exploited for the arbitrary write primitive.
- Detect unexpected writes to `HKLM\SYSTEM\CurrentControlSet\services\msiserver\ImagePath` by non-SYSTEM/non-admin processes, which is the post-exploitation persistence step used by the exploit.
- Flag execution of msiexec.exe with the `/i poc.msi /quiet` arguments spawned from a low-privileged process, indicating the exploit's privilege escalation trigger step.
- Detect low-privileged processes calling SetNamedSecurityInfo to take ownership of `HKLM\SYSTEM\CurrentControlSet\services\msiserver`, a key indicator of the exploit's privilege escalation chain.
- The exploit targets _SEP_TOKEN_PRIVILEGES at a fixed offset of 0x40 from the token address; kernel integrity monitoring for token privilege field modifications can detect this technique.
- Note: the original exploit (EDB-43929) was tested only on 64-bit Windows 7 and Windows 10 (1709); the _SEP_TOKEN_PRIVILEGES offset of 0x40 may differ on other OS versions, affecting exploit reliability.
- Note: at time of original disclosure (January 2018), no vendor fix was available; the vulnerability was 0day.
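The bullets above name the indicators but not how to evaluate them. The following is an added example (not code from this page or from either exploit author) that turns them into defender-side checks over constructed, Sysmon-like event records: the field names and the `ioctl` event type are assumptions, and an IOCTL event in particular presumes a telemetry source such as an EDR kernel sensor that records DeviceIoControl codes, which Sysmon alone does not. It also decodes the control code into its CTL_CODE fields, which shows the transfer method is METHOD_NEITHER, the mode in which the driver receives raw user-mode pointers and must validate them itself; that is exactly the validation the advisory says amp.sys omits.

```python
"""Defender-side checks for the CVE-2018-5701 detection bullets (added example).

The event records below are constructed and loosely modelled on Sysmon-style
fields; the field names and the 'ioctl' event type are assumptions, not the
schema of any real sensor.
"""
import re

# Indicators taken from the advisory text on this page.
AMP_DEVICE_RE = re.compile(r"\\\\\.\\amp", re.IGNORECASE)   # matches \\.\amp and \\.\AMP
VULN_IOCTL = 0x226003                                         # same value as 0x00226003
MSISERVER_KEY = r"HKLM\SYSTEM\CurrentControlSet\services\msiserver"
TRUSTED_USERS = {"nt authority\\system"}                      # constructed allow-list (lower-case)
LOW_PRIV_INTEGRITY = {"low", "medium"}                        # integrity levels below High

# CTL_CODE layout: DeviceType[31:16] | Access[15:14] | Function[13:2] | Method[1:0]
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]

def decode_ioctl(code):
    """Split an IOCTL into its CTL_CODE fields. METHOD_NEITHER means the I/O
    manager hands the driver raw user-mode pointers; the driver must probe and
    validate them itself, which is the check this CVE says is missing."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
    }

def classify(ev):
    """Return (stage, attributed_pid) for one event, or None if it is not suspicious."""
    t = ev["type"]
    if t == "handle_open" and AMP_DEVICE_RE.fullmatch(ev["target"]):
        return ("amp_handle_open", ev["pid"])
    if t == "ioctl" and AMP_DEVICE_RE.fullmatch(ev["device"]) and ev["code"] == VULN_IOCTL:
        return ("amp_vuln_ioctl", ev["pid"])
    if (t == "registry_set"
            and ev["key"].lower().startswith(MSISERVER_KEY.lower())
            and ev["user"].lower() not in TRUSTED_USERS):
        return ("msiserver_tamper_nonsystem", ev["pid"])
    if t == "process_create":
        args = ev["cmdline"].lower().split()
        if (ev["image"].lower().endswith("msiexec.exe")
                and "/i" in args and "/quiet" in args
                and ev["parent_integrity"].lower() in LOW_PRIV_INTEGRITY):
            # Attribute to the spawning process: it is the one driving the chain.
            return ("msiexec_quiet_from_lowpriv", ev["ppid"])
    return None

def evaluate(events):
    """All alerts, in event order."""
    return [a for a in (classify(ev) for ev in events) if a is not None]

def attack_chains(events, min_stages=2):
    """Group alerts by attributed pid. A pid that trips several distinct stages
    is a far stronger signal than any single indicator on its own."""
    stages = {}
    for stage, pid in evaluate(events):
        stages.setdefault(pid, set()).add(stage)
    return {pid: sorted(s) for pid, s in stages.items() if len(s) >= min_stages}

# Constructed sample telemetry: one escalation chain driven by pid 4242, plus two
# benign records (a SYSTEM service write and an unrelated, made-up IOCTL code).
SAMPLE_EVENTS = [
    {"type": "handle_open", "pid": 4242, "user": r"DESKTOP\alice", "target": r"\\.\amp"},
    {"type": "ioctl", "pid": 4242, "user": r"DESKTOP\alice", "device": r"\\.\AMP", "code": 0x00226003},
    {"type": "registry_set", "pid": 4242, "user": r"DESKTOP\alice",
     "key": MSISERVER_KEY + r"\ImagePath", "value": r"C:\Users\alice\payload.exe"},
    {"type": "process_create", "pid": 4300, "ppid": 4242, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i poc.msi /quiet", "parent_integrity": "Medium"},
    {"type": "registry_set", "pid": 800, "user": "NT AUTHORITY\\SYSTEM",
     "key": MSISERVER_KEY + r"\ImagePath", "value": r"%systemroot%\system32\msiexec.exe /V"},
    {"type": "ioctl", "pid": 1234, "user": "NT AUTHORITY\\SYSTEM", "device": r"\\.\amp", "code": 0x226007},
]

if __name__ == "__main__":
    print(decode_ioctl(VULN_IOCTL))
    for alert in evaluate(SAMPLE_EVENTS):
        print("ALERT", *alert)
    print("chains:", attack_chains(SAMPLE_EVENTS))
```

The per-event checks are deliberately simple; the value is in `attack_chains`, which attributes the msiexec launch back to its parent and only reports a pid once two or more stages line up, so a lone handle open by the legitimate product does not page anyone while the full handle, IOCTL, registry, msiexec sequence from one process does.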
CVSS provenance
- NVD · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
Exploit-DB: System Mechanic v15.5.0.61 - Arbitrary Read/Write
exploitdb · 2023-03-25 · CVSS 9.8 · CVE-2018-5701 [CRITICAL]
---
/*
# Exploit Title: System Mechanic v15.5.0.61 - Arbitrary Read/Write
# Date: 26-09-2022
# Exploit Author: Brandon Marshall
# Vendor Homepage: https://www.iolo.com/
# Tested Version - System Mechanic version 15.5.0.61
# Driver Version - 5.4.11 - amp.sys
# Tested on OS - 64 bit Windows 10 (18362)
# Fixed Version - System Mechanic 17.5.0.116
# CVE : CVE-2018-5701
*/
#include
#include
#include
#include
#pragma warning(disable:4996)
typedef struct _kernelDriverInformation {
char* imageName;
void* imageBase;
}kernelDriverInformation, * PKernelDriverInformation;
typedef struct _functionInformation {
char* functionName;
void* functionOffset;
void* functionBase;
}functionInformation, * PFunctionInformation;
void callDeviceIoControl(HAND
Exploit-DB: System Shield 5.0.0.136 - Privilege Escalation
exploitdb · 2018-01-30 · CVSS 9.8 · CVE-2018-5701 [CRITICAL]
---
/*
Exploit Title - System Shield AntiVirus & AntiSpyware Arbitrary Write Privilege Escalation
Date - 29th January 2018
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - http://www.iolo.com/
Tested Version - 5.0.0.136
Driver Version - 5.4.11.1 - amp.sys
Tested on OS - 64bit Windows 7 and Windows 10 (1709)
CVE ID - CVE-2018-5701
Vendor fix url -
Fixed Version - 0day
Fixed driver ver - 0day
Check blogpost for details:
https://www.greyhathacker.net/?p=1006
*/
#include
#include
#include
#pragma comment(lib,"advapi32.lib")
#define MSIEXECKEY "MACHINE\\SYSTEM\\CurrentControlSet\\services\\msiserver"
#define SystemHandleInformation 16
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)
typedef unsigned __int64 QWORD
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/146165/System-Shield-5.0.0.136-Privilege-Escalation.html
- https://www.exploit-db.com/exploits/43929/
- https://www.greyhathacker.net/?p=1006
Published: 2018-01-31