Souhail Hammou

**Name of the Vulnerable Software and Affected Versions** Windows LUAFV (versões afetadas não especificadas) **Description** Uma condição de corrida do tipo time-of-check time-of-use (toctou) ocorre no Windows LUAFV. Isso permite que um invasor autorizado eleve privilégios localmente. Uma condição de corrida é uma situação em que o comportamento do sistema depende da sequência ou do tempo de eventos incontroláveis. **Recommendations** No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** Applocker Filter Driver (applockerfltr.sys) (versões afetadas não especificadas) **Description** Uma condição de corrida ocorre no Applocker Filter Driver (applockerfltr.sys) devido à execução concorrente usando um recurso compartilhado com sincronização inadequada. Isso permite que um invasor autorizado eleve privilégios localmente. Uma condição de corrida é uma situação em que o comportamento substantivo do sistema depende da sequência ou do tempo de outros eventos incontroláveis. **Recommendations** No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** Windows (affected versions not specified) **Description** A flaw exists in Windows Performance Counters related to pointer dereferencing. Successful exploitation could allow an attacker to gain elevated privileges. The issue involves a null pointer dereference, potentially allowing a local attacker to elevate their privileges. Approximately an estimated number of potentially affected devices worldwide is not available. No real-world incidents have been reported. The vulnerability affects the `Performance Counters` component of the operating system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Nome do Software Vulnerável e Versões Afetadas** Versões do Windows (versões afetadas não especificadas) **Descrição** Existe uma condição de uso após a liberação no Driver de Função Auxiliar do Windows para WinSock, especificamente no arquivo `afd.sys`. Este problema permite que um atacante autorizado eleve privilégios localmente. A vulnerabilidade está relacionada à gestão de memória e ocorre quando a memória é acessada após ter sido liberada. A exploração deste problema pode permitir que um atacante afete o sistema. A pesquisa indica que a vulnerabilidade foi descoberta por meio da exploração dos internos de conclusão de E/S do Windows. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** Comodo Antivirus version 12.0.0.6870 **Description** A use-after-free flaw in the sandbox container implemented in cmdguard.sys can be triggered due to a race condition when handling IRP MJ CLEANUP requests in the minifilter for directory change notifications. This allows an attacker to cause a denial of service (BSOD) when an executable is run inside the container. **Recommendations** For Comodo Antivirus version 12.0.0.6870, consider disabling the sandbox container feature until a patch is available to prevent potential denial of service attacks.

**Name of the Vulnerable Software and Affected Versions** Panda Antivirus versions prior to 18.07.03 Panda Antivirus Pro versions prior to 18.07.03 Panda Dome versions prior to 18.07.03 Panda Global Protection versions prior to 18.07.03 Panda Gold Protection versions prior to 18.07.03 Panda Internet Security versions prior to 18.07.03 **Description** The issue is related to insecure permissions in Panda products, specifically with the section object `GlobalPandaDevicesAgentSharedMemory` and the event `GlobalPandaDevicesAgentSharedMemoryChange`. This allows attackers to queue an event to the system service `AgentSvc.exe`, leading to privilege escalation when the `CmdLineExecute` event is queued. **Recommendations** For Panda Antivirus versions prior to 18.07.03, update to version 18.07.03 or later. For Panda Antivirus Pro versions prior to 18.07.03, update to version 18.07.03 or later. For Panda Dome versions prior to 18.07.03, update to version 18.07.03 or later. For Panda Global Protection versions prior to 18.07.03, update to version 18.07.03 or later. For Panda Gold Protection versions prior to 18.07.03, update to version 18.07.03 or later. For Panda Internet Security versions prior to 18.07.03, update to version 18.07.03 or later.

**Name of the Vulnerable Software and Affected Versions** Alps Pointing-device Driver version 10.1.101.207 **Description** An issue in the Alps Pointing-device Driver allows the current user to map and write to the `ApMsgFwd File Mapping Object` section. The `ApMsgFwd.exe` uses the data written to this section as arguments to functions, which can cause a denial of service condition when invalid pointers are written to the mapped section. This driver has been used with various devices, including Dell, ThinkPad, and VAIO. **Recommendations** For Alps Pointing-device Driver version 10.1.101.207, consider restricting access to the `ApMsgFwd File Mapping Object` section to prevent unauthorized writes. As a temporary workaround, avoid using the `ApMsgFwd.exe` until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Armadito version 0.12.7.2 **Description** An issue in the Armadito windows driver allows malware with filenames containing pure UTF-16 characters to bypass detection. The user-mode service fails to open the file for scanning after converting Unicode to ANSI, as characters that cannot be converted are replaced with '?' characters. **Recommendations** For Armadito version 0.12.7.2, consider implementing a workaround to handle filenames with UTF-16 characters properly, such as manually checking for malware in files that fail to open for scanning, until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MalwareFox AntiMalware version 2.74.0.150 **Description** The issue is related to improper access control in the zam32.sys and zam64.sys drivers, which allows a non-privileged process to elevate privileges. This can be achieved by sending specific IOCTL commands, such as `IOCTL 0x80002010` and `IOCTL 0x8000204C`, to the `.ZemanaAntiMalware` endpoint. There is also a mention of exploiting this issue using a VBA/Word document, but details are not provided. **Recommendations** For MalwareFox AntiMalware version 2.74.0.150, consider restricting access to the zam32.sys and zam64.sys drivers to prevent non-privileged processes from registering themselves and elevating privileges. Avoid using the `IOCTL 0x80002010` and `IOCTL 0x8000204C` commands to the `.ZemanaAntiMalware` endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** MalwareFox AntiMalware version 2.74.0.150 **Description** An issue was discovered that allows improper access control due to a vulnerability in the zam32.sys and zam64.sys drivers. A non-privileged process can exploit this by connecting to the filter communication port and then using IOCTL 0x8000204C to elevate privileges. **Recommendations** For MalwareFox AntiMalware version 2.74.0.150, consider restricting access to the zam32.sys and zam64.sys drivers as a temporary workaround until a patch is available. Avoid using IOCTL 0x8000204C in the `.ZemanaAntiMalware` endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Huawei UTPS version 1.0 **Description** A buffer overflow issue exists in the back-end component due to a long `IDS PLUGIN NAME` string in a plug-in configuration file, allowing local users to gain privileges. **Recommendations** For Huawei UTPS version 1.0, consider restricting access to the plug-in configuration file to prevent exploitation of the buffer overflow issue until a fix is available. As a temporary workaround, limit the length of the `IDS PLUGIN NAME` string in the plug-in configuration file to prevent buffer overflow.