Nafiez

Interested in x86 Reverse Engineering and Vulnerability Research.

(0-Day) Kyrol Internet Security (2015) - Multiple Vulnerability

19 Nov 2019 » security, vulnerability

Description

Kyrol Internet Security (2015) is an antivirus product made in Malaysia. The product covers most of the basic antivirus features, including a scanning engine, database updates and a few other things. In this writeup I will reveal a few security issues found in the product:

- Insecure (Transport Protocol) Log Upload Policies lead to Information Disclosure
- Insecure Folder Permission that leads to Elevation of Privilege (Arbitrary File Write / Creation)
- APC Injection

Technical Analysis

First issue: Kyrol Internet Security's log upload policy uses an insecure transport protocol, sending information in plaintext. The global update is also found to be transmitted in plaintext. An attacker could set up a MITM or a fake server and tap into the information sent in the traffic. On further analysis, there is no checking on the information uploaded to its centralized server.

Upload target set to localhost (127.0.0.1) on port 4000: (screenshot)

Using Python to run a simple server and capture the traffic sent by the AV: (screenshot)

Second issue: an insecure folder permission that leads to Elevation of Privilege (EoP). The KIS quarantine folder was found to lack a Discretionary Access Control List (DACL). This allows malicious activity in the quarantine folder, e.g. malware can be written to that location and run from the same path, or a junction to the SYSTEM folder can be created so that an arbitrary file write lands in the SYSTEM folder.

The permissions set on the folder allow us to write: (screenshot)

Creating a junction to the SYSTEM folder: by the time the AV detects a malware sample, it creates the quarantine file through the junction, which means it creates a file in the SYSTEM folder under the user's control. The other way is to create a fake file based on the quarantine filename and have it dropped in the SYSTEM folder. On an old Windows 10 build, Diaghub can be leveraged to load the created file. (screenshot)
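One way to check a quarantine folder for the two conditions described above, a DACL that grants write access to low-privilege identities and junctions already planted inside it. This is an added example written for this post, not the vendor's or the author's code; the quarantine path is a placeholder because the post does not name the real one.

```powershell
# Added example for this post (not the vendor's or the author's code): audit a
# folder's DACL for write access granted to low-privilege identities and list
# any junctions or symlinks already inside it. The quarantine path is a
# placeholder; the post does not give the real one.
$QuarantinePath = 'C:\ProgramData\KYROL_QUARANTINE_PLACEHOLDER'

# Identities any unprivileged local user can act as.
$BroadIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller create or replace files in the folder.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, CreateFiles, CreateDirectories'

function Test-WeakFolderDacl {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    $weakAces = foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $who = $rule.IdentityReference.Value
        if ($BroadIdentities -notcontains $who) { continue }
        if (($rule.FileSystemRights -band $WriteRights) -eq 0) { continue }
        [pscustomobject]@{
            Identity  = $who
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }

    # A service that writes quarantine files through a junction here ends up
    # writing into whatever directory the junction points to.
    $reparse = Get-ChildItem -LiteralPath $Path -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Path          = $Path
        WeakAces      = @($weakAces)
        ReparsePoints = @($reparse | ForEach-Object FullName)
        Vulnerable    = (@($weakAces).Count -gt 0)
    }
}

Test-WeakFolderDacl -Path $QuarantinePath | Format-List
```

A Vulnerable result on a folder that a SYSTEM service writes into is exactly the condition the post describes; the fix is a DACL that grants write access only to SYSTEM and Administrators, plus rejecting reparse points when the service opens quarantine paths.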

Third issue is process tampering of its own process: KIS was found to fail to protect its own process. In this case, I used the Asynchronous Procedure Call (APC) injection technique to tamper with the main program's process. An Asynchronous Procedure Call is basically a function that is set to execute (asynchronously) within the context of a specified thread. Example of APC implementation:

// Fragment of the injector: walk the thread snapshot, and for every thread
// owned by the target process (pid) queue the payload at lpBaseAddress
// (already placed in the target) as a user-mode APC. The APC runs when the
// thread next enters an alertable wait.
while (Thread32Next(hSnapshot, &te32))
{
    if (te32.th32OwnerProcessID == pid)
    {
        printf("[+] Found thread in target process\r\n");
        HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, te32.th32ThreadID);
        tid = te32.th32ThreadID;
        if (!hThread)
        {
            printf("[-] Couldn't open thread %lu, trying next one...\r\n", te32.th32ThreadID);
            continue;
        }
        printf("[+] Thread handle: 0x%Ix\r\n", (SIZE_T)hThread);
        if (!QueueUserAPC((PAPCFUNC)lpBaseAddress, hThread, NULL))
        {
            printf("[-] QueueUserAPC error, trying next thread...\r\n");
        }
        else
        {
            printf("[+] Shellcode injected via QueueUserAPC\r\n");
        }
        CloseHandle(hThread);
    }
}

Our test case uses KISGUI.exe as the injection target. A successful injection kills KISGUI.exe and executes CMD.exe. KISGUI crashed: (screenshot)

Executes CMD.exe from the installation folder: (screenshot)

Parent process from KISGUI: (screenshot)

Disclosure timeline

2019-01-02 - Reported to Kyrol Labs (via email).
2019-01-04 - Vendor acknowledged, but they seemed to be confused about what is happening.
2019-04-18 - Asked for an update; they said to give another 2 weeks.
2019-04-18 - NACSA steps in (Thanks Abu!). Video conferencing with NACSA (twice!).
2019-07-03 - Second meeting with NACSA and vendor. Vendor told us they will come up with a new product by October 2019.
2019-09-01 - Third meeting with NACSA and vendor (before we presented at POC in Korea). Kyrol couldn't release the new product at that time. Considering it a 0-day!
2019-11-07 - We presented our findings at the POC conference in Korea.
2019-11-19 - Full disclosure. Will look forward to requesting CVEs for this :)

Sign off for now. Happy Hacking!