VAR-201412-0060
Vulnerability from variot - Updated: 2025-04-13 23:29Heap-based buffer overflow in the K7FWFilt.sys kernel mode driver (aka K7Firewall Packet Driver) before 14.0.1.16, as used in multiple K7 Computing products, allows local users to execute arbitrary code with kernel privileges via a crafted parameter in a DeviceIoControl API call. K7 Computing K7FWFilt.sys device driver is prone to a local code-execution vulnerability. Failed exploit attempts will likely result in denial-of-service conditions. K7FWFilt.sys 11.0.1.5 and prior are vulnerable. Successful exploitation of this bug results in vertical privilege escalation.
Technical Details:
The function handling IOCTL 0x830020C4 does not validate the size of the output buffer parameter passed in the DeviceIoControl API, which leads to a heap overflow on buffer data initialization. In particular, the function assumes that the output buffer has a size of 0x22C4 bytes. By declaring a smaller buffer we are able to overwrite other data and kernel objects that might follow and potentially control the execution flow via a corrupted kernel object.
ba31cb06 8b7d14 mov edi,dword ptr [ebp+14h] <--- EDI == allocated buffer ba31cb09 ff7514 push dword ptr [ebp+14h] ba31cb0c b9b1080000 mov ecx,8B1h <--- assume buffer size 0x8b1 * 4 ba31cb11 33c0 xor eax,eax <--- zero out EAX ba31cb13 f3ab rep stos dword ptr es:[edi] <--- Heap Overflow
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7136/
Copyright: Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer: The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
This email originates from the systems of Portcullis
Computer Security Limited, a Private limited company,
registered in England in accordance with the Companies
Act under number 02763799. The registered office
address of Portcullis Computer Security Limited is:
Portcullis House, 2 Century Court, Tolpits Lane, Watford,
United Kingdom, WD18 9RS.
The information in this email is confidential and may be
legally privileged. It is intended solely for the addressee.
Any opinions expressed are those of the individual and
do not represent the opinion of the organisation. Access
to this email by persons other than the intended recipient
is strictly prohibited.
If you are not the intended recipient, any disclosure,
copying, distribution or other action taken or omitted to be
taken in reliance on it, is prohibited and may be unlawful.
When addressed to our clients any opinions or advice
contained in this email is subject to the terms and
conditions expressed in the applicable Portcullis Computer
Security Limited terms of business.
This e-mail message has been scanned for Viruses and Content and cleared by MailMarshal.
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201412-0060",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "k7firewall packet driver",
"scope": "lte",
"trust": 1.0,
"vendor": "k7computing",
"version": "14.0.1.15"
},
{
"model": "k7firewall packet driver",
"scope": "lt",
"trust": 0.8,
"vendor": "k7 computing",
"version": "14.0.1.16"
},
{
"model": "k7firewall packet driver",
"scope": "eq",
"trust": 0.6,
"vendor": "k7computing",
"version": "14.0.1.15"
},
{
"model": "computing pvt ltd k7fwfilt.sys",
"scope": "eq",
"trust": 0.3,
"vendor": "k7",
"version": "11.0"
},
{
"model": "computing pvt ltd k7fwfilt.sys",
"scope": "eq",
"trust": 0.3,
"vendor": "k7",
"version": "11.0.1.5"
},
{
"model": "computing pvt ltd k7fwfilt.sys",
"scope": "ne",
"trust": 0.3,
"vendor": "k7",
"version": "14.0.1.16"
}
],
"sources": [
{
"db": "BID",
"id": "71611"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005989"
},
{
"db": "CNNVD",
"id": "CNNVD-201412-320"
},
{
"db": "NVD",
"id": "CVE-2014-7136"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:k7computing:k7firewall_packet_driver",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-005989"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kyriakos Economou",
"sources": [
{
"db": "BID",
"id": "71611"
},
{
"db": "PACKETSTORM",
"id": "129474"
}
],
"trust": 0.4
},
"cve": "CVE-2014-7136",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CVE-2014-7136",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "VHN-75080",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:L/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2014-7136",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2014-7136",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-201412-320",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-75080",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-75080"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005989"
},
{
"db": "CNNVD",
"id": "CNNVD-201412-320"
},
{
"db": "NVD",
"id": "CVE-2014-7136"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Heap-based buffer overflow in the K7FWFilt.sys kernel mode driver (aka K7Firewall Packet Driver) before 14.0.1.16, as used in multiple K7 Computing products, allows local users to execute arbitrary code with kernel privileges via a crafted parameter in a DeviceIoControl API call. K7 Computing K7FWFilt.sys device driver is prone to a local code-execution vulnerability. Failed exploit attempts will likely result in denial-of-service conditions. \nK7FWFilt.sys 11.0.1.5 and prior are vulnerable. Successful exploitation of this bug results in vertical privilege escalation. \n\nTechnical Details:\n\nThe function handling IOCTL 0x830020C4 does not validate the size of the output buffer parameter passed in the DeviceIoControl API, which leads to a heap overflow on buffer data initialization. In particular, the function assumes that the output buffer has a size of 0x22C4 bytes. By declaring a smaller buffer we are able to overwrite other data and kernel objects that might follow and potentially control the execution flow via a corrupted kernel object. \n\nba31cb06 8b7d14 mov edi,dword ptr [ebp+14h] \u003c--- EDI == allocated buffer\nba31cb09 ff7514 push dword ptr [ebp+14h]\nba31cb0c b9b1080000 mov ecx,8B1h \u003c--- assume buffer size 0x8b1 * 4\nba31cb11 33c0 xor eax,eax \u003c--- zero out EAX\nba31cb13 f3ab rep stos dword ptr es:[edi] \u003c--- Heap Overflow\n\nFurther details at:\n\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7136/\n\nCopyright:\nCopyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited. \n\nDisclaimer:\nThe information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user\u0027s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information. \n\n\n###############################################################\nThis email originates from the systems of Portcullis\nComputer Security Limited, a Private limited company, \nregistered in England in accordance with the Companies \nAct under number 02763799. The registered office \naddress of Portcullis Computer Security Limited is: \nPortcullis House, 2 Century Court, Tolpits Lane, Watford, \nUnited Kingdom, WD18 9RS. \nThe information in this email is confidential and may be \nlegally privileged. It is intended solely for the addressee. \nAny opinions expressed are those of the individual and \ndo not represent the opinion of the organisation. Access \nto this email by persons other than the intended recipient \nis strictly prohibited. \nIf you are not the intended recipient, any disclosure, \ncopying, distribution or other action taken or omitted to be \ntaken in reliance on it, is prohibited and may be unlawful. \nWhen addressed to our clients any opinions or advice \ncontained in this email is subject to the terms and \nconditions expressed in the applicable Portcullis Computer \nSecurity Limited terms of business. \n###############################################################\n\n#####################################################################################\nThis e-mail message has been scanned for Viruses and Content and cleared \nby MailMarshal. \n#####################################################################################\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2014-7136"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005989"
},
{
"db": "BID",
"id": "71611"
},
{
"db": "VULHUB",
"id": "VHN-75080"
},
{
"db": "PACKETSTORM",
"id": "129474"
}
],
"trust": 2.07
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-75080",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-75080"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2014-7136",
"trust": 2.9
},
{
"db": "PACKETSTORM",
"id": "129474",
"trust": 1.8
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005989",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201412-320",
"trust": 0.7
},
{
"db": "BID",
"id": "71611",
"trust": 0.4
},
{
"db": "VULHUB",
"id": "VHN-75080",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-75080"
},
{
"db": "BID",
"id": "71611"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005989"
},
{
"db": "PACKETSTORM",
"id": "129474"
},
{
"db": "CNNVD",
"id": "CNNVD-201412-320"
},
{
"db": "NVD",
"id": "CVE-2014-7136"
}
]
},
"id": "VAR-201412-0060",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-75080"
}
],
"trust": 0.01
},
"last_update_date": "2025-04-13T23:29:40.393000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.k7computing.com/en/consumer.php"
},
{
"title": "setup-eng-ts",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52999"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-005989"
},
{
"db": "CNNVD",
"id": "CNNVD-201412-320"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-75080"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005989"
},
{
"db": "NVD",
"id": "CVE-2014-7136"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.9,
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7136/"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2014/dec/47"
},
{
"trust": 1.7,
"url": "http://packetstormsecurity.com/files/129474/k7-computing-multiple-products-k7fwfilt.sys-privilege-escalation.html"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-7136"
},
{
"trust": 0.8,
"url": "https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-7136"
},
{
"trust": 0.3,
"url": "http://www.k7computing.com/en/product/k7-antivirusplus.php"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-7136"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-75080"
},
{
"db": "BID",
"id": "71611"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005989"
},
{
"db": "PACKETSTORM",
"id": "129474"
},
{
"db": "CNNVD",
"id": "CNNVD-201412-320"
},
{
"db": "NVD",
"id": "CVE-2014-7136"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-75080"
},
{
"db": "BID",
"id": "71611"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005989"
},
{
"db": "PACKETSTORM",
"id": "129474"
},
{
"db": "CNNVD",
"id": "CNNVD-201412-320"
},
{
"db": "NVD",
"id": "CVE-2014-7136"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-12-12T00:00:00",
"db": "VULHUB",
"id": "VHN-75080"
},
{
"date": "2014-12-05T00:00:00",
"db": "BID",
"id": "71611"
},
{
"date": "2014-12-16T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-005989"
},
{
"date": "2014-12-10T20:32:22",
"db": "PACKETSTORM",
"id": "129474"
},
{
"date": "2014-12-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201412-320"
},
{
"date": "2014-12-12T15:59:07.073000",
"db": "NVD",
"id": "CVE-2014-7136"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-12-15T00:00:00",
"db": "VULHUB",
"id": "VHN-75080"
},
{
"date": "2014-12-05T00:00:00",
"db": "BID",
"id": "71611"
},
{
"date": "2014-12-16T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-005989"
},
{
"date": "2014-12-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201412-320"
},
{
"date": "2025-04-12T10:46:40.837000",
"db": "NVD",
"id": "CVE-2014-7136"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "BID",
"id": "71611"
},
{
"db": "CNNVD",
"id": "CNNVD-201412-320"
}
],
"trust": 0.9
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural K7 Computing Used in products K7FWFilt.sys Heap-based buffer overflow vulnerability in kernel mode driver",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-005989"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer overflow",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201412-320"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…