ThreatFire System Monitor Privilege Escalation Vulnerability via Insecure IOCTL

Vulnerability

A vulnerability in the ThreatFire System Monitor kernel driver, version 4.7.0.53, allows a local attacker to escalate privileges and execute arbitrary commands. The root cause is incorrect access control on a device IOCTL: the driver does not restrict who may send the request, so a low-privileged user can instruct it to terminate a process of their choosing, and the driver carries out the termination in kernel mode. Because the kill happens in kernel context, the protections that would stop a user-mode caller (the target's DACL, integrity level and protected-process status) do not apply. The primitive is sufficient to kill anti-malware and endpoint detection and response (EDR) agents, giving a local EDR bypass and a denial-of-service condition.

Impact

Exploitation of this vulnerability allows a low-privileged local user to terminate arbitrary processes with kernel privileges, disrupting critical system functions and disabling security tooling that relies on process protection to stay alive.

Reproduction

The vulnerability can be reproduced by opening the affected driver's device object and sending it the insecure IOCTL that lacks proper access control. A low-privileged user can do this because the device object itself is accessible to unprivileged callers. The driver then terminates the requested process with kernel-mode privileges, including processes protected by the Protected Process Light (PPL) feature, which only blocks termination attempts made from user mode.
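The practical question for a defender is whether the affected driver is loaded on a host, which version it is, and who signed it, so that it can be removed or blocked. The PowerShell script below is an added example, not part of the advisory: it enumerates kernel-mode driver services, matches them by name or image path, reads the file version from the image and flags 4.7.0.53. The match string `ThreatFire` is an assumption, since the advisory does not give the driver's file or service name; adjust it to what your inventory shows.

```powershell
# Added example (not from the advisory): find the ThreatFire System Monitor
# driver on this host and flag the affected version 4.7.0.53.
# Assumption: the driver's service name, display name or image path contains
# "ThreatFire". The advisory does not state the actual file name.
$affected = [version]'4.7.0.53'
$pattern  = 'ThreatFire'

function Resolve-DriverPath([string]$rawPath) {
    # Win32_SystemDriver.PathName is an NT-style path such as
    # \??\C:\Windows\System32\drivers\foo.sys or \SystemRoot\System32\drivers\foo.sys.
    $p = $rawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p.TrimStart('\') }
    return $p
}

$findings = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object {
        $_.Name -match $pattern -or $_.DisplayName -match $pattern -or $_.PathName -match $pattern
    } |
    ForEach-Object {
        $path    = Resolve-DriverPath $_.PathName
        $version = $null
        $signer  = $null
        if (Test-Path -LiteralPath $path) {
            $vi = (Get-Item -LiteralPath $path).VersionInfo
            # Use the numeric parts; FileVersion strings sometimes carry extra text.
            $version = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                      $vi.FileBuildPart, $vi.FilePrivatePart)
            # Signer subject is what you need for a WDAC/ASR blocklist entry.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Service   = $_.Name
            State     = $_.State        # Running means the IOCTL surface is reachable now
            StartMode = $_.StartMode
            Path      = $path
            Version   = $version
            Signer    = $signer
            Affected  = ($version -ne $null -and $version -eq $affected)
        }
    }

if (-not $findings) {
    Write-Output "No driver matching '$pattern' registered on $env:COMPUTERNAME."
} else {
    $findings | Format-Table -AutoSize
    $findings | Where-Object Affected | ForEach-Object {
        Write-Warning "$($_.Service) at $($_.Path) is version $affected (affected). Consider stopping and removing it."
    }
}
```

Run it elevated so that driver image paths under `System32\drivers` are readable. A hit on a host that never had ThreatFire installed deserves its own investigation: a signed driver with a kernel-mode kill primitive is also useful to an attacker who brings it along to a machine, so the check is worth running fleet-wide rather than only on known ThreatFire installs.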

Added: Oct 29, 2025, 3:19 PM
Updated: Oct 29, 2025, 3:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 3.6
remediation: 0.0
relevance: 0.8
threat: 1.6
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.