Severity: High

  • Zemana AntiMalware (zamguard64.sys, zamguard32.sys) v. <= 3.2.28
  • Zemana AntiLogger (zam64.sys, zam32.sys) v. <= 2.74.204.664

are affected by an Incorrect Access Control vulnerability where IOCTL 0x8000204C allows a non-privileged user to open a handle to any privileged process running on the machine. A non-privileged user can open a handle to the \\.\ZemanaAntiMalware device, register with the driver using IOCTL 0x80002010, and then send IOCTL 0x8000204C to obtain a handle to any privileged process. Attackers could exploit this issue by injecting arbitrary code into the privileged process to achieve local privilege escalation in the context of NT AUTHORITY\SYSTEM.
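
To find exposed hosts, the following added example (not part of the original advisory) triages a driver inventory against the file names and version ceilings listed above. It assumes the inventory's version field is the product version the advisory refers to; the function names, verdict labels, hosts, paths and versions in the sample are constructed.

```python
# Added example: triage a driver inventory against this advisory.
# Driver file names and version ceilings are copied from the advisory text.
AFFECTED = {
    "zamguard64.sys": ("Zemana AntiMalware", (3, 2, 28)),
    "zamguard32.sys": ("Zemana AntiMalware", (3, 2, 28)),
    "zam64.sys": ("Zemana AntiLogger", (2, 74, 204, 664)),
    "zam32.sys": ("Zemana AntiLogger", (2, 74, 204, 664)),
}

def parse_version(text):
    """Return a tuple of ints, or None if the value is not dotted-numeric."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except (ValueError, AttributeError):
        return None

def pad(version, length):
    """Right-pad with zeros so 3.2.28 and 3.2.28.0 compare as equal."""
    return version + (0,) * (length - len(version))

def classify(driver_path, version_text):
    """Return 'affected', 'above_range', 'unknown_version' or 'not_listed'."""
    # File-name match is case-insensitive, as on Windows file systems.
    name = driver_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name not in AFFECTED:
        return "not_listed"
    ceiling = AFFECTED[name][1]
    version = parse_version(version_text)
    if version is None:
        return "unknown_version"  # needs manual review, do not assume safe
    width = max(len(version), len(ceiling))
    affected = pad(version, width) <= pad(ceiling, width)
    return "affected" if affected else "above_range"

# Constructed inventory rows (host, driver path, product version); not real data.
SAMPLE = [
    ("ws-01", r"C:\Windows\System32\drivers\zamguard64.sys", "3.2.28"),
    ("ws-02", r"C:\Windows\System32\drivers\ZAM64.SYS", "2.74.204.150"),
    ("ws-03", r"C:\Windows\System32\drivers\zamguard64.sys", "3.2.29.0"),
    ("ws-04", r"C:\Windows\System32\drivers\zam32.sys", ""),
    ("ws-05", r"C:\Windows\System32\drivers\ntfs.sys", "10.0.19041.1"),
]

def triage(rows):
    return {host: classify(path, version) for host, path, version in rows}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(host, verdict)
```

"above_range" means only that the version is higher than the range this advisory lists, not that the build has been confirmed fixed.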