A serious privilege escalation vulnerability in K7 Ultimate Security, an antivirus product from K7 Computing, stems from named pipes with overly permissive access control lists.
The flaw lets low-privileged users manipulate registry settings and gain SYSTEM-level access without triggering UAC prompts, and it prompted multiple patch attempts that researchers bypassed.
The issue surfaced during an investigation by Quarkslab security researcher Lucas Laise, who uncovered an unrelated denial-of-service vulnerability, CVE-2024-36424, affecting K7RKScan.sys in versions before 17.0.2019.
Initial testing on version 17.0.2045 showed that non-admin users had limited functionality, including no way to modify the configuration without elevation.
Administrators could enable "non-admin users can change settings and disable protection" without a UAC prompt, which hinted at flaws in the product's inter-process communication. Tools like PipeViewer identified SYSTEM-owned named pipes, including \\.\pipe\K7MailProxyV1 with full permissions for everyone and \\.\pipe\K7TSMngrService1, which K7TSMain.exe uses to request registry modifications.
IoNinja captures confirmed that binary payloads are sent to K7TSMngrService1 when a setting is changed, and Procmon verified that the resulting registry writes execute in the SYSTEM context. This communication path became the exploitation vector: a low-privileged process could send requests indistinguishable from those of the legitimate client.

Replaying the captured packets from PowerShell allowed arbitrary configuration tampering from a low-privileged account, such as disabling real-time scans or whitelisting malware.
Further refinement targeted the registry key AdminNonAdminIsValid: changing a single length byte (0xB9 to 0xB8) allowed arbitrary value injection that evaded the service's validation.

For full local privilege escalation, the researchers abused Image File Execution Options (MITRE ATT&CK T1546.012) by setting a debugger on K7TSHlpr.exe, so that arbitrary code ran as SYSTEM whenever a fake update was triggered. The published script creates a batch file that adds a new admin user, triggers the update, and cleans up afterwards.
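Because the escalation step relies on a Debugger value under Image File Execution Options, a defender's first check is simply to enumerate those values. The script below is an added example, not code from the article or from Quarkslab; it assumes Windows PowerShell run with enough rights to read HKLM, and the "suspicious" heuristic (script hosts or user-writable paths in the Debugger value) is the author's own rule of thumb, not a K7- or Quarkslab-specified indicator.

```powershell
# Added example (not from the article): list IFEO Debugger entries, the
# mechanism behind T1546.012, on both the native and WOW6432Node hives.
function Get-IfeoDebuggerEntries {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        # Each subkey is named after an image (e.g. notepad.exe); a Debugger value
        # makes Windows launch that program instead, with the image as argument.
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{
                    Image      = $_.PSChildName
                    Debugger   = $dbg
                    Key        = $_.Name
                    # Heuristic (author's assumption): script hosts or user-writable
                    # locations in a Debugger value deserve a closer look. Legitimate
                    # entries (e.g. a vendor's JIT debugger) will also appear here.
                    Suspicious = ($dbg -match '(?i)cmd\.exe|powershell|wscript|cscript|\\Users\\|\\Temp\\|\\ProgramData\\')
                }
            }
        }
    }
}

# Print every entry; compare against a known-good baseline of the machine.
Get-IfeoDebuggerEntries | Format-Table -AutoSize
```

Run this periodically or on demand and diff the output against a baseline; a newly appeared Debugger value for a vendor's own service helper, as in the chain described above, is a high-signal finding. Sysmon records writes to these values as registry value-set events (Event ID 13), which gives the same coverage continuously rather than at scan time.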
K7 issued three patches. The first added caller validation on K7TSMngrService1, which was bypassed by manually mapping a DLL into k7tsmngr.exe. The second, delivered in K7Sentry.sys driver version 22.0.0.70, blocked injection into protected processes and was circumvented using renamed signed K7 binaries, such as K7QuervarCleaningTool.exe, that fall outside the protected-process list.
Root-cause analysis in IDA Pro showed that ValidatePipeClient checks the caller's installation path, MD5 hashes, and K7 signatures, and that K7Sentry consults a VDefProtectedProcs registry whitelist. Both bypasses relied on unsigned or relocated signed binaries, which evaded the pipe access check and the protection hooks alike; validating the caller's identity does not substitute for an ACL on the pipe itself.
Responsible disclosure spanned August to December 2025, with Quarkslab notifying K7 on August 25 and publishing on December 2 after bypass confirmations. K7 deferred full ACL enforcement to a future major release, acknowledging interim fixes.
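The root cause above is a pipe whose DACL lets any local user connect, with the vendor then trying to validate callers after the fact. The script below is an added example, not K7's or Quarkslab's code, of the fix the article says K7 deferred: putting the restriction in the pipe's security descriptor at creation time, and reading that descriptor back the way an audit would. It assumes Windows PowerShell 5.1 (.NET Framework, where PipeStream.GetAccessControl() and the NamedPipeServerStream constructor taking a PipeSecurity exist); the pipe names and the "risky principal" list are constructed for the demonstration.

```powershell
# Added example (not the product's code): a named pipe whose DACL, rather than a
# caller-identity check, decides who may talk to it, next to the permissive
# pattern the article describes. Requires Windows PowerShell 5.1 / .NET Framework.
Add-Type -AssemblyName System.Core   # System.IO.Pipes in .NET Framework

function New-PipeDacl {
    param(
        [string[]] $AllowedIdentities = @(),
        [switch]   $Weak   # constructed "before" state: Everyone gets FullControl
    )
    $sec = New-Object System.IO.Pipes.PipeSecurity
    if ($Weak) {
        # The vulnerable pattern: any local user can open and write to the pipe.
        $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule('Everyone', 'FullControl', 'Allow')))
        return $sec
    }
    # Hardened: explicit Allow ACEs only for the service account and the intended
    # client; with no ACE for Everyone/Users, other principals get no access.
    # Synchronize is included because a GENERIC_READ/WRITE open requests it.
    $rights = [System.IO.Pipes.PipeAccessRights]'ReadWrite, Synchronize'
    foreach ($id in $AllowedIdentities) {
        $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule($id, $rights, 'Allow')))
    }
    return $sec
}

function Get-PipeAccessSummary {
    param([Parameter(Mandatory)] [System.IO.Pipes.PipeStream] $Stream)
    # Works on a server stream we created, or on a NamedPipeClientStream that
    # has connected to an existing pipe, which is how an audit would read it.
    $sec   = $Stream.GetAccessControl()
    $rules = $sec.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    # Principals broad enough that write access means "any local user" (author's list).
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    foreach ($r in $rules) {
        [pscustomobject]@{
            Identity = $r.IdentityReference.Value
            Rights   = $r.PipeAccessRights
            Type     = $r.AccessControlType
            # The condition from the article: a broad principal allowed to write.
            Risky    = ($r.AccessControlType -eq 'Allow') -and
                       ($r.IdentityReference.Value -in $broad) -and
                       (($r.PipeAccessRights -band [System.IO.Pipes.PipeAccessRights]::WriteData) -ne 0)
        }
    }
}

# Placeholder names; not the product's pipes.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$dir  = [System.IO.Pipes.PipeDirection]::InOut
$mode = [System.IO.Pipes.PipeTransmissionMode]::Byte
$opts = [System.IO.Pipes.PipeOptions]::None

$weak = New-Object System.IO.Pipes.NamedPipeServerStream(
    'ExamplePipeWeak', $dir, 1, $mode, $opts, 4096, 4096, (New-PipeDacl -Weak))
$hard = New-Object System.IO.Pipes.NamedPipeServerStream(
    'ExamplePipeHardened', $dir, 1, $mode, $opts, 4096, 4096,
    (New-PipeDacl -AllowedIdentities 'NT AUTHORITY\SYSTEM', $me))

'--- weak DACL (the vulnerable pattern) ---'
Get-PipeAccessSummary -Stream $weak | Format-Table -AutoSize
'--- hardened DACL ---'
Get-PipeAccessSummary -Stream $hard | Format-Table -AutoSize

$weak.Dispose(); $hard.Dispose()
```

The weak pipe reports a single Everyone/FullControl rule flagged Risky; the hardened one lists only the two allowed identities, and a process running as any other user fails at open time, before any message reaches the service's parser. That is the property the path, hash and signature checks in ValidatePipeClient could not provide, since they run after the untrusted client already holds a handle. On PowerShell 7 / .NET (Core) the same DACL is applied through NamedPipeServerStreamAcl.Create and read through the System.IO.Pipes.AccessControl extension methods instead.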
Users should update to the latest versions and monitor for comprehensive remediation. Exploit scripts are available on the Quarkslab blog for defensive analysis.
