
Critical Vulnerability in K7 Antivirus: How a Regular User Can Gain SYSTEM Privileges
Cybersecurity experts have discovered a new vulnerability in K7 Computing’s K7 Ultimate Security product, leading to a major security issue. This flaw allows ordinary users with limited privileges to gain the highest level of operating system access — SYSTEM rights. Even more concerning, the process bypasses Windows’ UAC (User Account Control) protection.
The issue was found accidentally by security researcher Lucas Leiz (Quarkslab) during his analysis of another vulnerability — CVE-2024-36424 in the K7RKScan.sys driver, which caused a denial-of-service condition.
Root Cause: Misconfigured Named Pipes
During the investigation, researchers identified several SYSTEM-level named pipes used by K7 Security components for inter-process communication. The most dangerous aspect was that some of these pipes were created with excessively permissive access rights.
These include:
It turned out that regular, non-privileged users could open these pipes, send data through them, or replay communication packets without any restrictions. This opened the door to a highly dangerous exploitation chain.
A Regular User Can Execute Commands as SYSTEM
Monitoring with tools such as IoNinja and Procmon revealed that the K7TSMain.exe process modifies the Windows registry via the K7TSMngrService1 pipe while running with SYSTEM privileges.
The research proved that:
- When configuration settings are changed, the antivirus generates hidden binary payloads.
- These payloads are processed by a SYSTEM-level component.
- By replaying these packets, a low-privilege user can disable protection entirely or whitelist a malicious file.
Essentially, this acted as a hidden backdoor for bypassing the security boundary.
Deeper Exploitation: Code Execution as SYSTEM
Quarkslab researchers advanced their exploitation by achieving SYSTEM-level code execution using Windows’ Image File Execution Options (IFEO) mechanism. This technique is listed in MITRE ATT&CK as T1546.012.
They successfully achieved full local privilege escalation by:
- binding a fake debugger to the K7TSHlpr.exe binary,
- launching a spoofed update process,
- executing commands under SYSTEM privileges.
PowerShell scripts automating the entire exploitation flow were also published for defensive analysis.
K7 Patches and Their Bypass Techniques
K7 Computing released three sequential patches to address the vulnerability.
1st Patch:
A pipe client validation mechanism was added.
However, it was bypassed: researchers manually loaded a DLL into the k7tsmngr.exe process and gained access to the TS service.
2nd Patch:
A new version of the K7Sentry.sys driver (22.0.0.70) was introduced, blocking DLL injection into protected processes.
This was also bypassed: researchers used other signed K7 executables not included in the protected process list, such as K7QuervarCleaningTool.exe.
3rd Patch:
Additional validation checks were introduced, but Quarkslab still demonstrated bypass methods.
K7 later announced that a full ACL (Access Control List) redesign would only be implemented in a future major product release.
Conclusion: Antivirus Software Itself Can Become a Security Threat
K7 Antivirus operates at the most trusted layer of the system. However, due to poorly designed services, unprotected IPC channels, and weak access permissions, the product ended up posing a threat to the very system it is meant to protect.
This incident once again confirms:
If security tools are not secured properly and promptly, they can themselves become the most dangerous vulnerability.
Recommendations for Users and Organizations
1. For K7 users:
- Update the software to the latest version.
- Review the patches and follow the recommendations from the official blog.
- Monitor the system for unusual activity.
2. For IT administrators:
- Check all K7 agents within the corporate network.
- Monitor access permissions on named pipes.
- Scan for indicators of Local Privilege Escalation (LPE).
3. For security professionals:
- Study the Quarkslab exploitation scripts for defensive purposes.
- Add monitoring rules for K7 processes to SIEM systems.
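As an added defensive check (not code from the article, from Quarkslab or from K7), the script below audits which local named pipes the current account can open and flags DACL entries that let broad principals write to them; run it from a standard-user session to see what a low-privilege account can reach. The function names, the list of "broad" principals and the Windows PowerShell 5.1 requirement are this example's own assumptions.

```powershell
# Added audit example (assumption: Windows PowerShell 5.1 / .NET Framework, where
# PipeStream.GetAccessControl() is available). Run from a non-admin session.

$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\ANONYMOUS LOGON')
$writeData = [int][System.IO.Pipes.PipeAccessRights]::WriteData

function Open-PipeForAudit([string]$Name) {
    # Try a read-only open first, then write-only, so one-directional pipes are not missed.
    # Returns $null when the pipe is denied in both directions (i.e. restricted for this account)
    # or when it is busy / errors out.
    foreach ($dir in 'In', 'Out') {
        $client = New-Object System.IO.Pipes.NamedPipeClientStream('.', $Name, [System.IO.Pipes.PipeDirection]$dir)
        try { $client.Connect(200); return $client }
        catch {
            $client.Dispose()
            if ($_.Exception -isnot [System.UnauthorizedAccessException]) { return $null }
        }
    }
    return $null
}

function Find-PermissivePipe {
    foreach ($path in [System.IO.Directory]::GetFiles('\\.\pipe\')) {
        $name = $path.Substring('\\.\pipe\'.Length)
        $client = Open-PipeForAudit $name
        if (-not $client) { continue }
        try {
            $rules = $client.GetAccessControl().GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
            foreach ($rule in $rules) {
                if ($rule.AccessControlType -ne 'Allow') { continue }
                if (([int]$rule.PipeAccessRights -band $writeData) -eq 0) { continue }
                if ($broadPrincipals -notcontains $rule.IdentityReference.Value) { continue }
                # Reachable pipe whose DACL lets a broad group write to it: review its server.
                [pscustomobject]@{ Pipe = $name; Principal = $rule.IdentityReference.Value; Rights = $rule.PipeAccessRights }
            }
        } catch { }            # reading the DACL needs READ_CONTROL; skip pipes that refuse it
        finally { $client.Dispose() }
    }
}

Find-PermissivePipe | Sort-Object Pipe | Format-Table -AutoSize
```

Each successful Connect consumes one pipe instance briefly, so run the audit outside peak hours on production hosts; a hit on a pipe served by a SYSTEM process is the condition this article describes and warrants vendor follow-up or a tightened DACL.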