# CVE-2022-25949

A years-old exploit of a local EoP vulnerability in Kingsoft Antivirus KWatch Driver version 2009.3.17.77.

## 2009..?

I reported the issue in January 2014 and was notified of the CVE 8+ years later. I decided to upload this because it is amusing enough to find my old code and that it took that long.

Thus, this must not be a new vulnerability despite the new CVE -- a quick search showed multiple reports for the same-looking vulnerability already.

## Timeline

- Jan 12, 2014: I submit the issue to IPA
- Jan 15, 2014: IPA acknowledges the submission
- Mar 10, 2022: IPA notifies me for publication (I ignored it. I thought it was spam)
- Mar 15, 2022: An [advisary]( published

I sill thank IPA for doing their parts and making my day.

## Notes

The vulnerable file appears to be [ffdedbaeccbcf0b697675b24ca313cbb8e1c9ba1bd2f0a0b58a2d6a04a038479](

// Exploit for Kingsoft Antivirus KWatch Driver (KWatch3.sys)
// Target File Version: 2009.3.17.77
// Affected Product: Kingsoft Internet Security 9 Plus

Shellcode is located at 7E7E7E7E.
The device was opened as 00000020.
Shellcode was executed.
The SYSTEM shell was launched.
This process will be suspended for ever.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

nt authority\system