CVEs-PoC/2021/CVE-2021-31727.md

### [CVE-2021-31727](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31727)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

Incorrect access control in zam64.sys, zam32.sys in MalwareFox AntiMalware 2.74.0.150 where IOCTL's 0x80002014, 0x80002018 expose unrestricted disk read/write capabilities respectively. A non-privileged process can open a handle to \.\ZemanaAntiMalware, register with the driver using IOCTL 0x80002010 and send these IOCTL's to escalate privileges by overwriting the boot sector or overwriting critical code in the pagefile.

### POC

#### Reference
- https://github.com/irql0/CVE-2021-31728/blob/master/CVE-2021-31727.md

#### Github
- https://github.com/irql/CVE-2021-31728
- https://github.com/irql0/CVE-2021-31728
- https://github.com/mathisvickie/KMAC