CVE-2019-15661
📋 TL;DR
This vulnerability in Rivet Killer Control Center allows local attackers to execute arbitrary code or escalate privileges through a stack-based buffer overflow. Attackers can exploit improper parameter validation in the KfeCo10X64.sys driver via IOCTL 0x120004. Users with Killer Control Center software installed on Windows systems are affected.
💻 Affected Systems
- Rivet Killer Control Center
- Killer Networking software
📦 What is this software?
Killer Control Center by Killernetworking
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with kernel-level code execution, allowing attackers to install persistent malware, steal credentials, or disable security controls.
Likely Case
Local privilege escalation from a standard user to SYSTEM/administrator privileges, enabling lateral movement and persistence establishment.
If Mitigated
Limited impact with proper endpoint protection, application control, and least privilege principles in place.
🎯 Exploit Status
Exploitation requires local access but is relatively straightforward once access is obtained. The FireEye disclosure includes technical details that could facilitate weaponization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.1352 and later
Vendor Advisory: https://support.killernetworking.com/downloads/ReleaseNotes/KillerSoftware_Release_Notes_2.1.1352.pdf
Restart Required: Yes
Instructions:
1. Download Killer Control Center version 2.1.1352 or later from the official Killer Networking website.
2. Uninstall the previous version.
3. Install the updated version.
4. Restart the system.
🔧 Temporary Workarounds
Disable or remove vulnerable driver
Windows: Prevent loading of the vulnerable KfeCo10X64.sys driver
sc stop KfeCo10X64
sc delete KfeCo10X64
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\KfeCo10X64" /f
Uninstall Killer Control Center
Windows: Remove vulnerable software entirely
appwiz.cpl
Select 'Killer Control Center' and click Uninstall
🧯 If You Can't Patch
- Implement application control to block execution of Killer Control Center and related components
- Enforce least privilege principles to limit impact of privilege escalation
🔍 How to Verify
Check if Vulnerable:
Check if KfeCo10X64.sys driver exists in system32\drivers and Killer Control Center version is below 2.1.1352
Check Version:
wmic product where "name like '%Killer%'" get version
Verify Fix Applied:
Verify Killer Control Center version is 2.1.1352 or higher and KfeCo10X64.sys driver has been updated
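The two checks above combined into one PowerShell script, as an added example that is not part of the original advisory or any vendor tooling. The fixed version, driver file name and service name come from this page; matching installed products on a DisplayName containing "Killer" is an assumption.

```powershell
# Added example: local exposure check for CVE-2019-15661.
# From this page: fixed version 2.1.1352, driver KfeCo10X64.sys, service KfeCo10X64.
# Assumption: the product registers a DisplayName containing "Killer".
$FixedVersion = [version]'2.1.1352'
$DriverPath   = Join-Path $env:SystemRoot 'System32\drivers\KfeCo10X64.sys'

# Read the uninstall registry keys rather than Win32_Product ("wmic product"),
# which runs an MSI consistency check on every installed package when queried.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Products = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Killer*' }

$Findings = foreach ($p in $Products) {
    $parsed = $null
    # [version] compares each component numerically; a string comparison would
    # rank "2.1.999" above "2.1.1352".
    $ok = [version]::TryParse([string]$p.DisplayVersion, [ref]$parsed)
    $status = if (-not $ok) { 'Unknown' } elseif ($parsed -lt $FixedVersion) { 'Vulnerable' } else { 'Fixed' }
    [pscustomobject]@{
        Product = $p.DisplayName
        Version = $p.DisplayVersion
        Status  = $status
    }
}

# Driver file and service registration. The page gives no fixed driver file
# version, so the file version is reported for comparison, not judged.
$Driver  = Get-Item -LiteralPath $DriverPath -ErrorAction SilentlyContinue
$Service = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='KfeCo10X64'" -ErrorAction SilentlyContinue

[pscustomobject]@{
    DriverFile    = if ($Driver)  { $Driver.FullName } else { 'not present' }
    DriverVersion = if ($Driver)  { $Driver.VersionInfo.FileVersion } else { $null }
    ServiceState  = if ($Service) { $Service.State } else { 'not registered' }
    Vulnerable    = [bool]($Findings | Where-Object Status -eq 'Vulnerable')
} | Format-List
$Findings | Format-Table -AutoSize
```

A driver file or service that remains after the product has been uninstalled shows up here as a present DriverFile or a registered ServiceState with no matching product row.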
📡 Detection & Monitoring
Log Indicators:
- Driver load events for KfeCo10X64.sys
- Process creation from Killer Control Center components
- IOCTL calls to vulnerable driver
Network Indicators:
- No specific network indicators as this is a local vulnerability
SIEM Query:
(EventID=7045 AND ServiceName="KfeCo10X64") OR ProcessName="KillerControlCenter.exe"
🔗 References
- https://github.com/fireeye/Vulnerability-Disclosures/blob/master/FEYE-2019-0005/FEYE-2019-0005.md
- https://support.killernetworking.com/downloads/ReleaseNotes/KillerSoftware_Release_Notes_2.1.1352.pdf
- https://www.killernetworking.com