CVE-2023-1646

5.3 MEDIUM

📋 TL;DR

A critical stack-based buffer overflow vulnerability exists in IObit Malware Fighter's IMFCameraProtect.sys driver. Local attackers can exploit this via specific IOCTL calls to potentially execute arbitrary code with kernel privileges. This affects users running IObit Malware Fighter 9.4.0.776 on Windows systems.

💻 Affected Systems

Products:
  • IObit Malware Fighter
Versions: 9.4.0.776
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in the IMFCameraProtect.sys driver component; requires IOCTL handler access.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privilege escalation to SYSTEM/kernel level, enabling full system compromise, persistence installation, and bypassing security controls.

🟠 Likely Case: Local privilege escalation allowing attackers to gain administrative privileges on compromised systems.

🟢 If Mitigated: Limited impact if proper endpoint protection, application control, and least privilege principles are enforced.

🌐 Internet-Facing: LOW - Requires local access; not directly exploitable over network.
🏢 Internal Only: MEDIUM - Local attackers or malware with user-level access could exploit this for privilege escalation within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code is publicly available; requires local access but no authentication beyond basic user privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to latest version (check IObit website for specific patched version)

Vendor Advisory: https://www.iobit.com/en/security.php

Restart Required: Yes

Instructions:

1. Open IObit Malware Fighter
2. Navigate to Settings > Update
3. Click 'Check for Updates'
4. Install available updates
5. Restart computer

🔧 Temporary Workarounds

Disable vulnerable driver (Windows)

Prevent loading of the vulnerable IMFCameraProtect.sys driver. Run the commands from an elevated (administrator) command prompt. The commands below reference the service as IMFCCameraProtect while the driver file is IMFCameraProtect.sys, so confirm the registered service name first (for example with sc query type= driver). Note that sc delete removes only the service registration; the driver file itself remains on disk, and the product's camera-protection feature stops working until the product is reinstalled or updated.

sc stop IMFCCameraProtect
sc delete IMFCCameraProtect

Restrict IOCTL access (Windows)

Application control policies such as AppLocker or WDAC cannot filter individual IOCTL codes, but they can stop untrusted local executables from running at all, and so from opening a handle to the driver's device object and issuing the vulnerable IOCTLs.

🧯 If You Can't Patch

  • Uninstall IObit Malware Fighter 9.4.0.776 completely
  • Implement strict application control policies to prevent execution of vulnerable software

🔍 How to Verify

Check if Vulnerable:

Check installed version of IObit Malware Fighter; if version is 9.4.0.776, system is vulnerable

Check Version:

wmic product where name="IObit Malware Fighter" get version

Note that wmic is deprecated in current Windows releases, and this query enumerates the Win32_Product class, which triggers a consistency check of every MSI-installed package and can be slow; reading DisplayVersion from the registry Uninstall keys gives the same information without that side effect.

Verify Fix Applied:

Verify IObit Malware Fighter is updated to version newer than 9.4.0.776
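The following PowerShell script is an added example, not part of this advisory and not IObit's code, that automates the two checks above on a single host: it reads the installed version from the registry Uninstall keys and compares it with 9.4.0.776, and it reports whether the IMFCameraProtect driver service is still registered and running, which also tells you whether the "disable vulnerable driver" workaround took effect. It assumes the product registers an Uninstall entry whose DisplayName begins with "IObit Malware Fighter"; the driver name is matched with a wildcard because the advisory shows both IMFCameraProtect.sys and IMFCCameraProtect.

```powershell
# Added example (not from the advisory or from IObit): a host-side check for the
# conditions this advisory describes. Assumptions, labelled: the product is
# registered under the standard Uninstall keys with a DisplayName beginning
# "IObit Malware Fighter"; the driver service name is matched with a wildcard
# because the advisory shows both IMFCameraProtect.sys and IMFCCameraProtect.

$AffectedVersion = [version]'9.4.0.776'      # version named in the advisory
$ProductName     = 'IObit Malware Fighter'

function Get-IObitMalwareFighterVersion {
    # Read DisplayVersion from the Uninstall keys (64-bit and 32-bit views).
    # This avoids Win32_Product / "wmic product", whose enumeration triggers MSI
    # consistency checks on every installed package.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "$ProductName*" } |
        Select-Object -First 1
    if ($entry) { return [string]$entry.DisplayVersion }
    return $null
}

function Test-CVE20231646Vulnerable {
    # $true when the installed build is 9.4.0.776 or older (assumption: builds
    # older than the one named in the advisory are treated as needing review too).
    param([string]$InstalledVersion)
    if (-not $InstalledVersion) { return $false }     # product not installed
    $parsed = $null
    if (-not [version]::TryParse($InstalledVersion, [ref]$parsed)) {
        Write-Warning "Unparseable version string '$InstalledVersion'; review manually."
        return $null
    }
    return ($parsed -le $AffectedVersion)
}

function Get-IMFCameraProtectDriver {
    # Win32_SystemDriver lists kernel-mode services with their state and image path,
    # so a driver that is still registered after an update or workaround shows up here.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like 'IMF*CameraProtect' -or $_.PathName -like '*IMFCameraProtect.sys*' } |
        Select-Object Name, State, StartMode, PathName
}

$installed = Get-IObitMalwareFighterVersion
$driver    = Get-IMFCameraProtectDriver

# One summary object per host; pipe to Export-Csv when running across a fleet.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    InstalledVersion = $installed
    Vulnerable       = Test-CVE20231646Vulnerable -InstalledVersion $installed
    DriverRegistered = [bool]$driver
    DriverState      = (@($driver) | ForEach-Object { "$($_.Name)=$($_.State)" }) -join '; '
}
```

Run it from an elevated PowerShell session so the driver query and both registry views are readable. A host is considered fixed only when Vulnerable is False and, if you applied the driver workaround rather than the update, DriverRegistered is also False; a registered driver in the Running state after an update means the new build still loads it and the version check alone decides.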

📡 Detection & Monitoring

Log Indicators:

  • Driver load events for IMFCameraProtect.sys (Sysmon Event ID 6 "Driver loaded", where Sysmon is deployed)
  • Process creation with elevated privileges (Security Event ID 4688) shortly after a standard-user process interacted with the driver; IOCTL calls themselves are not logged by default, so correlate on the resulting process and token changes rather than on the call
  • Security log events showing privilege escalation, such as a new SYSTEM-level process whose parent ran as a standard user

Network Indicators:

  • No direct network indicators - local exploitation only

SIEM Query:

EventID=4688 AND CommandLine="*IObit*"

The NewProcessName="*" and ParentProcessName="*" terms match every event and are omitted. Event ID 4688 carries the command line only when the "Include command line in process creation events" audit policy is enabled. Expect hits from the product's own legitimate processes, so exclude its installer and service binaries or alert only where the parent process is not one of them.
