Advisories

Zemana AntiLogger v2.74.204.664 - DoS

5.5

Medium

Discovered by 

Andres Roldan

Andres Roldan

Offensive Team, Fluid Attacks

Summary

Full name

Zemana AntiLogger v2.74.204.664 - Denial of Service (DoS)

Code name

Hassan

State

Public

Release date

Mar 14, 2024

Affected product

Zemana AntiLogger

Vendor

Zemana Ltd.

Affected version(s)

Version 2.74.204.664

Vulnerability name

Denial of Service (DoS)

Vulnerability type

002. Asymmetric Denial of Service

Remotely exploitable

No

CVSS v3.0 vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v3.0 base score

5.5

Exploit available

Yes

CVE ID(s)

CVE-2024-2204

Description

Zemana AntiLogger v2.74.204.664 is vulnerable to a Denial of Service (DoS) vulnerability by triggering the 0x80002004 and 0x80002010 IOCTL codes of the zam64.sys and zamguard64.sys drivers.

Vulnerability

The 0x80002004 and 0x80002010 IOCTL codes of the zam64.sys and zamguard64.sys drivers are vulnerable to Denial of Service (DoS) leading to a BSOD of the affected computer caused by a NULL pointer dereference.

In order to perform calls to any IOCTL of the zam64.sys and zamguard64.sys driver, a call to the IOCTL 0x80002010 must be performed with the current process ID as an authorized IOCTL process caller:

if ( IoctlCode != 0x80002010 )
{
 if ( IoctlCode + 0x7FFFDFAC > 0x10
    || (CurrentStackLocation = 0x11001i64, !_bittest((const int *)&CurrentStackLocation, IoctlCode + 0x7FFFDFAC)) )
    {
    if ( (unsigned int)sub_140009BE4(CurrentStackLocation, "Main.c") && !(unsigned int)sub_140009BEC(v6, 1i64) )
    {
        v3 = 0xC0000022;
        DnsPrint_RpcZoneInfo(
        7,
        (unsigned int)"Main.c",
        0x1E2,
        (unsigned int)"DeviceIoControlHandler",
        0xC0000022,
        "ProcessID %d is not authorized to send IOCTLs ",
        v6);
        goto LABEL_79

The handling code of the 0x80002010 IOCTL calls sub_14000F4B4:

__int64 __fastcall sub_14000F4B4(unsigned int *SystemBuffer, __int64 a2, _DWORD *a3, _DWORD *a4)
{
  struct _UNICODE_STRING *v4; // rdi
  unsigned int v8; // eax
  __int64 result; // rax
  __int64 v10; // [rsp+50h] [rbp+8h] BYREF

  v10 = 0i64;
  v4 = (struct _UNICODE_STRING *)(SystemBuffer + 0x1D);  // [1]
  DnsPrint_RpcZoneInfo(
    1,
    (unsigned int)"IoctlHandler.c",
    0x16,
    (unsigned int)"IoctlCreateFileBypassFilters",
    0,
    "Request %ws",
    SystemBuffer + 0x1D);  // [2]
  v8 = SystemBuffer[2];
  if ( (v8 & 2) != 0 || (v8 & 0x100) != 0 )
    sub_14000C33C(v4, *SystemBuffer);
  result = sub_14000AC2C(v4, *SystemBuffer, SystemBuffer[1], 1, SystemBuffer[2], 7u, SystemBuffer[3], (void **)&v10);  //[3]

That function receives the SystemBuffer variable as a first parameter. When the nInBufferSize value of the IOCTL request call is 0 and the lpInBuffer is NULL, the value of SystemBuffer is also 0. However, there are not checks ([1], [2], [3]) for such case before trying to dereference the variable. The result is a NULL pointer dereference:

Our security policy

We have reserved the ID CVE-2024-2204 to refer to this issue from now on.

Disclosure policy

System Information

  • Version: Zemana AntiLogger v2.74.204.664

  • Operating System: Windows

Mitigation

There is currently no patch available for this vulnerability.

References

Timeline

Vulnerability discovered

Feb 23, 2024

Vendor contacted

Mar 5, 2024

Public disclosure

Mar 14, 2024

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Try for free

Contact sales

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Try for free

Contact sales

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Try for free

Contact sales

Plans

Advisories

EN

Contact sales

Log in

Try for free

EN

Contact sales

Try for free

Plans

Advisories

EN

Contact sales

Log in

Try for free

EN

Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.

Products

Platform

SAST

DAST

SCA

CSPM

PTaaS

Secure code review

Reverse engineering

Solutions

Continuous Hacking

AppSec

Cloud security

ASPM

RBVM

SSCS

Compliance

DevSecOps

Targets

Web applications

Mobile applications

APIs and microservices

Containers

Infrastructure as code

Cloud infrastructure

Resources

Advisories

Blog

Downloadables

Cybersecurity essentials

Documentation

Courses on our platform

Company

About us

Clients

Certifications

Partners

Careers

SOC 2 Type II

SOC 3

Subscribe to our newsletter

Stay updated on our upcoming events and latest blog posts, advisories and other engaging resources.

Subscribe

© 2025 Fluid Attacks. We hack your software.

Terms of use

Privacy policy

System status

Cookie policy

Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.

Products

Platform

SAST

DAST

SCA

CSPM

PTaaS

Secure code review

Reverse engineering

Solutions

Continuous Hacking

AppSec

Cloud security

ASPM

RBVM

SSCS

Compliance

DevSecOps

Targets

Web applications

Mobile applications

APIs and microservices

Containers

Infrastructure as code

Cloud infrastructure

Resources

Advisories

Blog

Downloadables

Cybersecurity essentials

Documentation

Courses on our platform

Company

About us

Clients

Certifications

Partners

Careers

SOC 2 Type II

SOC 3

Subscribe to our newsletter

Stay updated on our upcoming events and latest blog posts, advisories and other engaging resources.

Subscribe

© 2025 Fluid Attacks. We hack your software.

Terms of use

Privacy policy

System status

Cookie policy

Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.

Products

Platform

SAST

DAST

SCA

CSPM

PTaaS

Secure code review

Reverse engineering

Solutions

Continuous Hacking

AppSec

Cloud security

ASPM

RBVM

SSCS

Compliance

DevSecOps

Targets

Web applications

Mobile applications

APIs and microservices

Containers

Infrastructure as code

Cloud infrastructure

Resources

Advisories

Blog

Downloadables

Cybersecurity essentials

Documentation

Courses on our platform

Company

About us

Clients

Certifications

Partners

Careers

SOC 2 Type II

SOC 3

Subscribe to our newsletter

Stay updated on our upcoming events and latest blog posts, advisories and other engaging resources.

Subscribe

© 2025 Fluid Attacks. We hack your software.

Terms of use

Privacy policy

System status

Cookie policy