
[Reversemode Advisory] Kaspersky Anti-Virus Privilege Escalation
Hi,

Kaspersky products are affected by a local privilege escalation. An
unprivileged local user can exploit this flaw to execute arbitrary code
with kernel privileges.

Kaspersky implements its NDIS-TDI Hooking Engine in two drivers, which
rely on an internal plugin system. Plugin registration is performed
through a privileged IOCTL. The security descriptor on both device objects
is insecure, so any user can open them and reach this "hidden" feature.
The handler only checks that the input buffer is at least 8 bytes long; it
then stores the first DWORD of the user-supplied buffer as a function
pointer and calls it in ring 0:
-------------------------------------------
.text:0001175F cmp eax, 80052110h ; IOCTL
.text:00011764 jz loc_117F8
.text:000117F8 mov esi, [ebp+arg_4]
.text:000117FB cmp esi, ebx
.text:000117FD jz loc_119B0
.text:00011803 cmp [ebp+arg_8], 8 ; InputBufferSize >= 8?
.text:00011807 jb loc_119B0
.text:00015331 mov eax, [ebp+arg_0] ; eax == InputBuffer[0] == user-controlled address
.text:00015334 push ecx
.text:00015335 push edi
.text:00015336 mov [esi+1ACh], eax
.text:0001533C call eax ; Ring0ShellCode()
-------------------------------------------
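The following is an added, user-mode model of the logic in that listing; it is
not code from the advisory or from Kaspersky. It decodes the IOCTL value
0x80052110 with the standard CTL_CODE layout (the fields show METHOD_BUFFERED
and FILE_ANY_ACCESS, i.e. no particular access right on the handle is
required, so the device DACL is the only gate), then contrasts a dispatch
routine written like the disassembly (size check, store the user pointer,
call it) with a hardened one that registers plugins by index into a
driver-side table and refuses unprivileged callers. The request layout,
the plugin table, the plugin_ctx structure and the caller_is_kernel flag are
assumptions made for the model; the 0x1AC offset and the 8-byte minimum come
from the listing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* --- 1. Decode the IOCTL from the dispatch routine -------------------- */
/* CTL_CODE layout (ntddk.h): DeviceType<<16 | Access<<14 | Function<<2 | Method */
#define IOCTL_REGISTER_PLUGIN 0x80052110u   /* value from the advisory's listing */

typedef struct {
    uint32_t device_type;   /* >= 0x8000: vendor-defined device type */
    uint32_t access;        /* 0 = FILE_ANY_ACCESS: no handle access right required */
    uint32_t function;
    uint32_t method;        /* 0 = METHOD_BUFFERED: input copied to SystemBuffer */
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* --- 2. Model of the vulnerable and hardened dispatch ----------------- */
typedef void (*plugin_fn)(void);

/* Request as sent from user mode (assumed layout). On the 32-bit driver the
   pointer is the first DWORD and the check is ">= 8"; here the minimum is
   sizeof(plugin_request) so the model also works on 64-bit hosts. */
typedef struct {
    plugin_fn entry;        /* InputBuffer[0]: address the driver will call */
    uint32_t  reserved;
} plugin_request;

/* Plugin context; the listing stores the pointer at [esi+1ACh]. */
typedef struct {
    uint8_t   pad[0x1AC];
    plugin_fn callback;
} plugin_ctx;

/* Stand-in for ring-0 shellcode in this model: it only records that it ran. */
int g_shellcode_ran = 0;
void fake_shellcode(void) { g_shellcode_ran = 1; }

/* Vulnerable: the same logic as the listing, a size check and nothing else. */
int vuln_register_plugin(plugin_ctx *ctx, const void *in, size_t in_len) {
    plugin_request req;
    if (in == NULL || in_len < sizeof req) return -1;   /* cmp [ebp+arg_8], 8 / jb */
    memcpy(&req, in, sizeof req);
    ctx->callback = req.entry;                          /* mov [esi+1ACh], eax */
    ctx->callback();                                    /* call eax: user pointer, ring 0 */
    return 0;
}

/* Hardened: user mode selects a plugin by index from a table that lives in
   the driver, so no code pointer crosses the boundary, and only privileged
   callers are accepted. In a real driver the caller check is the device DACL
   (IoCreateDeviceSecure with "D:P(A;;GA;;;SY)(A;;GA;;;BA)"); here it is
   modelled by the caller_is_kernel flag. */
static void plugin_a(void) {}
static void plugin_b(void) {}
static plugin_fn const g_known_plugins[] = { plugin_a, plugin_b };   /* constructed table */

int safe_register_plugin(plugin_ctx *ctx, const void *in, size_t in_len, int caller_is_kernel) {
    uint32_t index;
    if (!caller_is_kernel) return -2;                    /* STATUS_ACCESS_DENIED */
    if (in == NULL || in_len < sizeof index) return -1;  /* STATUS_BUFFER_TOO_SMALL */
    memcpy(&index, in, sizeof index);
    if (index >= sizeof g_known_plugins / sizeof g_known_plugins[0]) return -3; /* STATUS_INVALID_PARAMETER */
    ctx->callback = g_known_plugins[index];
    return 0;
}

/* Drives the vulnerable path with a constructed request of in_len bytes.
   Returns 1 if the user-supplied pointer was called, 0 if it was rejected. */
int demo_vulnerable(size_t in_len) {
    plugin_ctx ctx = {0};
    plugin_request req = { fake_shellcode, 0 };
    g_shellcode_ran = 0;
    if (vuln_register_plugin(&ctx, &req, in_len) != 0) return 0;
    return g_shellcode_ran && ctx.callback == fake_shellcode;
}

/* Drives the hardened path; returns its status code, or -9 if a successful
   call left the context pointing anywhere other than the table entry. */
int demo_hardened(int caller_is_kernel, uint32_t index) {
    plugin_ctx ctx = {0};
    int rc = safe_register_plugin(&ctx, &index, sizeof index, caller_is_kernel);
    if (rc == 0 && ctx.callback != g_known_plugins[index]) return -9;
    return rc;
}

int main(void) {
    ioctl_fields f = decode_ioctl(IOCTL_REGISTER_PLUGIN);
    printf("device 0x%X access %u function 0x%X method %u\n",
           f.device_type, f.access, f.function, f.method);
    printf("vulnerable, 8-byte request: pointer called = %d\n", demo_vulnerable(sizeof(plugin_request)));
    printf("vulnerable, short request:  pointer called = %d\n", demo_vulnerable(4));
    printf("hardened, user caller:   rc = %d\n", demo_hardened(0, 1));
    printf("hardened, kernel caller: rc = %d\n", demo_hardened(1, 1));
    printf("hardened, bad index:     rc = %d\n", demo_hardened(1, 7));
    return 0;
}
```

The decoded fields are the check a practitioner would do first: access == 0
means the I/O manager does not demand FILE_WRITE_ACCESS on the handle before
delivering the request, so a permissive DACL on the device object alone is
enough for an unprivileged caller to reach the handler. The fix has two
independent parts, a device security descriptor that keeps unprivileged
users from opening the device at all, and a handler that never treats user
input as a code pointer; either one alone is a single point of failure.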

Advisory and two exploits are available at www.reversemode.com

Regards,
Rubén Santamarta