Message-ID: <45381766.1030006@reversemode.com>
Date: Fri, 20 Oct 2006 02:25:10 +0200
From: Reversemode <advisories@...ersemode.com>
To: Securityfocus <bugtraq@...urityfocus.com>
Subject: [Reversemode Advisory] Kaspersky Anti-Virus Privilege Escalation
Hi,
Kaspersky products are prone to a local privilege escalation vulnerability.
Unprivileged users can exploit this flaw in order to execute arbitrary
code with kernel privileges.

Kaspersky implements its NDIS-TDI Hooking Engine using two drivers,
which rely on an internal system of plugins. Plugin registration is
performed through a privileged IOCTL. The security descriptor of both
device objects is insecure, so any user can take advantage of this “hidden” feature.
-------------------------------------------
.text:0001175F cmp eax, 80052110h ; IOCTL
.text:00011764 jz loc_117F8
.text:000117F8 mov esi, [ebp+arg_4]
.text:000117FB cmp esi, ebx
.text:000117FD jz loc_119B0
.text:00011803 cmp [ebp+arg_8], 8 ; InputBufferSize >= 8?
.text:00011807 jb loc_119B0
.text:00015331 mov eax, [ebp+arg_0] ; eax == InputBuffer[0] == User controlled Address
.text:00015334 push ecx
.text:00015335 push edi
.text:00015336 mov [esi+1ACh], eax
.text:0001533C call eax ; Ring0ShellCode()
-------------------------------------------
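The listing shows the only validation the dispatch routine performs: the IOCTL code and an input length of at least 8 bytes, after which the first dword of the buffer is stored and called. The following user-mode C model is an added example written for this page; it is not Kaspersky's code and the names (ioctl_request, plugin_state, image_range, the return codes) are hypothetical. It places the weak check from the listing next to a hardened handler that adds the two checks a kernel driver would want here: the request must originate in kernel mode (what a real driver reads from Irp->RequestorMode), and the registered entry point must lie inside a known loaded kernel image. The IOCTL value 0x80052110 comes from the advisory; the trusted image range in main() is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IOCTL code taken from the advisory's listing (cmp eax, 80052110h). */
#define IOCTL_REGISTER_PLUGIN 0x80052110u

/* Hypothetical names modelling what a dispatch routine sees
   (in a real driver: Irp->RequestorMode, the input buffer and its length). */
enum requestor_mode { KERNEL_MODE = 0, USER_MODE = 1 };

typedef void (*plugin_entry_t)(void);

struct ioctl_request {
    uint32_t            code;
    enum requestor_mode requestor;
    const void         *input;
    size_t              input_len;
};

/* Per-device state; `entry` stands in for the slot at [esi+1ACh]. */
struct plugin_state { plugin_entry_t entry; };

/* Address range of a loaded kernel image that legitimate plugin code must
   live in (constructed by the caller in this model). */
struct image_range { uintptr_t base; size_t size; };

static bool address_in_range(uintptr_t a, const struct image_range *r)
{
    return a >= r->base && a < r->base + r->size;
}

/* Reads the pointer that sits at the start of the input buffer. */
static plugin_entry_t entry_from_buffer(const void *input)
{
    plugin_entry_t entry;
    memcpy(&entry, input, sizeof entry);
    return entry;
}

/* Weak dispatcher: mirrors the listing. The only validation is
   "InputBufferSize >= 8"; neither the caller's mode nor the pointer's
   provenance is examined, so anyone who can open the device registers an entry. */
int register_plugin_weak(struct plugin_state *st, const struct ioctl_request *req)
{
    if (req->code != IOCTL_REGISTER_PLUGIN)
        return -1;
    if (req->input == NULL || req->input_len < 8)
        return -1;
    st->entry = entry_from_buffer(req->input);   /* mov [esi+1ACh], eax ... call eax */
    return 0;
}

/* Hardened dispatcher: adds the two checks the listing lacks.
   Return codes are constructed for this model. */
int register_plugin_hardened(struct plugin_state *st, const struct ioctl_request *req,
                             const struct image_range *trusted)
{
    if (req->code != IOCTL_REGISTER_PLUGIN)
        return -1;
    /* 1. Registration is an internal facility: refuse user-mode callers
          outright, whatever the device object's DACL happens to allow. */
    if (req->requestor != KERNEL_MODE)
        return -2;
    if (req->input == NULL || req->input_len < 8)
        return -3;
    plugin_entry_t entry = entry_from_buffer(req->input);
    /* 2. The entry point must lie inside a known, loaded kernel image. */
    if (!address_in_range((uintptr_t)entry, trusted))
        return -4;
    st->entry = entry;
    return 0;
}

/* Harmless stand-in for plugin code, used only as an address in this model. */
void benign_plugin(void) { }

/* Builds a request whose 8-byte input buffer carries the raw bytes of
   `entry`, which is what a client of the device would hand over. */
struct ioctl_request make_register_request(enum requestor_mode mode,
                                           plugin_entry_t entry,
                                           unsigned char buf[8])
{
    memset(buf, 0, 8);
    memcpy(buf, &entry, sizeof entry);
    struct ioctl_request r = { IOCTL_REGISTER_PLUGIN, mode, buf, 8 };
    return r;
}

int main(void)
{
    struct plugin_state st = { NULL };
    unsigned char buf[8];
    /* Constructed range: exactly the stand-in function's address. */
    struct image_range trusted = { (uintptr_t)benign_plugin, 1 };
    struct ioctl_request from_user   = make_register_request(USER_MODE, benign_plugin, buf);
    printf("weak, user-mode caller:     %d\n", register_plugin_weak(&st, &from_user));
    st.entry = NULL;
    printf("hardened, user-mode caller: %d\n", register_plugin_hardened(&st, &from_user, &trusted));
    struct ioctl_request from_kernel = make_register_request(KERNEL_MODE, benign_plugin, buf);
    printf("hardened, kernel caller:    %d\n", register_plugin_hardened(&st, &from_kernel, &trusted));
    return 0;
}
```

The requestor-mode check is the one that matters for the advisory's scenario: it closes the path even when the device's security descriptor is left open. The descriptor itself is the second fix: a driver that creates its device with IoCreateDeviceSecure and an SDDL string restricting access to SYSTEM and Administrators (the SDDL_DEVOBJ_SYS_ALL_ADM_ALL constant from wdmsec.h) no longer hands the IOCTL interface to every local user. On a running system, the DACL actually applied to a device object can be inspected with Sysinternals accesschk (for example, accesschk -o on the \Device path), which is the quickest way to audit a third-party driver for this class of exposure.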
Advisory and two exploits are available at www.reversemode.com
Regards,
Rubén Santamarta