Date: Wed Jun  8 04:53:18 2005
From: pigrelax at yandex.ru (alex)
Subject: Kaspersky antivirus 


http://www.securitylab.ru/55018.html


Affected: Kaspersky Anti-Virus 5.0.227, 5.0.228 and 5.0.335 on Windows 2000. The
issue was not found on Windows XP.

A breakout of the Windows 2000 security subsystem was found in Kaspersky Anti-Virus
5.0.227, 5.0.228 and 5.0.335, and it can be exploited for local privilege
escalation. KAV's resident protection component calls functions inside the
klif.sys driver directly from user mode. The page-access violation this would
normally raise is avoided by clearing the Supervisor bit on the driver's pages
(marking them user-accessible), which makes it possible to execute the driver's
code from user mode. The function's entry point is called whenever a DLL is
loaded, either into a newly created process or into an existing one.

This function is located at 0xBE934FE1 (0xBE934FA0 in 5.0.335). It is reached
through a jmp instruction (opcode 0xE9) that KAV writes into kernel32 at
kernel32!+0x5DFC2. That jmp is in turn invoked from rpcrt4.dll, shell32.dll,
ole32.dll, oleaut32.dll and shim.dll.

To observe this, set a SoftICE breakpoint at 0xBE934FE1 (0xBE934FA0 for 5.0.335)
and start any new process.

The vulnerability is exploited by overwriting klif.sys code and data from the
context of a low-privileged process. Once that is done, as soon as a new
high-privileged process is created, or any DLL is loaded into an existing one,
the planted code executes with high privileges.
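
Two checks a defender can run from the facts above: decode the 0xE9 jmp at kernel32!+0x5DFC2 to confirm it leaves user space and lands on one of the advertised klif.sys entries, and test whether a kernel-range page-table entry has been marked user-accessible. The following C is an added example written for this page, not code from the advisory or from the Softsphere proof of concept. It assumes a 2 GB/2 GB address split (kernel space starting at 0x80000000), uses a hypothetical kernel32 base of 0x77E80000 purely to construct sample bytes, and works on an in-memory buffer rather than reading the live kernel32 image or real page tables, which a check on the affected machine would have to do.

```c
#include <stdint.h>
#include <stdio.h>

/* Values quoted in the advisory. */
#define KAV_HOOK_OFFSET      0x5DFC2u     /* kernel32!+0x5DFC2, where KAV writes the jmp */
#define KLIF_ENTRY_5_0_227   0xBE934FE1u  /* klif.sys function entered by the jmp (5.0.227/228) */
#define KLIF_ENTRY_5_0_335   0xBE934FA0u  /* same function in 5.0.335 */

/* Assumptions, not from the advisory: a 2 GB user / 2 GB kernel split (no /3GB),
 * and a sample kernel32 base used only to construct the sample bytes. A real check
 * would read the live image bytes and module base from the process being inspected. */
#define KERNEL_SPACE_START    0x80000000u
#define SAMPLE_KERNEL32_BASE  0x77E80000u

typedef enum {
    HOOK_ABSENT,          /* no E9 at the offset */
    HOOK_USER_TARGET,     /* jmp stays inside user space: ordinary code */
    HOOK_KERNEL_UNKNOWN,  /* jmp into kernel space, target not one we know */
    HOOK_KLIF_KNOWN       /* jmp lands on one of the advertised klif.sys entries */
} hook_class_t;

/* Build the 5-byte E9 rel32 jmp that would sit at `at` and reach `target`.
 * Used here only to construct sample input. */
void encode_jmp_rel32(uint32_t at, uint32_t target, uint8_t out[5])
{
    uint32_t rel = target - (at + 5u);        /* rel32 is relative to the next instruction */
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i)); /* little-endian immediate */
}

/* Decode an E9 rel32 jmp located at virtual address `at`.
 * Returns 1 and sets *target on success, 0 if the bytes are not an E9 jmp. */
int decode_jmp_rel32(const uint8_t code[5], uint32_t at, uint32_t *target)
{
    if (code[0] != 0xE9)
        return 0;
    uint32_t rel = (uint32_t)code[1]
                 | (uint32_t)code[2] << 8
                 | (uint32_t)code[3] << 16
                 | (uint32_t)code[4] << 24;
    *target = at + 5u + rel;  /* unsigned wraparound handles negative rel32 correctly */
    return 1;
}

int is_known_klif_entry(uint32_t va)
{
    return va == KLIF_ENTRY_5_0_227 || va == KLIF_ENTRY_5_0_335;
}

/* Classify the five bytes found at kernel32 + KAV_HOOK_OFFSET. */
hook_class_t classify_hook(const uint8_t code[5], uint32_t at, uint32_t *target)
{
    if (!decode_jmp_rel32(code, at, target))
        return HOOK_ABSENT;
    if (*target < KERNEL_SPACE_START)
        return HOOK_USER_TARGET;
    return is_known_klif_entry(*target) ? HOOK_KLIF_KNOWN : HOOK_KERNEL_UNKNOWN;
}

/* x86 32-bit (non-PAE) page-table entry: bit 0 = Present, bit 1 = R/W, bit 2 = U/S.
 * U/S = 1 means ring 3 may access the page. For a page in the kernel half of the
 * address space that is the condition the advisory describes: the driver's pages
 * are user-accessible, so its code runs from user mode without a fault. */
int pte_allows_user_access(uint32_t pte)
{
    return (pte & 0x1u) && (pte & 0x4u);
}

int main(void)
{
    /* Constructed sample: the bytes KAV 5.0.227 would leave at kernel32!+0x5DFC2. */
    uint32_t hook_va = SAMPLE_KERNEL32_BASE + KAV_HOOK_OFFSET;
    uint8_t patched[5];
    encode_jmp_rel32(hook_va, KLIF_ENTRY_5_0_227, patched);

    uint32_t target = 0;
    hook_class_t cls = classify_hook(patched, hook_va, &target);
    printf("bytes at kernel32!+0x%X: %02X %02X %02X %02X %02X -> 0x%08X (class %d)\n",
           KAV_HOOK_OFFSET, patched[0], patched[1], patched[2], patched[3], patched[4],
           target, (int)cls);

    /* Constructed PTEs: 0x67 = present, writable, user; 0x63 = present, writable, supervisor. */
    printf("PTE 0x67 user-accessible: %d\n", pte_allows_user_access(0x67u));
    printf("PTE 0x63 user-accessible: %d\n", pte_allows_user_access(0x63u));
    return 0;
}
```

A jmp inside kernel32 whose rel32 target resolves above the user/kernel boundary is abnormal on its own; matching it against the two published klif.sys addresses only tells you which KAV build planted it. The PTE check is the complementary half: a kernel-range page with U/S set is what lets that jmp complete from ring 3 instead of faulting.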

A proof-of-concept exploit is available here:
http://www.softsphere.com/security/KAV_exploit.zip

www.softsphere.com
