Date: Wed Jun 8 04:53:18 2005
From: pigrelax at yandex.ru (alex)
Subject: Kaspersky antivirus

http://www.securitylab.ru/55018.html

Kaspersky Antivirus v. 5.0.227, 5.0.228, 5.0.335 under Windows 2000. Nothing was found under Windows XP.

A Windows 2000 security subsystem breakout was found inside Kaspersky Antivirus v. 5.0.227, 5.0.228, 5.0.335. It can be exploited for local privilege escalation.

KAV's resident defence subsystem directly calls functions inside the klif.sys driver from user level. The page access violation is avoided by clearing the Supervisor bit of the driver's pages. This makes it possible to execute code from user level inside the driver.

The function's entry point is called when a DLL loads inside a newly created process or inside an existing one. This function is located at address 0xBE934FE1 (0xBE934FA0 for version 5.0.335); it is called by a jmp instruction (opcode 0xE9) placed by KAV at address kernel32!+0x5DFC2. The jmp entry point is called from the rpcrt4.dll, shell32.dll, ole32.dll, oleaut32.dll and shim.dll libraries.

To observe this vulnerability, place a SoftICE breakpoint at address 0xBE934FE1 (0xBE934FA0 for version 5.0.335) and run any new process.

Exploitation is possible by rewriting klif.sys code and data from the context of a low-privilege process. After that, if a new process with high privileges is created, or any DLL is loaded inside an existing one, the exploit code will be executed with high privileges.

Test exploit is available here: http://www.softsphere.com/security/KAV_exploit.zip

www.softsphere.com
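The anomaly the advisory describes is checkable from the defender's side: a rel32 jmp in a user-mode DLL that lands in kernel address space. The following scanner is an added example, not code from the poster or from Kaspersky; it assumes a constructed 16-byte code slice starting at kernel32+0x5DFC0 with kernel32 loaded at the placeholder base 0x7C800000, and uses the 0x80000000 user/kernel split of a default Windows 2000 configuration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KERNEL_BASE_VA 0x80000000u  /* default 2 GB split on Windows 2000 */

struct jmp_hit { uint32_t at; uint32_t target; };  /* VA of E9 opcode, VA it lands on */

static uint32_t rd32(const uint8_t *p)  /* little-endian 32-bit read */
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* code/len: bytes copied from a user-mode module; va: VA of code[0].
 * Byte-wise scanning is not a disassembler, so stray 0xE9 data bytes can
 * match; the kernel-range filter on the computed target removes nearly
 * all such false positives. Returns number of hits, writes up to max. */
size_t find_kernel_jmps(const uint8_t *code, size_t len, uint32_t va,
                        struct jmp_hit *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 5 <= len; i++) {
        if (code[i] != 0xE9) continue;
        uint32_t target = va + (uint32_t)i + 5 + rd32(code + i + 1); /* wraps like the CPU */
        if (target >= KERNEL_BASE_VA) {
            if (n < max) { out[n].at = va + (uint32_t)i; out[n].target = target; }
            n++;
        }
    }
    return n;
}

/* Encode "jmp rel32" at VA `at` landing on `target`; used only to build the sample. */
static void put_jmp(uint8_t *p, uint32_t at, uint32_t target)
{
    uint32_t rel = target - (at + 5);
    p[0] = 0xE9; p[1] = rel & 0xFF; p[2] = (rel >> 8) & 0xFF;
    p[3] = (rel >> 16) & 0xFF; p[4] = (rel >> 24) & 0xFF;
}

/* Constructed sample (not a real memory dump): slice at kernel32+0x5DFC0 with the
 * assumed base 0x7C800000. Offset +2 carries the advisory's jmp to 0xBE934FE1;
 * offset +8 carries an ordinary intra-module jmp that must not be flagged. */
size_t demo_scan(struct jmp_hit *out, size_t max)
{
    const uint32_t base = 0x7C800000u, va = base + 0x5DFC0u;
    uint8_t slice[16];
    memset(slice, 0x90, sizeof slice);                 /* nop filler */
    put_jmp(slice + 2, va + 2, 0xBE934FE1u);           /* kernel32+0x5DFC2 -> klif.sys */
    put_jmp(slice + 8, va + 8, base + 0x1234u);        /* benign jmp inside kernel32 */
    return find_kernel_jmps(slice, sizeof slice, va, out, max);
}

int main(void)
{
    struct jmp_hit hits[8];
    size_t n = demo_scan(hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("jmp at %08X -> %08X (kernel range)\n", hits[i].at, hits[i].target);
    return 0;
}
```

In practice the slice would be read from the live process and compared against the on-disk image so that legitimate relocations are excluded before the kernel-range test is applied.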