Date: Fri, 22 Nov 2019 14:31:13 +0000
From: p3rd1d0s via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] arbitrary file capture in Kaspersky Total Security 2019

+++++++++++++[ Author ]++++++++++++++++++++++++++++++++++++++++++

* /b4s - but this is not important, I am only a single newbie
trying to seek after knowledge[1], trying to view the AV on a
deeper level[2], trying harder.

+++++++++++++[ Overview ]++++++++++++++++++++++++++++++++++++++++

A bug in Kaspersky Total Security 2019 (20.0.14.1085) that allows
copying SAM and SYSTEM files on Windows (and files that belong to
other users), making it possible to recover all hashes of the
local users (and files from other users).

+++++++++++++[ Impact ]++++++++++++++++++++++++++++++++++++++++++

Getting (copying) files that do not belong to you and that you do
not have the privilege to copy.

+++++++++++++[ Detailed description ]++++++++++++++++++++++++++++

Logged in as an unprivileged user, follow these steps:

1. Access the feature *Backup and Restore*;

2. Back up the folder C:\Windows\System32\config (OR the folder of
another user, for example: if you are abc and your folder is
C:\users\abc, create the backup routine for the folder C:\users\cde,
where cde is the sole owner and controller of this folder);

3. As this feature runs as SYSTEM, it allows backing up these files;

4. Notice that the backup was concluded successfully;

5. Restore specifically the SAM and SYSTEM files from the previously
created backup;

6. Select a USB Drive as the location for the aforementioned files
to be restored;

7. Notice that the restore process was concluded successfully;

8. Notice that even though the restored files have a strong ACL, it
is possible to access them through a Linux system (which ignores
these ACLs) and crack the hashes, AND that the unprivileged user was
able to copy the protected SAM and SYSTEM files (or the folder of
another user) using the backup and restore functionalities of
Kaspersky Total Security 2019 (20.0.14.1085) and crack the hashes
included within them (or read files of another user).

+++++++++++++[ Regards ]+++++++++++++++++++++++++++++++++++++++++++

* X@n@
* Gr3g0
* P$h3lz1n

+++++++++++++[ Reference ]+++++++++++++++++++++++++++++++++++++++++

[1] The Conscience of a Hacker (+++The Mentor+++, 1986)
[2] KORET and BACHAALANY, 2015

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
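
A defensive check for the condition described in the post, as an added example (not part of the original message and not Kaspersky's code): before a backup service that runs as SYSTEM accepts a job, it compares the requested source path with what the requesting user is entitled to. The function names, the protected-directory list and the C:\Users profile root are assumptions for illustration; a path check like this complements reading the source under the caller's own token and does not replace it.

```python
import ntpath

# Assumed policy values (not from the advisory): protected system locations
# and the root under which per-user profile folders live.
PROTECTED_DIRS = [r"C:\Windows\System32\config"]
PROFILES_ROOT = r"C:\Users"


def _norm(path):
    """Normalize a Windows path: collapse '..', unify separators, fold case."""
    return ntpath.normcase(ntpath.normpath(path))


def _is_within(path, parent):
    """True if path equals parent or lies beneath it, on a component boundary."""
    path, parent = _norm(path), _norm(parent)
    return path == parent or path.startswith(parent.rstrip("\\") + "\\")


def review_backup_source(requesting_user, source):
    """Return a refusal reason for a backup job source, or None if acceptable."""
    for protected in PROTECTED_DIRS:
        # Flag the protected directory itself, anything below it, and any
        # parent folder (for example C:\Windows) whose backup would include it.
        if _is_within(source, protected) or _is_within(protected, source):
            return "source covers protected system directory " + protected
    if _is_within(source, PROFILES_ROOT):
        rel = _norm(source)[len(_norm(PROFILES_ROOT)):].strip("\\")
        owner = rel.split("\\")[0] if rel else ""
        if owner == "":
            return "source covers all user profiles"
        if owner != requesting_user.lower():
            return "source is inside another user's profile: " + owner
    return None


if __name__ == "__main__":
    # Constructed sample jobs mirroring the two cases in the post.
    jobs = [("abc", r"C:\Windows\System32\config"),
            ("abc", r"C:\users\cde"),
            ("abc", r"C:\users\abc\Documents")]
    for user, src in jobs:
        print(user, src, "->", review_backup_source(user, src) or "ok")
```

The check is purely lexical: it does not resolve junctions, symbolic links or 8.3 short names, and it treats shared profile folders under the profile root as belonging to another user.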
