Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[security-alerts] FW: [Reversemode Advisory] Kaspersky Anti-Virus Privilege Escalation
And here are the exploits for the latest vulnerability in Kaspersky
> -----Original Message-----
> From: Reversemode [mailto:advisories@xxxxxxxxxxxxxxx]
> Sent: Friday, October 20, 2006 4:25 AM
> To: Securityfocus
> Subject: [Reversemode Advisory] Kaspersky Anti-Virus
> Privilege Escalation
>
>
> Hi,
>
> Kaspersky Products are prone to a local privilege escalation.
> Unprivileged users can exploit this flaw in order to execute arbitrary
> code with Kernel privileges.
>
> Kaspersky implements its NDIS-TDI Hooking Engine using two drivers,
> which rely on an internal system of plugins. Plugin registering is
> performed using a privileged IOCTL. The security descriptor for both
> Devices is insecure so any user can take advantage of this
> "hidden" feature.
> -------------------------------------------
> .text:0001175F cmp eax, 80052110h ; IOCTL
> .text:00011764 jz loc_117F8
> .text:000117F8 mov esi, [ebp+arg_4]
> .text:000117FB cmp esi, ebx
> .text:000117FD jz loc_119B0
> .text:00011803 cmp [ebp+arg_8], 8 ; InputBufferSize >= 8?
> .text:00011807 jb loc_119B0
> .text:00015331 mov eax, [ebp+arg_0] ; eax == InputBuffer[0] == User controlled Address
> .text:00015334 push ecx
> .text:00015335 push edi
> .text:00015336 mov [esi+1ACh], eax
> .text:0001533C call eax ; ; Ring0ShellCode()
> -------------------------------------------
>
> Advisory and two exploits are available at www.reversemode.com
>
> Regards,
> Rubén Santamarta
>
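As an added illustration, not part of the advisory and not Kaspersky's or Windows' code, the C program below models in user mode the dispatch pattern the disassembly shows: an IOCTL handler whose only check is `InputBufferSize >= 8` before it stores and calls the address found in the caller's buffer. Beside it is a hardened handler that refuses registration requests that do not originate in kernel mode, which is the effect a correct security descriptor on the device object would already have. Every identifier (`SimRequest`, `SimDevice`, `vulnerable_dispatch`, `hardened_dispatch`, the simulated status codes) is invented for the example; only the IOCTL value 0x80052110 is taken from the advisory.

```c
/* Added example: user-mode model of the advisory's IOCTL dispatch defect and
 * a hardened counterpart. All names are invented for illustration; none are
 * real Windows or Kaspersky identifiers. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated NTSTATUS-style results (constructed values, not real codes). */
enum {
    SIM_STATUS_SUCCESS = 0,
    SIM_STATUS_INVALID_PARAMETER = 1,
    SIM_STATUS_ACCESS_DENIED = 2
};

enum { SIM_KERNEL_MODE = 0, SIM_USER_MODE = 1 };

#define SIM_IOCTL_REGISTER_PLUGIN 0x80052110u /* IOCTL code quoted in the advisory */

typedef void (*plugin_fn)(void);

/* What a dispatch routine sees for one request. */
typedef struct {
    uint32_t ioctl;
    int requestor_mode;   /* SIM_KERNEL_MODE or SIM_USER_MODE */
    const void *input;    /* caller-supplied buffer */
    size_t input_size;
} SimRequest;

/* Stand-in for the device extension slot written at [esi+1ACh]. */
typedef struct {
    plugin_fn registered;
} SimDevice;

/* Counts how often the caller-supplied routine was actually executed. */
static int callback_hits = 0;

/* In the real bug this address is chosen by an unprivileged user and runs at
 * ring 0; here it is a harmless counter so the model can be observed. */
static void caller_supplied_routine(void) { callback_hits++; }

typedef int (*dispatch_fn)(SimDevice *, const SimRequest *);

/* Model of the vulnerable handler: size check only, then store and call. */
static int vulnerable_dispatch(SimDevice *dev, const SimRequest *req) {
    if (req->ioctl != SIM_IOCTL_REGISTER_PLUGIN) return SIM_STATUS_INVALID_PARAMETER;
    if (req->input == NULL || req->input_size < 8) return SIM_STATUS_INVALID_PARAMETER;
    plugin_fn fn;
    memcpy(&fn, req->input, sizeof fn);   /* eax = InputBuffer[0] */
    dev->registered = fn;                 /* mov [esi+1ACh], eax */
    fn();                                 /* call eax */
    return SIM_STATUS_SUCCESS;
}

/* Hardened model: a code pointer supplied from user mode is never accepted.
 * Only kernel-mode callers (the legitimate plugin drivers) may register. */
static int hardened_dispatch(SimDevice *dev, const SimRequest *req) {
    if (req->ioctl != SIM_IOCTL_REGISTER_PLUGIN) return SIM_STATUS_INVALID_PARAMETER;
    if (req->requestor_mode != SIM_KERNEL_MODE) return SIM_STATUS_ACCESS_DENIED;
    if (req->input == NULL || req->input_size < sizeof(plugin_fn))
        return SIM_STATUS_INVALID_PARAMETER;
    memcpy(&dev->registered, req->input, sizeof dev->registered);
    dev->registered();
    return SIM_STATUS_SUCCESS;
}

/* Builds a registration request carrying the address of caller_supplied_routine
 * in a 16-byte buffer (constructed input), resets the hit counter, and returns
 * the status the given handler produced. */
static int simulate_request(dispatch_fn handler, int requestor_mode) {
    unsigned char buf[16] = {0};
    plugin_fn fn = caller_supplied_routine;
    memcpy(buf, &fn, sizeof fn);
    SimRequest req = { SIM_IOCTL_REGISTER_PLUGIN, requestor_mode, buf, sizeof buf };
    SimDevice dev = { NULL };
    callback_hits = 0;
    return handler(&dev, &req);
}

int main(void) {
    int s = simulate_request(vulnerable_dispatch, SIM_USER_MODE);
    printf("vulnerable, user-mode caller: status=%d, callback executed=%d\n", s, callback_hits);
    s = simulate_request(hardened_dispatch, SIM_USER_MODE);
    printf("hardened,   user-mode caller: status=%d, callback executed=%d\n", s, callback_hits);
    s = simulate_request(hardened_dispatch, SIM_KERNEL_MODE);
    printf("hardened, kernel-mode caller: status=%d, callback executed=%d\n", s, callback_hits);
    return 0;
}
```

The model makes the two layers of the defect visible: the size check alone does not distinguish who sent the buffer, and the device security descriptor is what should have kept the IOCTL out of reach of unprivileged callers in the first place. In a real driver the requestor-mode check corresponds to `Irp->RequestorMode`, and the access restriction belongs on the device object's DACL so that the handler is never reached by an ordinary user at all.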