Bugtraq mailing list archives

Re: [DSECRG-11-018] Kaspersky administration Kit - Remote code execution via SMBRelay


From: "Vladimir '3APA3A' Dubrovin" <3APA3A () securityvulns ru>
Date: Tue, 26 Apr 2011 16:53:33 +0400

Dear Alexandr Polyakov,

AFAIK, SMB NTLM relaying was closed with MS08-068 and Kerberos was never
possible to relay. Are you sure authentication is really possible with
patched Windows systems?

--Monday, April 25, 2011, 12:21:57 PM, you wrote to bugtraq () securityfocus com:



AP> Digital Security Research Group [DSecRG] Advisory       #DSECRG-11-018

AP> Application:             Kaspersky Administration Kit
AP> Versions Affected:       from 6.0
AP> Vendor URL:              http://www.kaspersky.com
AP> Bug:                     Design flaw
AP> Exploits:                YES
AP> Reported:                22.01.2011
AP> Vendor response:         22.01.2011
AP> Solution:                disable IP scan
AP> Date of Public Advisory: 14.03.2011
AP> Authors:                 Alexey Sintsov of Digital Security Research Group [DSecRG]



AP> Description
AP> ***********

AP> The service account used for Kaspersky Administration Kit and its
AP> functionality make an attack on other hosts
AP> in a corporate network possible.

AP> Details
AP> *******

AP> A function called "Scan IP subnets" is enabled by default in Kaspersky Administration Kit 6.
AP> This function performs an ICMP scan and also tries to use the SMB
AP> protocol using the service account, which can be
AP> used to run an SMBRelay attack and gain full control of the secured
AP> network. By default "Scan IP subnets"
AP> scans the subnet every 7 hours. The attacker just needs to run an
AP> SMBRelay tool and wait. The attack is possible
AP> because the Kaspersky service account has administrative rights on hosts in the corporate network.
AP> This means that the attacker can attack any server or workstation
AP> where this service account has rights.

AP> Fix Information
AP> ***************

AP> 1) Do not start Administration Server service under a Domain Administrator account
AP> or a domain account member of local administrators group on other hosts.
AP> 2) Disable "Scan IP subnets"


AP> http://support.kaspersky.com/faq/?qid=208284121 


AP> References
AP> *********

AP> http://dsecrg.ru/pages/vul/show.php?id=318
AP> http://dsecrg.blogspot.com/2011/03/smbrelay-bible-4-smbrelay-with-no.html

AP> About DSecRG
AP> *******
AP> The main mission of DSecRG is to conduct research on business
AP> critical systems such as ERP, CRM, SRM, BI, SCADA, banking software
AP> and others. The result of this work is then integrated into the ERPSCAN
AP> security scanner. Being on the top edge of ERP and SAP security,
AP> DSecRG research helps to improve the quality of ERPSCAN consulting
AP> services and protects you from the latest threats.
AP> Contact: research [at] dsecrg [dot] com
AP> http://www.dsecrg.com 

AP> About ERPScan
AP> *******
AP> ERPScan is an innovative company engaged in the research of ERP
AP> security and develops products for ERP system security assessment.
AP> Apart from this the company renders consulting services for secure
AP> configuration, development and implementation of ERP systems, and
AP> conducts comprehensive assessments and penetration testing of custom
AP> solutions.
AP> Our flagship products are "ERPScan Security Scanner for SAP"
AP> and service "ERPScan Online" which can help customers to perform
AP> automated security assessments and compliance checks for SAP
AP> solutions.

AP> “ERPScan Security Scanner for SAP” is an innovative product for
AP> integrated assessment of SAP platform security and standard
AP> compliance.

AP> Contact: info [at] erpscan [dot] com
AP> http://www.erpscan.com




AP> Polyakov Alexandr. PCI QSA,PA-QSA
AP> CTO Digital Security
AP> Head of DSecRG
AP> ______________________
AP> DIGITAL SECURITY
AP> phone:  +7 812 703 1547
AP>         +7 812 430 9130
AP> e-mail: a.polyakov () dsec ru  

AP> www.dsec.ru
AP> www.dsecrg.com www.dsecrg.ru
AP> www.erpscan.com www.erpscan.ru
AP> www.pcidssru.com www.pcidss.ru




-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
The trouble begins at eight. (Twain)
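The advisory's attack leaves a trace on the targets: the service account's credentials arrive at a host from the relaying machine rather than from the Administration Server. Below is an added detection example (not part of the advisory or of Kaspersky's product) that scans constructed Windows 4624 logon events for exactly that pattern; the Administration Server address and the account name are assumptions.

```python
"""Flag network NTLM logons of a scanning service account that do not
originate from the Administration Server (possible SMB relay)."""
import json

# Constructed values for this example (not from the advisory):
ADMIN_SERVER_IPS = {"10.0.0.5"}       # hosts that legitimately run the Administration Server
SERVICE_ACCOUNT = ("CORP", "klsvc")   # hypothetical Administration Server service account
NETWORK_LOGON = 3                     # 4624 LogonType 3: network logon (SMB and similar)

# Constructed sample: 4624 events exported as one JSON object per line.
# Event 1 is the server's own scan; event 2 has the same account arriving
# from another host; event 3 is an unrelated Kerberos logon.
SAMPLE_LOG = """
{"EventID": 4624, "Computer": "ws01.corp.example", "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "klsvc", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.5"}
{"EventID": 4624, "Computer": "fs01.corp.example", "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "klsvc", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.77"}
{"EventID": 4624, "Computer": "fs01.corp.example", "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "jdoe", "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.77"}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suspicious_logons(events):
    """Return network NTLM logons by the service account whose source address
    is not an Administration Server. Kerberos logons are skipped because a
    relay needs NTLM; a legitimate scan always comes from the server itself."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != NETWORK_LOGON:
            continue
        if (ev.get("TargetDomainName"), ev.get("TargetUserName")) != SERVICE_ACCOUNT:
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        src = ev.get("IpAddress", "-")
        if src in ADMIN_SERVER_IPS:
            continue
        hits.append({"target": ev.get("Computer"), "source": src})
    return hits


if __name__ == "__main__":
    for hit in suspicious_logons(parse_events(SAMPLE_LOG)):
        print(f"possible relay of {SERVICE_ACCOUNT[1]}: {hit['target']} from {hit['source']}")
```

Running the service under a non-admin account, as the advisory's fix recommends, removes the impact; this check only shows whether the pattern has already occurred.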

