Full Disclosure mailing list archives

Kaspersky antivirus


From: "alex" <pigrelax () yandex ru>
Date: Wed, 8 Jun 2005 07:53:07 +0400


http://www.securitylab.ru/55018.html


Kaspersky antivirus v. 5.0.227, 5.0.228, 5.0.335 under Windows 2000. Nothing
was found under Windows XP.

A Windows 2000 security subsystem breakout has been found inside Kaspersky
antivirus v. 5.0.227, 5.0.228 and 5.0.335. It can be exploited for local
privilege escalation. KAV's resident protection subsystem directly calls
functions inside the klif.sys driver from user level. Page access violations
are avoided by clearing the Supervisor bit of the driver's pages. This makes
it possible to execute code from user level inside the driver. The function's
entry point is called when DLLs are loaded inside a newly created process or
inside an existing one.

This function is located at address 0xBE934FE1 (0xBE934FA0 for version
5.0.335); it is called by a jmp instruction (opcode 0xE9) placed by KAV at
address kernel32+0x5DFC2. The jmp entry point is called from the rpcrt4.dll,
shell32.dll, ole32.dll, oleaut32.dll and shim.dll libraries.

To observe this vulnerability, set a SoftICE breakpoint at address
0xBE934FE1 (0xBE934FA0 for version 5.0.335) and start any new process.

The vulnerability can be exploited by rewriting klif.sys code and data from
the context of a low-privilege process. After that, if a new high-privilege
process is created, or any DLL is loaded into an existing one, the exploit
code will be executed with high privileges.

Test exploit is available here:
http://www.softsphere.com/security/KAV_exploit.zip

www.softsphere.com
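The following is an added example, not code from the post above or from the softsphere.com exploit archive. It shows the two checks a practitioner would run to confirm what the post describes: decoding the E9 rel32 jmp that KAV writes at kernel32+0x5DFC2 to see that its target lies in the kernel half of the 32-bit address space, and testing whether a page-table entry for that target leaves the page accessible (and writable) from user mode via the x86 U/S bit, which is what the post calls "clearing the Supervisor bit". The kernel32.dll load address 0x77E80000 and the PTE values are assumptions for the sake of a runnable sample; only the 0x5DFC2 offset and the 0xBE934FE1 / 0xBE934FA0 targets come from the post.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this example: 32-bit x86 Windows 2000 without /3GB, so every
 * virtual address at or above 2 GiB belongs to the kernel half of the address space. */
#define KERNEL_BOUNDARY 0x80000000u

/* x86 32-bit (non-PAE) page-table entry flag bits. */
#define PTE_PRESENT  0x1u
#define PTE_WRITABLE 0x2u
#define PTE_USER     0x4u   /* U/S bit: 1 = user-mode code may access the page */

/* Encode a near relative jmp (E9 rel32) that sits at `site` and lands on `target`. */
void encode_jmp_rel32(uint32_t site, uint32_t target, uint8_t out[5])
{
    uint32_t rel = target - (site + 5);   /* rel32 is relative to the next instruction */
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel);
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Decode the instruction at `site`; returns true and fills `*target` only for E9 rel32. */
bool decode_jmp_rel32(const uint8_t *bytes, size_t len, uint32_t site, uint32_t *target)
{
    if (len < 5 || bytes[0] != 0xE9)
        return false;
    uint32_t rel = (uint32_t)bytes[1] | ((uint32_t)bytes[2] << 8) |
                   ((uint32_t)bytes[3] << 16) | ((uint32_t)bytes[4] << 24);
    *target = site + 5 + rel;             /* unsigned wrap-around handles negative rel32 */
    return true;
}

bool is_kernel_address(uint32_t va) { return va >= KERNEL_BOUNDARY; }

/* The condition the post describes: a present page in the kernel half whose U/S bit
 * is set, i.e. driver memory that user-mode code can read (and, if writable, rewrite). */
bool kernel_page_user_accessible(uint32_t va, uint32_t pte)
{
    return is_kernel_address(va) && (pte & PTE_PRESENT) && (pte & PTE_USER);
}

bool kernel_page_user_writable(uint32_t va, uint32_t pte)
{
    return kernel_page_user_accessible(va, pte) && (pte & PTE_WRITABLE);
}

/* Classify a call site: 0 = no E9 jmp there, 1 = jmp within user space, 2 = jmp into kernel space. */
int classify_hook(const uint8_t *bytes, size_t len, uint32_t site)
{
    uint32_t target;
    if (!decode_jmp_rel32(bytes, len, site, &target))
        return 0;
    return is_kernel_address(target) ? 2 : 1;
}

int main(void)
{
    /* Constructed sample: the offset and target from the post, plus an assumed
     * kernel32.dll load address (0x77E80000 is hypothetical, not from the post). */
    const uint32_t kernel32_base = 0x77E80000u;
    const uint32_t site = kernel32_base + 0x5DFC2u;
    const uint32_t klif_entry = 0xBE934FE1u;   /* 0xBE934FA0 for version 5.0.335 */
    uint8_t patch[5];
    uint32_t target = 0;

    encode_jmp_rel32(site, klif_entry, patch);
    if (decode_jmp_rel32(patch, sizeof patch, site, &target))
        printf("jmp at %08X -> %08X (%s)\n", site, target,
               is_kernel_address(target) ? "kernel space" : "user space");

    /* Constructed PTE values: 0x67 = P|RW|US|A|D, 0x63 = the same flags without US. */
    printf("driver page with U/S set: user writable = %d\n",
           kernel_page_user_writable(klif_entry, 0x67u));
    printf("driver page with U/S clear: user accessible = %d\n",
           kernel_page_user_accessible(klif_entry, 0x63u));
    return 0;
}
```

On a live Windows 2000 system you would feed `decode_jmp_rel32` the five bytes read from `GetModuleHandle("kernel32.dll") + 0x5DFC2` rather than the encoded sample; a jmp landing above the 2 GiB boundary, combined with a successful user-mode read of the target page, is the observable signature of the condition the post reports.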





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

