Full Disclosure mailing list archives
arbitrary file capture in Kaspersky Total Security 2019
From: p3rd1d0s via Fulldisclosure <fulldisclosure () seclists org>
Date: Fri, 22 Nov 2019 14:31:13 +0000
+++++++++++++[ Author ]++++++++++++++++++++++++++++++++++++++++++

* /b4s - but this is not important; I am only a single newbie trying to seek after knowledge[1], trying to view the AV on a deeper level[2], trying harder.

+++++++++++++[ Overview ]++++++++++++++++++++++++++++++++++++++++

A bug in Kaspersky Total Security 2019 (20.0.14.1085) that allows copying the SAM and SYSTEM files on Windows (and files that belong to other users), making it possible to recover all hashes of the local users (and files from other users).

+++++++++++++[ Impact ]++++++++++++++++++++++++++++++++++++++++++

Getting (copying) files that do not belong to you and that you do not have the privilege to copy.

+++++++++++++[ Detailed description ]++++++++++++++++++++++++++++

Logged in as an unprivileged user, follow the step-by-step:

1. Access the feature *Backup and Restore*;
2. Back up the folder C:\Windows\System32\config (OR the folder of another user; for example, if you are abc and your folder is C:\users\abc, create the backup routine for the folder C:\users\cde --- CDE is the sole owner and controller of this folder);
3. As this feature runs as SYSTEM, it allows backing up these files;
4. Notice that the backup was concluded successfully;
5. Restore specifically the SAM and SYSTEM files from the previously created backup;
6. Select a USB drive as the location for the aforementioned files to be restored;
7. Notice that the restore process was concluded successfully;
8. Notice that even though the restored files have a strong ACL, it is possible to access them through a Linux system (which ignores these ACLs) and crack the hashes, AND that the unprivileged user was able to copy the protected SAM and SYSTEM files (or the folder of another user) using the backup and restore functionalities of Kaspersky Total Security 2019 (20.0.14.1085) and crack the hashes included within them (or read the files of another user).
+++++++++++++[ Regards ]+++++++++++++++++++++++++++++++++++++++++++

* X@n@
* Gr3g0
* P$h3lz1n

+++++++++++++[ Reference ]+++++++++++++++++++++++++++++++++++++++++

[1] The Conscience of a Hacker (+++The Mentor+++, 1986)
[2] KORET and BACHAALANY, 2015

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
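
A detection-side check for the outcome described in steps 6 to 8, added here as an example and not part of the original post: it walks a directory (for instance a mounted removable volume) and flags registry hive copies by their `regf` base-block signature and embedded path, so a restored SAM or SYSTEM file is found even when it has been renamed. The function names are chosen for this example, and `make_sample_hive` builds a constructed 512-byte header for testing, not a real hive.

```python
import os
import struct

REGF_MAGIC = b"regf"   # signature at offset 0 of a registry hive base block

def regf_checksum(block):
    """XOR of the first 508 bytes as little-endian dwords (stored at 0x1FC)."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        x ^= dword
    return {0xFFFFFFFF: 0xFFFFFFFE, 0: 1}.get(x, x)

def inspect_hive(path):
    """Return (embedded_name, checksum_ok) for a hive file, else None."""
    try:
        with open(path, "rb") as fh:
            block = fh.read(512)
    except OSError:
        return None
    if len(block) < 512 or block[:4] != REGF_MAGIC:
        return None
    stored = struct.unpack_from("<I", block, 0x1FC)[0]
    # 0x30: last 32 UTF-16LE characters of the hive's original path
    name = block[0x30:0x70].decode("utf-16-le", "replace").split("\x00")[0]
    return name, stored == regf_checksum(block)

def find_hives(root):
    """Walk root (e.g. a mounted removable volume) and list hive copies."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            info = inspect_hive(full)
            if info:
                hits.append((os.path.relpath(full, root),) + info)
    return sorted(hits)

def make_sample_hive(original_path):
    """Constructed 512-byte base block for testing; not a real hive."""
    block = bytearray(512)
    block[:4] = REGF_MAGIC
    raw = original_path[-32:].encode("utf-16-le")
    block[0x30:0x30 + len(raw)] = raw
    struct.pack_into("<I", block, 0x1FC, regf_checksum(block))
    return bytes(block)

if __name__ == "__main__":
    import sys
    for rel, name, ok in find_hives(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: registry hive '{name}' (checksum {'ok' if ok else 'BAD'})")
```

A hit whose embedded name ends in `Config\SAM` or `Config\SYSTEM` outside `C:\Windows\System32\config` is worth investigating regardless of the file's own name.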