Vulnerability Development mailing list archives

Re: Kaspersky AntiVirus Window Caption GUI Bypass Vulnerability


From: Tony Montana <c4p0ne () hush com>
Date: 1 Oct 2004 11:56:00 -0000

In-Reply-To: <20040930161008.28872.qmail () www securityfocus com>

Hello, this is a response by myself in an attempt to address a flurry of emails regarding some unanswered questions about this latest exploit in the Kaspersky Anti-Virus Version 5.0x line. I will attempt to answer all the questions I have received via email in this thread. I will try the best I can, as I have gotten very small amounts of sleep during the past few days. First I must apologize, as I neglected to supply a few important (yet standard) pieces of information that should be part of any well-formatted vulnerability report; they are as follows:


Software:
Kaspersky Anti-Virus Personal

Web Site:
http://www.kaspersky.com

Affected Version(s):
v5.0.149, v5.0.153 (possibly older as well)

Operating System(s):
Microsoft Windows XP Pro w/SP2

To answer some of the questions I've received:

1. I was running all programs tested under Admin privileges, including Enabler and RAMCleaner. I have not yet tested with limited privs; however, due to the nature of this weakness I suspect that even a user with the lowest privileges would be able to leverage this attack. I could be wrong, so if anyone can verify this before I do myself, please feel free to do so.

2. The underlying machine where the exploit was successfully leveraged was running Microsoft Windows XP with the Final Build of Service Pack 2 (integrated "fresh" installation). I have not tested on either 98/SE/ME or the server version of KAV which runs on Windows Server 2003. Again, however, due to the simple nature of the exploit I believe it can be exploited just as easily on those platforms as well. Again, I have not tested.

3. The functionality I am referring to that can be "bypassed" is KAV's unique ability (unlike MOST Home AV software) to have its interface password-protected. When a user clicks on the "K" icon in the task-tray in the lower right-hand corner, a password dialog stating "Enter your password" is displayed. A user who does not know the password to access the Kaspersky GUI interface (kav.exe) cannot access or "see" current settings, cannot modify current settings in any way, and cannot disable or exit the software. The ONLY rights a user who does not know the password has are to view the program's version information and to update the anti-virus signatures.

HOWEVER, it is possible to completely bypass the "Enter your password" dialog box by running one of the mentioned utilities (there are MANY more) and accessing the GUI interface caption directly. This is a BIG no-no. This is especially upsetting to myself, knowing full well that you will be hard-pressed to find a better AV software solution than KAV, which is by all other means the BEST performing software available on the market detection/stability-wise. The kavsvc.exe service simply cannot be killed without bringing down the entire machine, EVEN UNDER ADMIN PRIVS. But it just goes to show that a chain really IS ONLY as strong as its weakest link:

kavsvc.exe (Service) = Superbly coded/Unbreakable
kav.exe (GUI) = A simple mistake that makes you rub your eyes in disbelief because the software is generally so superior in every other sense.

4. The Enabler method is even simpler than the RAMCleaner method, with the additional "bad-guy bonus" of being able to automatically recover the password stored behind the asterisks once the KAV GUI has been activated. Simply run "enabler.exe" and in the "Object Name (Object Type)" window, find the caption that reads "Kaspersky Anti-Virus Personal (#32770)", right-click and select "show" from the submenu. Once the KAV interface pops up (again, completely bypassing the password request dialog), go to the settings tab and select the "Additional Settings" option. There you will be presented with the password hidden behind the classic black dots. Now go back to Enabler and click "Start" under the "Roaming password finder" option. When you switch windows back to the KAV GUI, you have the password available in clear text. This is ESPECIALLY dangerous because if the network has many cloned installations with KAV, then the malicious user no longer requires the use of these utilities, as they can freely disable the protection on all of the systems since s/he now knows the administrative password!

If anyone manages to check out untested areas we have or haven't discussed here, please do not hesitate to post your results! It would be much appreciated to help put a little fire under these guys' butts to hurry up and get this "so silly, yet SO dangerous" vulnerability fixed up!
