Vulnerability Development mailing list archives
Re: Kaspersky AntiVirus Window Caption GUI Bypass Vulnerability
From: Tony Montana <c4p0ne () hush com>
Date: 1 Oct 2004 11:56:00 -0000
In-Reply-To: <20040930161008.28872.qmail () www securityfocus com>

Hello, this is a response by myself in an attempt to address a flurry of emails regarding some unanswered questions about this latest exploit in the Kaspersky Anti-Virus Version 5.0x line. I will attempt to answer all the questions I have received via email in this thread. I will try the best I can, as I have gotten very small amounts of sleep during the past few days.

First I must apologize, as I neglected to supply a few important (yet standard) pieces of information that should be part of any well-formatted vulnerability report. They are as follows:

Software: Kaspersky Anti-Virus Personal
Web Site: http://www.kaspersky.com
Affected Version(s): v5.0.149, v5.0.153 (possibly older as well)
Operating System(s): Microsoft Windows XP Pro w/SP2

To answer some of the questions I've received:

1. I was running all programs tested under Admin privileges, including Enabler and RAMCleaner. I have not yet tested with limited privs; however, due to the nature of this weakness I suspect that even a user with the lowest privileges would be able to leverage this attack. I could be wrong, so if anyone can verify this before I do myself, please feel free to do so.

2. The underlying machine where the exploit was successfully leveraged was running Microsoft Windows XP with the Final Build of Service Pack 2 (integrated "fresh" installation). I have not tested on either 98/SE/ME or the server version of KAV, which runs on Windows Server 2003. Again, however, due to the simple nature of the exploit I believe it can be exploited just as easily on those platforms as well. Again, I have not tested.

3. The functionality I am referring to that can be "bypassed" is KAV's unique ability (unlike MOST Home AV software) to have its interface password-protected. When a user clicks on the "K" icon in the task-tray in the lower right-hand corner, a password dialog stating "Enter your password" is displayed.

A user who does not know the password to access the Kaspersky GUI interface (kav.exe) cannot access or "see" current settings, cannot modify current settings in any way, and cannot disable or exit the software. The ONLY rights a user who does not know the password has are to view the program's version information and to update the anti-virus signatures. HOWEVER, it is possible to completely bypass the "Enter your password" dialog box by running one of the mentioned utilities (there are MANY more) and accessing the GUI interface caption directly. This is a BIG no-no. This is especially upsetting to myself, knowing full well that you will be hard-pressed to find a better AV software solution than KAV, which is by all other means the BEST performing software available on the market detection/stability-wise. The kavsvc.exe service simply cannot be killed without bringing down the entire machine, EVEN UNDER ADMIN PRIVS. But it just goes to show that a chain really IS ONLY as strong as its weakest link:

kavsvc.exe (Service) = Superbly coded/Unbreakable
kav.exe (GUI) = A simple mistake that makes you rub your eyes in disbelief, because the software is generally so superior in every other sense.

4. The Enabler method is even simpler than the RAMCleaner method, with the additional "bad-guy bonus" of being able to automatically recover the password stored behind the asterisks once the KAV GUI has been activated. Simply run "enabler.exe" and, in the "Object Name (Object Type)" window, find the caption that reads "Kaspersky Anti-Virus Personal (#32770)", right-click and select "show" from the submenu. Once the KAV interface pops up (again, completely bypassing the password request dialog), go to the settings tab and select the "Additional Settings" option. There you will be presented with the password hidden behind the classic black dots. Now go back to Enabler, and click "Start" under the "Roaming password finder" option.

When you switch windows back to the KAV GUI, you have the password available in clear text. This is ESPECIALLY dangerous because, if the network has many cloned installations with KAV, then the malicious user no longer requires the use of these utilities, as they can freely disable the protection on all of the systems since s/he now knows the administrative password!

If anyone manages to check out untested areas we have or haven't discussed here, please do not hesitate to post your results! It would be much appreciated, to help put a little fire under these guys' butts to hurry up and get this "so silly, yet SO dangerous" vulnerability fixed up!
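The design lesson in the post is that the password check lives only in the GUI process (kav.exe), which also holds the clear-text password, while the privileged service (kavsvc.exe) trusts whatever the GUI sends. The Python sketch below is an added illustration, not code from Kaspersky or from this thread: it models a GUI-gated service next to a service that keeps only a salted password hash and authorizes every settings change itself, so reaching the settings window without the dialog gains nothing. The class names, the `set_setting` API and the `"s3cret"` password are all constructed for the example.

```python
# Added design illustration (hypothetical); not Kaspersky's code or the thread's.
import hashlib
import hmac
import os


class GuiGatedService:
    """Weak design: the only gate is the GUI's own password dialog.

    The service accepts a flag meaning "the GUI says it is unlocked". Any way
    of reaching the settings window that skips the dialog therefore gives
    full control, and the clear-text password sits in the process for a
    password-revealing tool to read.
    """

    def __init__(self, password: str):
        self.password = password                  # clear text kept in memory
        self.settings = {"realtime_protection": True}

    def set_setting(self, key: str, value, gui_unlocked: bool) -> bool:
        if not gui_unlocked:                      # client-side state, not auth
            return False
        self.settings[key] = value
        return True


class ServiceEnforcedAuth:
    """Hardened design: the privileged service re-checks the password on every
    settings request and stores only a salted PBKDF2 verifier, so the GUI
    never holds the clear-text password."""

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._verifier = self._derive(password)
        self.settings = {"realtime_protection": True}

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), self._salt, 100_000
        )

    def set_setting(self, key: str, value, password: str) -> bool:
        # Constant-time compare against the stored verifier; GUI state is
        # irrelevant, so a shown-but-unauthenticated window changes nothing.
        if not hmac.compare_digest(self._derive(password), self._verifier):
            return False
        self.settings[key] = value
        return True


def simulate_settings_change() -> dict:
    """Reach the settings UI with the dialog skipped (modelled as a flag the
    GUI sets), then try to switch real-time protection off in both designs."""
    weak = GuiGatedService("s3cret")              # constructed sample password
    hard = ServiceEnforcedAuth("s3cret")
    window_shown_without_dialog = True            # the GUI believes it is unlocked

    weak_changed = weak.set_setting(
        "realtime_protection", False, window_shown_without_dialog
    )
    hard_changed = hard.set_setting("realtime_protection", False, password="")
    hard_legit = hard.set_setting("realtime_protection", False, password="s3cret")

    return {
        "weak_bypassed": weak_changed,            # True: GUI gate alone fails
        "hard_bypassed": hard_changed,            # False: service refuses
        "hard_legit": hard_legit,                 # True: correct password works
        "weak_holds_cleartext": hasattr(weak, "password"),
        "hard_holds_cleartext": hasattr(hard, "password"),
    }


if __name__ == "__main__":
    for name, outcome in simulate_settings_change().items():
        print(f"{name}: {outcome}")
```

The point of the contrast is where the decision is made: in the hardened variant the trusted component verifies a credential on every request, so tools that merely show a hidden window or read a text field from the GUI process have nothing to gain, and there is no clear-text password anywhere in the GUI to recover.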
Current thread:
- Re: Kaspersky AntiVirus Window Caption GUI Bypass Vulnerability Tony Montana (Oct 01)
- <Possible follow-ups>
- Re: Kaspersky AntiVirus Window Caption GUI Bypass Vulnerability miguel . dilaj (Oct 05)