Vulnerability Development mailing list archives

Re: Kaspersky AntiVirus Window Caption GUI Bypass Vulnerability


From: miguel.dilaj () pharma novartis com
Date: Tue, 5 Oct 2004 09:22:03 +0200

Hi Tony,

I used a similar trick in the past to deactivate McAfee 4.x (needed to 
use some xploits like Debploit and runasx in WinNT4, at that time the only 
protection was the antivirus, now we migrated to XP).
The configuration GUI was password protected, and even when the passwords 
were shown as asterisks, tools to reveal passwords hidden by asterisks only 
showed a dummy string ('12345678').
But tools to activate greyed controls worked like a charm, so in fact it 
was possible to activate them and change the settings, deactivate the AV, 
etc.
The tool I used for the trick was VeoVeo, a Spanish tool available at 
www.hackindex.org (that has functionalities to reveal passwords hidden by 
asterisks, activate greyed controls, activate greyed menu items, and a 
simple keylogger that doesn't need administrative privileges to be 
installed/used).
The point for me is that, even when NAI committed a mistake by providing the 
configuration GUI to be available for control activation, the real problem 
is Windows (IMHO) that allows that, not the antivirus itself. With the 
same kind of "tricks" you can go activating controls all along your 
Windoze applications, with more than unpredictable results ;-)
Just my $0.02...
Cheers,

Miguel
aka Nekromancer




Tony Montana wrote:
I have discovered that the GUI part of KAV v5.0x (kav.exe) has a 
vulnerability that would allow any user to completely BYPASS the "password 
protection" in order to change settings or completely disable/exit KAV. 
There are dozens of shareware/freeware applications available on the 
internet that a user with malicious intentions could use to leverage this 
new vulnerability in KAV. The main 2 that I've tested so far are 
"Enabler" and "Ramcleaner" by securitysoftware.cc and cyberlat.com 
respectively.

{snip}

-c4p0ne



