Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: [Reversemode Advisory] Kaspersky Anti-Virus Privilege Escalation



And here are the exploits for the latest Kaspersky vulnerability


> -----Original Message-----
> From: Reversemode [mailto:advisories@xxxxxxxxxxxxxxx] 
> Sent: Friday, October 20, 2006 4:25 AM
> To: Securityfocus
> Subject: [Reversemode Advisory] Kaspersky Anti-Virus Privilege Escalation
> 
> 
> Hi,
> 
> Kaspersky Products are prone to a local privilege escalation.
> Unprivileged users can exploit this flaw in order to execute arbitrary
> code with Kernel privileges.
> 
> Kaspersky implements its NDIS-TDI Hooking Engine using two drivers,
> which rely on an internal system of plugins. Plugin registering is
> performed using a privileged IOCTL. The security descriptor for both
> Devices is insecure so any user can take advantage of this
> "hidden" feature.
> -------------------------------------------
> .text:0001175F cmp eax, 80052110h ; IOCTL
> .text:00011764 jz loc_117F8
> .text:000117F8 mov esi, [ebp+arg_4]
> .text:000117FB cmp esi, ebx
> .text:000117FD jz loc_119B0
> .text:00011803 cmp [ebp+arg_8], 8 ; InputBufferSize >= 8?
> .text:00011807 jb loc_119B0
> .text:00015331 mov eax, [ebp+arg_0] ; eax == InputBuffer[0] == User controlled Address
> .text:00015334 push ecx
> .text:00015335 push edi
> .text:00015336 mov [esi+1ACh], eax
> .text:0001533C call eax ; ; Ring0ShellCode()
> -------------------------------------------
> 
> Advisory and two exploits are available at www.reversemode.com
> 
> Regards,
> Rubén Santamarta
> 
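As an added illustration (not part of the forwarded advisory or of Kaspersky's code), decoding the IOCTL 0x80052110 from the disassembly above into its CTL_CODE fields shows why a weak device DACL alone was enough: the code is defined with FILE_ANY_ACCESS, so the I/O manager performs no per-request access check on the handle. The harden_ioctl_access() re-encoding is a hypothetical name and only one layer of a fix; the dispatch routine must also stop calling a pointer taken from the input buffer, and the device objects need a restrictive security descriptor.

```c
#include <stdint.h>
#include <stdio.h>

/* Field layout of a Windows I/O control code (winioctl.h CTL_CODE):
 *   bits 31..16 DeviceType, 15..14 RequiredAccess, 13..2 Function, 1..0 TransferType */
#define METHOD_BUFFERED   0u
#define FILE_ANY_ACCESS   0u
#define FILE_READ_ACCESS  1u
#define FILE_WRITE_ACCESS 2u

#define CTL_CODE(dev, func, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | \
     ((uint32_t)(func) << 2) | (uint32_t)(method))

typedef struct {
    uint16_t device_type;
    uint8_t  required_access;   /* FILE_ANY_ACCESS, or FILE_READ_ACCESS / FILE_WRITE_ACCESS bits */
    uint16_t function;
    uint8_t  method;
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type     = (uint16_t)(code >> 16);
    f.required_access = (uint8_t)((code >> 14) & 0x3u);
    f.function        = (uint16_t)((code >> 2) & 0xFFFu);
    f.method          = (uint8_t)(code & 0x3u);
    return f;
}

/* The I/O manager compares only bits 15..14 against the access granted on the handle.
 * FILE_ANY_ACCESS means every successfully opened handle may issue the request, so
 * with a permissive device DACL any local user reaches the driver's dispatch routine. */
int ioctl_reachable_without_access_check(uint32_t code) {
    return decode_ioctl(code).required_access == FILE_ANY_ACCESS;
}

/* Hypothetical hardening: keep device type, function and method, but require a handle
 * opened with both read and write access before the request reaches the driver at all. */
uint32_t harden_ioctl_access(uint32_t code) {
    ioctl_fields f = decode_ioctl(code);
    return CTL_CODE(f.device_type, f.function, f.method, FILE_READ_ACCESS | FILE_WRITE_ACCESS);
}

int main(void) {
    const uint32_t plugin_ioctl = 0x80052110u;  /* constant taken from the advisory's disassembly */
    ioctl_fields f = decode_ioctl(plugin_ioctl);
    printf("device 0x%04X function 0x%03X method %u required access %u\n",
           f.device_type, f.function, f.method, f.required_access);
    printf("hardened code: 0x%08X\n", harden_ioctl_access(plugin_ioctl));
    return 0;
}
```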



 




Copyright © Lexa Software, 1996-2009.