
85167118's Blog

[Classic Tutorial] Local Privilege Escalation Vulnerability in Multiple Kaspersky Products

2009-12-22 17:16:38 | Category: Hacker Knowledge


Test method:

Due to its high level of professionalism and dedication, Kaspersky Lab has become a
market leader in the development of antivirus protection. The company's main product,
Kaspersky Anti-Virus, regularly receives top awards in tests conducted by respected
international research centers and IT publications. Kaspersky Lab was the first to
develop many technological standards in the antivirus industry, including full-scale
solutions for Linux, Unix and NetWare, a new-generation heuristic analyzer designed
to detect newly emerging viruses, effective protection against polymorphic and macro
viruses, continuously updated antivirus databases and a technique for detecting
viruses in archived files.

Source: http://www.kaspersky.com

VULNERABLE PRODUCTS

Kaspersky Anti-Virus 5.0 for Windows Workstations (5.0.712)
Kaspersky Antivirus Personal 5.0.x
Kaspersky Anti-Virus 6.0 for Windows Workstations (6.0.3.837)
Kaspersky Anti-Virus 6.0 for Windows File Servers (6.0.3.837)
Kaspersky Anti-Virus 7 (7.0.1.325)
Kaspersky Anti-Virus 2009 (8.0.0.x)
Kaspersky Anti-Virus 2010 (9.0.0.463)
Kaspersky Internet Security 7 (7.0.1.325)
Kaspersky Internet Security 2009 (8.0.0.x)
Kaspersky Internet Security 2010 (9.0.0.463)

Prior versions may also be affected.

DETAILS

Insecure permissions have been detected in multiple Kaspersky Lab antivirus
products. The "Everyone" group has "Full Control" rights to the BASES folder. The folder
contains antivirus bases, configuration files and executable modules. A local
attacker (unprivileged user) can replace some files (for example, executable modules)
with a malicious file and execute arbitrary code with SYSTEM privileges. This is a local
privilege escalation vulnerability.

For example, in Kaspersky Anti-Virus 2010 (9.0.0.463) the following attack scenario
could be used:

1. An attacker (unprivileged user) replaces one of the *.kdl files with a
   malicious dynamic link library (DLL). The file to replace could be
   %ALLUSERSPROFILE%\Application Data\Kaspersky Lab\AVP9\Bases\vulns.kdl.
2. Restart the system. After the restart, the attacker's malicious DLL will be
   loaded with SYSTEM privileges.

The self-defense feature of Kaspersky Anti-Virus prevents all operations on its own files.
It can be bypassed using internal shell dialogs in Kaspersky Anti-Virus (for
example, the "Open" dialog in Quarantine).

For other vulnerable Kaspersky Lab products, a similar attack scenario could be used.
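
An audit check for the permission problem described under DETAILS, added here as an example and not part of the original advisory: it parses a folder's security descriptor in SDDL form (for instance the string returned by `(Get-Acl <path>).Sddl` in PowerShell) and reports allow ACEs that give an unprivileged trustee write-type access. It generalizes slightly beyond the advisory by also treating Authenticated Users and BUILTIN\Users as unprivileged, which is an assumption; the two SDDL strings are constructed samples, not captured from a real installation.

```python
import re

# Access-mask values behind the SDDL rights tokens (Windows SDK constants).
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# Bits that allow replacing or re-permissioning files: write data, append,
# delete child, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL.
TAMPER = 0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000
# Everyone is the group named in the advisory; the other two are an added
# assumption about which trustees count as unprivileged.
LOW_PRIV = {"WD": "Everyone", "S-1-1-0": "Everyone",
            "AU": "Authenticated Users", "BU": "BUILTIN\\Users"}

def rights_mask(field):
    """Convert an SDDL rights field (hex or two-letter tokens) to an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS.get(field[i:i + 2], 0)
    return mask

def risky_aces(sddl):
    """Return (trustee, tamper_bits) for allow ACEs granting write-type access
    to a low-privileged trustee. Inherit-only ACEs are reported too, because
    they apply to the files inside the folder."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        parts = ace.split(";")
        if len(parts) != 6 or parts[0] != "A" or parts[5] not in LOW_PRIV:
            continue
        bits = rights_mask(parts[2]) & TAMPER
        if bits:
            findings.append((LOW_PRIV[parts[5]], bits))
    return findings

# Constructed samples: a folder open to Everyone, and a locked-down one.
WEAK = "O:BAG:SYD:AI(A;OICI;FA;;;WD)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)"
HARDENED = "O:BAG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"

if __name__ == "__main__":
    for name, sddl in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, [(t, hex(b)) for t, b in risky_aces(sddl)])
```

An empty result means no listed trustee can write to, delete from, or change permissions on the folder; a read-and-execute grant such as `0x1200a9` is deliberately not flagged.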

EXPLOITATION

An attacker must have valid logon credentials to a system where vulnerable software
is installed.

WORKAROUND

Kaspersky Lab has addressed this vulnerability by releasing fixed versions of the
vulnerable products:

Kaspersky Anti-Virus 2010 (9.0.0.736)
Kaspersky Internet Security 2010 (9.0.0.736)
Kaspersky Anti-Virus 6.0 for Windows Workstations (6.0.4.1212)
Kaspersky Anti-Virus 6.0 for Windows File Servers (6.0.4.1212)

DISCLOSURE TIMELINE

16/07/2009 Initial vendor notification. Secure contacts requested.
16/07/2009 Vendor response
16/07/2009 Vulnerability details sent
21/07/2009 Vendor accepted vulnerability for analysis
07/08/2009 Vendor confirmed vulnerability in personal and corporate product lines and
notified that the vulnerability will be fixed in new versions of vulnerable products
23/09/2009 Update status query sent
17/09/2009 Vendor response that the vulnerability will be fixed in October but in the
last product lines only (personal 2010 CF2 and corporate MP4). Fixing the
vulnerability in prior product lines is not planned.
01/10/2009 Corporate product line has been updated (Kaspersky Anti-Virus for Windows
Workstations 6.0.4.1212 released)
22/10/2009 Kaspersky Anti-Virus 2010 and Kaspersky Internet Security 2010 Critical
Fix 2 released
16/12/2009 Advisory released

CREDITS


Maxim A. Kulakov (ShineShadow)
ss_contacts[at]hotmail.com

 
