Vulnerability Development: Re: Kaspersky AntiVirus Window Caption GUI Bypass Vulnerability

Re: Kaspersky AntiVirus Window Caption GUI Bypass Vulnerability

From: Tony Montana <c4p0ne_at_hush.com>
Date: 1 Oct 2004 11:56:00 -0000
In-Reply-To: <20040930161008.28872.qmail_at_www.securityfocus.com>

Hello, this is a response by myself in an attempt to address a flurry of emails regarding some unanswered questions about this latest exploit in the Kaspersky Anti-Virus Version 5.0x line. I will attempt to answer all the questions I have received via email in this thread. I will try the best I can as I have gotten very small amounts of sleep during the past few days. First I must apologize as I neglected to supply a few important (yet standard) pieces of information that should be part of any well-formatted vulnerability report, and they are as follows:


Software:
Kaspersky Anti-Virus Personal

Web Site:
http://www.kaspersky.com

Affected Version(s):
v5.0.149, v5.0.153 (possibly older as well)

Operating System(s):
Microsoft Windows XP Pro w/SP2

To answer some of the questions I've received:

1. I was running all programs tested under Admin privileges, including Enabler and RAMCleaner. I have not yet tested with limited privs; however, due to the nature of this weakness I suspect that even a user with the lowest privileges would be able to leverage this attack. I could be wrong, so if anyone can verify this before I do myself, please feel free to do so.

2. The underlying machine where the exploit was successfully leveraged was running Microsoft Windows XP with the Final Build of Service Pack 2 (integrated "fresh" installation). I have not tested on either 98/SE/ME or the server version of KAV which runs on Windows Server 2003. Again, however, due to the simple nature of the exploit I believe it can be exploited just as easily on those platforms as well. Again, I have not tested.

3. The functionality I am referring to that can be "bypassed" is KAV's unique ability (unlike MOST Home AV software) to have its interface password-protected. When a user clicks on the "K" icon in the task-tray in the lower right-hand corner, a password dialog stating "Enter your password" is displayed. A user who does not know the password to access the Kaspersky GUI interface (kav.exe) cannot access or "see" current settings, cannot modify current settings in any way, and cannot disable or exit the software. The ONLY rights a user who does not know the password has are to view the program's version information and update the anti-virus signatures.

HOWEVER, it is possible to completely bypass the "Enter your password" dialog box by running one of the mentioned utilities (there are MANY more) and accessing the GUI interface caption directly. This is a BIG no-no. This is especially upsetting to myself, knowing full well that you will be hard-pressed to find a better AV software solution than KAV, which is by all other means the BEST performing software available on the market detection/stability wise. The kavsvc.exe service simply cannot be killed without bringing down the entire machine, EVEN UNDER ADMIN PRIVS. But it just goes to show that a chain really IS ONLY as strong as its weakest link:

kavsvc.exe (Service) = Superbly coded/Unbreakable
kav.exe (GUI) = A simple mistake that makes you rub your eyes in disbelief because the software is generally so superior in every other sense.

4. The Enabler method is even more simple than the RAMCleaner method, with the additional "bad-guy bonus" of being able to automatically recover the password stored behind the asterisks once the KAV GUI has been activated. Simply run "enabler.exe" and in the "Object Name (Object Type)" window, find the caption that reads "Kaspersky Anti-Virus Personal (#32770)", right-click and select "show" from the submenu. Once the KAV interface pops up (again, completely bypassing the password request dialog), go to the settings tab and select the "Additional Settings" option. There you will be presented with the password hidden behind the classic black dots. Now go back to Enabler, and click "Start" under the "Roaming password finder" option. When you switch windows back to the KAV GUI, you have the password available in clear text. This is ESPECIALLY dangerous because if the network has many cloned installations with KAV, then the malicious user no longer requires the use of these utilities, as they can freely disable the protection on all of the systems since s/he now knows the administrative password!

If anyone manages to check out untested areas we have or haven't discussed here, please do not hesitate to post your results! It would be much appreciated to help put a little fire under these guys' butts to hurry up and get this "so silly, yet SO dangerous" vulnerability fixed up!
Received on Oct 01 2004
