SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Security)  >   Kaspersky Anti-Virus Vendors:   Kaspersky Lab
Kaspersky Anti-Virus Buffer Overflow in 'Klim5.sys' Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1021661
SecurityTracker URL:  http://securitytracker.com/id/1021661
CVE Reference:   CVE-2009-0449   (Links to External Site)
Updated:  Feb 11 2009
Original Entry Date:  Feb 3 2009
Impact:   Root access via local system
Exploit Included:  Yes  
Version(s): 2008
Description:   A vulnerability was reported in Kaspersky Anti-Virus. A local user can obtain elevated privileges on the target system.

A local user can trigger a buffer overflow in 'Klim5.sys' to execute arbitrary code on the target system with System privileges.

Kaspersky Anti-Virus for Windows Workstations version 6.0 is also affected.

Some demonstration exploit code is available at:

http://kartoffel.reversemode.com/downloads.php

The original advisory is available at:

http://www.wintercore.com/advisories/advisory_W020209.html

Ruben Santamarta of Wintercore reported this vulnerability.

Impact:   A local user can obtain System privileges on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.kaspersky.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Mon, 02 Feb 2009 17:47:20 +0100
Subject:  [Wintercore Research WS02-0209] Kaspersky Products Klim5.sys local

[ HTML VERSION ] http://www.wintercore.com/advisories/advisory_W020209.html

[ exploit code ]
http://kartoffel.reversemode.com/downloads.php



Background

Non-technical description

Technical Description

Exploiting it

References

Products Affected

Credits

Disclosure Timeline

Contact





1. Background

Founded in 1997, Kaspersky Lab is an international information security
software vendor. Kaspersky Lab is headquartered in Moscow, Russia and
has regional offices in the UK, France, Germany, the Netherlands,
Poland, Japan, China, Korea, Romania and the United States. Further
expanding the company's reach is its large partner network comprising
over 500 companies globally.

2. Non-technical description

Klim5.sys is prone to a local privilege escalation due to invalid
user-supplied buffer checking.

A local attacker can take advantage of this vulnerability to elevate
privileges from Guest account to SYSTEM.

3.  Technical Description.

This driver is in charge of intercepting when a packet arrives or is
sent. (Un)fortunately a simple user-mode program can modify some
callbacks in klim5.sys to point to a user-mode controlled address, just
by sending a specially crafted IOCTL request.So... we face a local
privilege escalation.Again.

.text:00011774 cmp ecx, 80052110h ; IOCTL
.text:0001177A jnz short loc_117E9
.text:0001177C cmp ebp, 10h
.text:0001177F jnb short loc_1178E ; FLAW
.text:00011781 push 10h
.text:00011783 mov [esp+14h+Irp], 0C0000023h
.text:0001178B pop ebx
.text:0001178C jmp short loc_117E9
.text:0001178E ;
---------------------------------------------------------------------------
.text:0001178E
.text:0001178E loc_1178E: ; CODE XREF: sub_11730+4Fj
.text:0001178E push offset SpinLock ; SpinLock
.text:00011793 push offset dword_140A8 ; int
.text:00011798 push edi ; int
.text:00011799 call sub_11604 ; Flaw
.text:0001179E add edi, 8
.text:000117A1 push offset dword_140B8 ; SpinLock
.text:000117A6 or eax, 0FFFFFFFFh
.text:000117A9 sub eax, [edi]
.text:000117AB push offset dword_140B0 ; int
.text:000117B0 push edi ; int
.text:000117B1 mov [edi], eax
.text:000117B3 call sub_11604

and finally

.text:000115CB push [ebp+arg_0]
.text:000115CE call dword ptr [edi+8] ; Controlled

4. Exploiting it.

What it is interesting in this flaw is the way of exploiting it. NDIS
calls are "context-free" by definition, so when a packet arrives or is
sent, the NDIS call can be invoked in an arbitrary thread context.
Therefore, the callback we are modifying could be invoked in any other
thread than ours. There is an intrinsic race condition in the exploit.

Let's imagine a scenario where the exploit modifies the callback to
point to the address of its shellcode at 0x401000. However,before the
callback reachs our code in the exploit's context, another thread
triggers the callback and therefore, that address can contain anything,
note that also the memory referenced must be paged in since the callback
is dispatched at DISPATCH_LEVEL. To solve this scenario we must follow
the steps below:

+ Boost the priority of our exploit process/thread

+ Search common bytes in ring3 which are being shared by all the
processes,the modify them(in the exploit's context) to point to our
shellcode whilst in other processes that same address should point to a
"ret 4" instruction. (NtDeleteKey+n).

+ The shellcode must modify the callbacks to point to a "ret 4" address
that can be accessed in Ring0(ExGetSharedWaitersCount+n). While running
the exploit


[IMAGES]



5.  References

http://www.reversemode.com/index.php?option=com_content&task=view&id=60&Itemid=1

 6.  Products Affected

Kaspersky AV 2008

Kaspersky AV for WorkStations 6.0

7.  Credits

Vulnerability discovered and researched by Ruben Santamarta, Wintercore.




-- 

Wintercore
C/ Isla de Salvora, 180.
28400 Collado Villalba.
Spain
Phone: +(34) 91 849 98 89
www.wintercore.com

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC