Hi,

Kaspersky products are prone to a local privilege escalation. Unprivileged users can exploit this flaw in order to execute arbitrary code with kernel privileges.

Kaspersky implements its NDIS-TDI Hooking Engine using two drivers, which rely on an internal system of plugins. Plugin registering is performed using a privileged IOCTL. The security descriptor for both devices is insecure, so any user can take advantage of this "hidden" feature.

-------------------------------------------
.text:0001175F cmp eax, 80052110h ; IOCTL
.text:00011764 jz loc_117F8
.text:000117F8 mov esi, [ebp+arg_4]
.text:000117FB cmp esi, ebx
.text:000117FD jz loc_119B0
.text:00011803 cmp [ebp+arg_8], 8 ; InputBufferSize >= 8?
.text:00011807 jb loc_119B0
.text:00015331 mov eax, [ebp+arg_0] ; eax == InputBuffer[0] == User controlled Address
.text:00015334 push ecx
.text:00015335 push edi
.text:00015336 mov [esi+1ACh], eax
.text:0001533C call eax ; Ring0ShellCode()
-------------------------------------------

Advisory and two exploits are available at www.reversemode.com

Regards,
Rubén Santamarta
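The handler in the listing above, modelled in user-mode C as an added illustration (not code from the advisory or from Kaspersky): the vulnerable dispatch keeps only the InputBufferSize >= 8 check and calls whatever address the caller places in InputBuffer[0], while a hypothetical hardened version requires a privileged caller and treats the input as an index into a table of kernel-resident plugins. The IOCTL value comes from the listing; the function names, the plugin table and the caller_is_admin flag are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define IOCTL_REGISTER_PLUGIN 0x80052110u        /* IOCTL code from the advisory's listing */
#define MAX_PLUGINS 4
typedef void (*plugin_fn)(void);
typedef struct { plugin_fn registered; } driver_ctx;   /* stands in for the slot at [esi+1ACh] */
static plugin_fn plugin_table[MAX_PLUGINS];            /* filled by trusted kernel code only */
static int marker_hits;
static void marker(void) { marker_hits++; }            /* stands in for caller-chosen code */

/* Vulnerable dispatch as reconstructed from the disassembly: the only check is
 * InputBufferSize >= 8; InputBuffer[0] is stored and then called as a function pointer. */
int vulnerable_dispatch(driver_ctx *ctx, uint32_t ioctl, const void *in, size_t in_len) {
    plugin_fn fn;
    if (ioctl != IOCTL_REGISTER_PLUGIN || in == NULL || in_len < 8) return -1;
    memcpy(&fn, in, sizeof fn);                        /* user-controlled address, unvalidated */
    ctx->registered = fn;
    fn();                                              /* ring-0 call of a caller-chosen address */
    return 0;
}
/* Hardened dispatch (hypothetical): the caller must be privileged (in a real driver that is the
 * device's security descriptor; caller_is_admin simulates it) and the input is a plugin index, not a pointer. */
int hardened_dispatch(driver_ctx *ctx, uint32_t ioctl, const void *in, size_t in_len,
                      int caller_is_admin) {
    uint32_t id;
    if (ioctl != IOCTL_REGISTER_PLUGIN) return -1;
    if (!caller_is_admin) return -2;                   /* access denied */
    if (in == NULL || in_len < sizeof id) return -3;   /* malformed request */
    memcpy(&id, in, sizeof id);
    if (id >= MAX_PLUGINS || plugin_table[id] == NULL) return -4;   /* unknown plugin */
    ctx->registered = plugin_table[id];
    return 0;
}
/* Demonstration drivers: build the request as a user-mode caller would, return the outcome. */
int demo_vulnerable(void) {                            /* returns how often our routine ran */
    driver_ctx ctx = {0}; unsigned char req[8] = {0}; plugin_fn f = marker;
    memcpy(req, &f, sizeof f);                         /* InputBuffer[0] = our address */
    marker_hits = 0;
    vulnerable_dispatch(&ctx, IOCTL_REGISTER_PLUGIN, req, sizeof req);
    return marker_hits;                                /* 1: the handler jumped to it */
}
int demo_hardened(int caller_is_admin, uint32_t id) { /* returns the dispatch result code */
    driver_ctx ctx = {0};
    plugin_table[0] = marker;                          /* trusted code installs plugin 0 */
    marker_hits = 0;
    int rc = hardened_dispatch(&ctx, IOCTL_REGISTER_PLUGIN, &id, sizeof id, caller_is_admin);
    if (rc == 0 && (ctx.registered != marker || marker_hits != 0)) return -99;
    return rc;
}
```

The two fixes are independent: even with a correct device DACL, a handler that dereferences a caller-supplied code pointer remains a single missing check away from ring-0 code execution.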