Topic: Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability

SecurityAlert: 6891
CVE: CVE-2009-4452
CWE: CWE-264
SecurityRisk: Medium
Remote Exploit: No
Local Exploit: Yes
Victim interaction required: No
Exploit Available: No
Credit: Maxim A. Kulakov (ShineShadow)
Published: 30.12.2009

Affected Software:
kaspersky_lab:kaspersky_anti-virus_personal:5.0
kaspersky_lab:kaspersky_anti-virus_personal:5.0.227
kaspersky_lab:kaspersky_anti-virus_personal:5.0.228
kaspersky_lab:kaspersky_anti-virus_personal:5.0.325
kaspersky_lab:kaspersky_anti-virus_2010:9.0.0.463
kaspersky_lab:kaspersky_anti-virus:5.0.712::windows_workstations
kaspersky_lab:kaspersky_anti-virus:6.0.3.837::windows_workstation
kaspersky_lab:kaspersky_anti-virus:6.0.3.837::windows_file_servers
kaspersky_lab:kaspersky_anti-virus:7.0.1.325
kaspersky_lab:kaspersky_anti-virus_2009:8.0.0.454
kaspersky_lab:kaspersky_internet_security:7.0.1.325
kaspersky_lab:kaspersky_internet_security_2009:8.0.0.506
kaspersky_lab:kaspersky_internet_security_2010:9.0.0.463



Advisory Content:

ShineShadow Security Report 16122009-15

TITLE

Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability

BACKGROUND

Due to its high level of professionalism and dedication, Kaspersky Lab has
become a market leader in the development of antivirus protection. The
company's main product, Kaspersky Anti-Virus, regularly receives top awards
in tests conducted by respected international research centers and IT
publications. Kaspersky Lab was the first to develop many technological
standards in the antivirus industry, including full-scale solutions for
Linux, Unix and NetWare, a new-generation heuristic analyzer designed to
detect newly emerging viruses, effective protection against polymorphic and
macro viruses, continuously updated antivirus databases and a technique for
detecting viruses in archived files.

Source: http://www.kaspersky.com

VULNERABLE PRODUCTS

Kaspersky Anti-Virus 5.0 for Windows Workstations (5.0.712)

Kaspersky Antivirus Personal 5.0.x

Kaspersky Anti-Virus 6.0 for Windows Workstations (6.0.3.837)

Kaspersky Anti-Virus 6.0 for Windows File Servers (6.0.3.837)

Kaspersky Anti-Virus 7 (7.0.1.325)

Kaspersky Anti-Virus 2009 (8.0.0.x)

Kaspersky Anti-Virus 2010 (9.0.0.463)

Kaspersky Internet Security 7 (7.0.1.325)

Kaspersky Internet Security 2009 (8.0.0.x)

Kaspersky Internet Security 2010 (9.0.0.463)

Prior versions may also be affected.

DETAILS

Insecure permissions have been detected in multiple Kaspersky Lab
antivirus products. The "Everyone" group has "Full Control" rights to the
BASES folder. The folder contains antivirus bases, configuration files and
executable modules. A local attacker (unprivileged user) can replace some
files (for example, executable modules) with a malicious file and execute
arbitrary code with SYSTEM privileges. This is a local privilege escalation
vulnerability.

For example, in Kaspersky Anti-Virus 2010 (9.0.0.463) the following attack
scenario could be used:

1. An attacker (unprivileged user) replaces one of the *.kdl files with a
malicious dynamic link library (DLL). The replaced file could be
%ALLUSERSPROFILE%\Application Data\Kaspersky Lab\AVP9\Bases\vulns.kdl.

2. Restart the system.

After the restart, the attacker's malicious DLL will be loaded with SYSTEM
privileges.

The self-defense feature of Kaspersky Anti-Virus prevents all operations on
its own files. It can be bypassed using internal shell dialogs in Kaspersky
Anti-Virus (for example, the "Open" dialog in Quarantine).

For other vulnerable Kaspersky Lab products a similar attack scenario could
be used.
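
To check whether a host carries the permissive ACL described above, the following PowerShell script (an added example, not part of the ShineShadow advisory or of any Kaspersky tooling) lists allow ACEs that give broad groups write, delete or permission-change rights on the Bases folder and its contents. The default path is the AVP9 location from the advisory; the function name Get-BroadWriteAce and the inclusion of Authenticated Users and BUILTIN\Users alongside Everyone are assumptions of this example.

```powershell
# Added example (not from the advisory): list ACEs that let broad groups
# modify the Bases folder or anything beneath it. Requires PowerShell 3+.
param(
    # Default is the folder that holds vulns.kdl in the advisory's example.
    [string]$Path = (Join-Path $env:ALLUSERSPROFILE 'Application Data\Kaspersky Lab\AVP9\Bases')
)

# Well-known SIDs, so the check also works on localized Windows installs.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow replacing a file or rewriting its ACL.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry raw generic bits: GENERIC_ALL, GENERIC_WRITE.
$GenericMask = 0x10000000 -bor 0x40000000

function Get-BroadWriteAce {
    param([string]$Target)
    foreach ($ace in (Get-Acl -LiteralPath $Target).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable account: not one of the broad groups
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $WriteMask) -or ($rights -band $GenericMask)) {
            [pscustomobject]@{
                Path      = $Target
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "Not found: $Path"
    return
}
# Audit the folder itself and every file or subfolder under it.
$targets = @($Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object { $_.FullName })
$findings = foreach ($t in $targets) { Get-BroadWriteAce -Target $t }
$findings | Format-Table -AutoSize
if ($findings) { exit 1 }   # non-zero exit lets a compliance job flag the host
```

Any row returned means an unprivileged account can still alter files that a SYSTEM process loads; pass -Path to audit the equivalent folder of another product line.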

EXPLOITATION

An attacker must have valid logon credentials to a system where the
vulnerable software is installed.

WORKAROUND

Kaspersky Lab has addressed this vulnerability by releasing fixed versions
of the vulnerable products:

Kaspersky Anti-Virus 2010 (9.0.0.736)

Kaspersky Internet Security 2010 (9.0.0.736)

Kaspersky Anti-Virus 6.0 for Windows Workstations (6.0.4.1212)

Kaspersky Anti-Virus 6.0 for Windows File Servers (6.0.4.1212)

DISCLOSURE TIMELINE

16/07/2009 Initial vendor notification. Secure contacts requested.

16/07/2009 Vendor response

16/07/2009 Vulnerability details sent

21/07/2009 Vendor accepted vulnerability for analysis

07/08/2009 Vendor confirmed vulnerability in personal and corporate product
lines and notified that the vulnerability will be fixed in new versions of
vulnerable products

23/09/2009 Update status query sent

17/09/2009 Vendor response that the vulnerability will be fixed in October
but in the last product lines only (personal 2010 CF2 and corporate MP4).
Fixing the vulnerability in prior product lines is not planned.

01/10/2009 Corporate product line has been updated (Kaspersky Anti-Virus
for Windows Workstations 6.0.4.1212 released)

22/10/2009 Kaspersky Anti-Virus 2010 and Kaspersky Internet Security 2010
Critical Fix 2 released

16/12/2009 Advisory released

CREDITS

Maxim A. Kulakov (ShineShadow)

ss_contacts[at]hotmail.com



References:

http://www.vupen.com/english/advisories/2009/3573
http://www.securitytracker.com/id?1023367
http://www.securitytracker.com/id?1023366
http://www.securityfocus.com/archive/1/archive/1/508508/100/0/threaded
http://www.exploit-db.com/exploits/10484
http://secunia.com/advisories/37730
http://secunia.com/advisories/37398



