ITh4cker / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Kaspersky Antivirus incorrect %PROGRAMDATA% ACL #535

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The ACL on %PROGRAMDATA%\Kaspersky Lab allows BUILTIN\Users to create new 
files. This can be abused to create new plugins and modules during update, and 
other filesystem races to gain elevated privileges.

C:\Users\Tavis Ormandy>icacls "%PROGRAMDATA%\Kaspersky Lab"
C:\ProgramData\Kaspersky Lab NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)
                             BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files

An example attack is to find the MD5 of an upcoming update, create a DLL at 
Cache\qscan.kdl.{md5} that does something in DllMain. The next time Kaspersky 
updates, avp.exe will spawn load the file.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by tav...@google.com on 17 Sep 2015 at 10:35

GoogleCodeExporter commented 8 years ago
Kaspersky reply:

Hi Tavis,

We confirm the issue with ACL on ProgramData\Kaspersky Lab directory and need 
time to prepare a fix. I’ll keep you updated on progress of our work

Thanks,
Igor

Original comment by tav...@google.com on 18 Sep 2015 at 5:17

GoogleCodeExporter commented 8 years ago
This issue was resolved on November 16th.

Original comment by tav...@google.com on 16 Nov 2015 at 7:23