velocitystorm / google-security-research

Automatically exported from code.google.com/p/google-security-research

Kaspersky Antivirus incorrect %PROGRAMDATA% ACL #535

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The ACL on %PROGRAMDATA%\Kaspersky Lab allows BUILTIN\Users to create new 
files. This can be abused to create new plugins and modules during update, and 
other filesystem races to gain elevated privileges.

C:\Users\Tavis Ormandy>icacls "%PROGRAMDATA%\Kaspersky Lab"
C:\ProgramData\Kaspersky Lab NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)
                             BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files

An example attack is to find the MD5 of an upcoming update, create a DLL at 
Cache\qscan.kdl.{md5} that does something in DllMain. The next time Kaspersky 
updates, avp.exe will load the file.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by tav...@google.com on 17 Sep 2015 at 10:35
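
A check of the kind this report calls for, added here as an example and not part of the original issue or of any Kaspersky or Google tool: it parses the icacls output quoted above (embedded as a constructed sample), decodes the inheritance flags and right abbreviations, and flags allow ACEs that give BUILTIN\Users, Everyone, Authenticated Users or INTERACTIVE any right that lets them add or replace content in the tree. The (I) flag on every ACE above shows the entries are inherited from C:\ProgramData, where the (CI)(WD,AD,WEA,WA) entry for Users is the Windows default that lets any user create files and folders; a vendor directory whose contents get loaded by a SYSTEM process has to disable that inheritance and set its own ACL. The function names, the rights table and the principal list are this example's own choices.

```python
import os
import re
import subprocess
from dataclasses import dataclass

# icacls right abbreviations that let a principal add or replace content in a
# directory tree, or rewrite its ACL (which amounts to the same thing).
WRITE_RIGHTS = {
    "F": "full control", "M": "modify", "W": "write",
    "GA": "generic all", "GW": "generic write",
    "WD": "write data / add file", "AD": "append data / add subdirectory",
    "WDAC": "write DAC", "WO": "write owner",
}
# Principals every local user can act as, by name and by well-known SID.
LOW_PRIV = {
    "builtin\\users", "s-1-5-32-545", "everyone", "s-1-1-0",
    "nt authority\\authenticated users", "s-1-5-11",
    "nt authority\\interactive", "s-1-5-4",
}
INHERITANCE = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<parts>(?:\([A-Za-z,]+\))+)$")

# Constructed sample: the icacls output quoted in the report above.
SAMPLE_PATH = r"C:\ProgramData\Kaspersky Lab"
SAMPLE_OUTPUT = r"""C:\ProgramData\Kaspersky Lab NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)
                             BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files
"""


@dataclass
class Ace:
    principal: str
    flags: frozenset   # inheritance flags: I, OI, CI, IO, NP
    rights: frozenset  # right abbreviations, e.g. {"WD", "AD", "WEA", "WA"}
    deny: bool


def parse_icacls(output, path):
    """Turn the text icacls prints for one path into Ace records."""
    # First line: the path, a space and the first ACE; later lines: indented
    # ACEs; a blank line and the summary line end the list.
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised icacls line: {raw!r}")
        tokens = re.findall(r"\(([A-Za-z,]+)\)", m.group("parts"))
        rights = set()
        for tok in tokens:
            if tok not in INHERITANCE and tok != "DENY":
                rights.update(tok.split(","))
        aces.append(Ace(m.group("who"),
                        frozenset(t for t in tokens if t in INHERITANCE),
                        frozenset(rights), "DENY" in tokens))
    return aces


def weak_aces(aces):
    """Allow ACEs that hand a write right to a principal any user can act as."""
    found = []
    for ace in aces:
        if ace.deny or ace.principal.lower() not in LOW_PRIV:
            continue
        bad = sorted(ace.rights & set(WRITE_RIGHTS))
        if bad:
            found.append((ace, bad))
    return found


def describe(ace, bad):
    # One-line finding that says where in the tree the ACE actually applies.
    scope = []
    if "IO" not in ace.flags:  # inherit-only ACEs skip the directory itself
        scope.append("this directory")
    if "CI" in ace.flags:
        scope.append("subdirectories below it")
    if "OI" in ace.flags:
        scope.append("files below it")
    names = ", ".join(f"{r} ({WRITE_RIGHTS[r]})" for r in bad)
    return f"{ace.principal} can write to {' and '.join(scope)}: {names}"


def audit(path):
    """Run icacls on a Windows host and return findings for `path`."""
    path = os.path.expandvars(path)
    out = subprocess.run(["icacls", path], capture_output=True,
                         text=True, check=True).stdout
    return [describe(a, b) for a, b in weak_aces(parse_icacls(out, path))]


if __name__ == "__main__":
    import sys
    findings = (audit(sys.argv[1]) if len(sys.argv) > 1 else
                [describe(a, b) for a, b in
                 weak_aces(parse_icacls(SAMPLE_OUTPUT, SAMPLE_PATH))])
    print("\n".join(findings) or "no weak ACEs")
```

Run it with no argument to audit the embedded sample, or with a directory path on a Windows host to run icacls for real. On the sample it reports the last ACE only: BUILTIN\Users can create files (WD) and subdirectories (AD) in the directory and, through CI, in every subdirectory, which is exactly what the plugin-drop attack in the report needs. The inherit-only handling matters in the other direction too: an (OI)(CI)(IO) entry does not apply to the directory itself but still lets users write into everything created below it. Once such an entry is found, the usual fix is `icacls <dir> /inheritance:r` followed by explicit grants for SYSTEM, Administrators and read-only Users, then a re-run of the audit.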

GoogleCodeExporter commented 8 years ago
Kaspersky reply:

Hi Tavis,

We confirm the issue with ACL on ProgramData\Kaspersky Lab directory and need 
time to prepare a fix. I’ll keep you updated on the progress of our work.

Thanks,
Igor

Original comment by tav...@google.com on 18 Sep 2015 at 5:17

GoogleCodeExporter commented 8 years ago
This issue was resolved on November 16th.

Original comment by tav...@google.com on 16 Nov 2015 at 7:23