
Kaspersky Klim5.sys Advisory

Posted Feb 2, 2009
Authored by Ruben Santamarta | Site wintercore.com

KIS 2008 and Kaspersky AntiVirus for Workstations suffer from a local privilege escalation vulnerability in Klim5.sys.

tags | advisory, local
SHA-256 | 986d0ad816e789cda1a3b6e60acf76a92dd2c3e35c8b13cf6af11184f8f77d00

[ HTML VERSION ] http://www.wintercore.com/advisories/advisory_W020209.html


1. Background

Founded in 1997, Kaspersky Lab is an international information security
software vendor. Kaspersky Lab is headquartered in Moscow, Russia and
has regional offices in the UK, France, Germany, the Netherlands,
Poland, Japan, China, Korea, Romania and the United States. Further
expanding the company's reach is its large partner network comprising
over 500 companies globally.

2. Non-technical description

Klim5.sys is prone to a local privilege escalation because it does not
properly validate the contents of a user-supplied IOCTL input buffer.

A local attacker can take advantage of this vulnerability to elevate
privileges from Guest account to SYSTEM.

3. Technical Description

This driver is in charge of intercepting packets as they arrive or are
sent. (Un)fortunately, a simple user-mode program can redirect some of
the callbacks klim5.sys keeps for that purpose to a user-mode controlled
address, just by sending a specially crafted IOCTL request (0x80052110).
As the listing below shows, the handler's only validation is that the
input buffer is at least 0x10 bytes long (otherwise it fails with
0xC0000023, STATUS_BUFFER_TOO_SMALL); the values in that buffer are then
stored without any check that they point into kernel memory, and one of
them is later used as an indirect call target. So... we face a local
privilege escalation. Again.

.text:00011774 cmp ecx, 80052110h ; IOCTL
.text:0001177A jnz short loc_117E9
.text:0001177C cmp ebp, 10h
.text:0001177F jnb short loc_1178E ; FLAW
.text:00011781 push 10h
.text:00011783 mov [esp+14h+Irp], 0C0000023h
.text:0001178B pop ebx
.text:0001178C jmp short loc_117E9
.text:0001178E ;
.text:0001178E loc_1178E: ; CODE XREF: sub_11730+4Fj
.text:0001178E push offset SpinLock ; SpinLock
.text:00011793 push offset dword_140A8 ; int
.text:00011798 push edi ; int
.text:00011799 call sub_11604 ; Flaw
.text:0001179E add edi, 8
.text:000117A1 push offset dword_140B8 ; SpinLock
.text:000117A6 or eax, 0FFFFFFFFh
.text:000117A9 sub eax, [edi]
.text:000117AB push offset dword_140B0 ; int
.text:000117B0 push edi ; int
.text:000117B1 mov [edi], eax
.text:000117B3 call sub_11604

and finally

.text:000115CB push [ebp+arg_0]
.text:000115CE call dword ptr [edi+8] ; Controlled

4. Exploiting it

What is interesting about this flaw is the way it has to be exploited.
NDIS calls are "context-free" by definition: when a packet arrives or is
sent, the NDIS call can be invoked in an arbitrary thread context.
Therefore, the callback we are modifying may be invoked from any thread
other than ours. There is an intrinsic race condition in the exploit.

Imagine a scenario where the exploit modifies the callback to point to
the address of its shellcode at 0x401000. Before the callback is reached
in the exploit's own context, another thread triggers it, and in that
process the same address can contain anything. Note also that the memory
referenced must be paged in, since the callback is dispatched at
DISPATCH_LEVEL, where a page fault is fatal. To deal with this scenario
we must follow the steps below:

+ Boost the priority of our exploit process/thread.

+ Search for bytes in ring 3 that are shared by all processes, then
modify them (in the exploit's context) to point to our shellcode, whilst
in every other process that same address must point to a "ret 4"
instruction (NtDeleteKey+n).

+ The shellcode must modify the callbacks to point to a "ret 4" address
that can be accessed in ring 0 (ExGetSharedWaitersCount+n). While running
the exploit
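
Below, as an added example written for this page (not code from the
Wintercore advisory or from Kaspersky's driver), is a user-mode C model
of the klim5.sys behaviour described in sections 3 and 4. It takes from
the listing only what the disassembly fixes: the IOCTL code 0x80052110,
the single length check (input shorter than 0x10 bytes fails with
0xC0000023) and the later indirect call through a value that came from
the user buffer. The struct layouts, the names klim_ioctl_vulnerable,
klim_ioctl_hardened and klim_on_receive, the simulated address space
with per-process "pages", the EXPLOIT_PID value and the concrete
addresses in it are assumptions made for illustration. The hardened
handler shows the two checks such a driver would need (refuse the
request when it comes from user mode, which a real driver reads from
Irp->RequestorMode, and reject pointers below the kernel boundary), and
decode_ioctl shows that the code is METHOD_BUFFERED with FILE_ANY_ACCESS,
consistent with the STATUS_BUFFER_TOO_SMALL check on the input length.

```c
/* Added example: user-mode C model of the klim5.sys IOCTL path (this page's editor,
 * not the advisory's or the vendor's code). Only the IOCTL code, the 0x10 length
 * check and the indirect call through a user-supplied dword come from the listing;
 * all names, layouts and addresses below are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t NTSTATUS;
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_INVALID_PARAMETER      0xC000000Du
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u   /* constant stored at 00011783 */

#define IOCTL_KLIM_SET_CALLBACKS 0x80052110u         /* compared at 00011774 */
#define KERNEL_BASE              0x80000000u         /* x86 2GB/2GB split (assumption) */
#define KERNEL_CTX               0u                  /* owner id for kernel pages */
#define BUGCHECK                 0xDEADu             /* page fault at DISPATCH_LEVEL */
#define EXPLOIT_PID              1234u               /* the exploit's process (assumed) */

/* CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method */
struct ioctl_fields { unsigned type, access, function, method; };
struct ioctl_fields decode_ioctl(uint32_t code) {
    struct ioctl_fields f = { code >> 16, (code >> 14) & 3u, (code >> 2) & 0xFFFu, code & 3u };
    return f;
}

/* Input buffer (0x10 bytes minimum). Which dwords are code pointers is assumed. */
struct klim_cb_request { uint32_t on_receive, recv_arg, on_send, send_arg; };
/* Driver-global callback slots, standing in for dword_140A8/dword_140B0 (assumed). */
struct klim_callbacks { uint32_t on_receive, on_send; };

/* Simulated address space: a page owned by KERNEL_CTX is mapped in every context;
 * a page owned by a PID is mapped only while that process is current. */
struct page { uint32_t addr; uint32_t owner; uint32_t (*code)(uint32_t); };
static uint32_t ret4_stub(uint32_t arg) { (void)arg; return 0; }       /* a "ret 4" */
static uint32_t shellcode(uint32_t arg) { (void)arg; return 0x5157; }  /* marker value */
static const struct page pages[] = {
    { 0x804E1000u, KERNEL_CTX,  ret4_stub },  /* some ret-4 in ntoskrnl (assumed address) */
    { 0x00401000u, EXPLOIT_PID, shellcode },  /* shellcode, mapped only in the exploit process */
};

/* Vulnerable handler: the only check is the length test at 0001177C/0001177F. */
NTSTATUS klim_ioctl_vulnerable(uint32_t code, const struct klim_cb_request *r, size_t in_len,
                               struct klim_callbacks *t) {
    if (code != IOCTL_KLIM_SET_CALLBACKS) return STATUS_INVALID_DEVICE_REQUEST;
    if (in_len < 0x10) return STATUS_BUFFER_TOO_SMALL;   /* jnb loc_1178E not taken */
    t->on_receive = r->on_receive;                        /* stored without validation */
    t->on_send    = r->on_send;
    return STATUS_SUCCESS;
}

/* Hardened handler (assumption): kernel-mode callers only, and even then every pointer
 * must lie in the kernel half. from_user models Irp->RequestorMode == UserMode. */
NTSTATUS klim_ioctl_hardened(uint32_t code, const struct klim_cb_request *r, size_t in_len,
                             int from_user, struct klim_callbacks *t) {
    if (code != IOCTL_KLIM_SET_CALLBACKS) return STATUS_INVALID_DEVICE_REQUEST;
    if (from_user) return STATUS_INVALID_DEVICE_REQUEST;
    if (in_len < 0x10) return STATUS_BUFFER_TOO_SMALL;
    if (r->on_receive < KERNEL_BASE || r->on_send < KERNEL_BASE) return STATUS_INVALID_PARAMETER;
    t->on_receive = r->on_receive;
    t->on_send    = r->on_send;
    return STATUS_SUCCESS;
}

/* The NDIS receive path: `call dword ptr [edi+8]` in whatever context is current.
 * A target not mapped in that context faults at DISPATCH_LEVEL, i.e. bugchecks. */
uint32_t klim_on_receive(const struct klim_callbacks *t, uint32_t current_pid, uint32_t packet) {
    for (size_t i = 0; i < sizeof pages / sizeof pages[0]; i++)
        if (pages[i].addr == t->on_receive &&
            (pages[i].owner == KERNEL_CTX || pages[i].owner == current_pid))
            return pages[i].code(packet);
    return BUGCHECK;
}

int main(void) {
    struct ioctl_fields f = decode_ioctl(IOCTL_KLIM_SET_CALLBACKS);
    printf("type=%#x access=%u function=%#x method=%u\n", f.type, f.access, f.function, f.method);
    struct klim_cb_request req = { 0x00401000u, 0, 0x00401000u, 0 };
    struct klim_callbacks cb = { 0, 0 };
    printf("vulnerable: %#x\n", klim_ioctl_vulnerable(IOCTL_KLIM_SET_CALLBACKS, &req, sizeof req, &cb));
    printf("fires in exploit ctx: %#x, in another ctx: %#x\n",
           klim_on_receive(&cb, EXPLOIT_PID, 0), klim_on_receive(&cb, 4, 0));
    printf("hardened from user: %#x\n",
           klim_ioctl_hardened(IOCTL_KLIM_SET_CALLBACKS, &req, sizeof req, 1, &cb));
    return 0;
}
```

The klim_on_receive call with a PID other than EXPLOIT_PID returning
BUGCHECK is the race from section 4 in miniature: the same callback slot,
fired while another process is current, no longer finds the shellcode at
0x401000, and at DISPATCH_LEVEL that is a crash rather than a SYSTEM
shell. The priority boost and the shared "ret 4" bytes in the steps above
exist to close that window.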


5. References


6. Products Affected

Kaspersky AV 2008

Kaspersky AV for WorkStations 6.0

7. Credits

Vulnerability discovered and researched by Ruben Santamarta, Wintercore.


C/ Isla de Salvora, 180.
28400 Collado Villalba.
Phone: +(34) 91 849 98 89