Kaspersky Anti-Virus Unsafe Access Control Configuration for BASES Folder Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1023366
SecurityTracker URL: http://securitytracker.com/id/1023366
Updated: Dec 29 2009
Original Entry Date: Dec 17 2009
Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 5.0.712 and 22.214.171.1247 for Windows Workstations, Personal 5.0.x, 126.96.36.1997 for Windows File Servers, 188.8.131.525, 2009 (8.0.0.x), 2010 (184.108.40.2063); and prior versions
A vulnerability was reported in Kaspersky Anti-Virus. A local user can obtain elevated privileges on the target system.
The BASES folder is configured to allow 'Full Control' privileges to the 'Everyone' group. A local user can modify some files in that directory to execute arbitrary commands on the target system with System privileges.
The vendor was notified on July 16, 2009.
Maxim A. Kulakov (ShineShadow) reported this vulnerability.
A local user can obtain System privileges on the target system.
The vendor has issued a fix (2010 (220.127.116.116), 6.0 for Windows Workstations (18.104.22.1682), 6.0 for Windows File Servers (22.214.171.1242), 2010 Critical Fix 2).
Vendor URL: www.kaspersky.com/
Access control error, Configuration error
Underlying OS: Windows (Any)
Source Message Contents
Subject: Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability
ShineShadow Security Report 16122009-15
Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability
Kaspersky Anti-Virus 5.0 for Windows Workstations (5.0.712)
Kaspersky Antivirus Personal 5.0.x
Kaspersky Anti-Virus 6.0 for Windows Workstations (126.96.36.1997)
Kaspersky Anti-Virus 6.0 for Windows File Servers (188.8.131.527)
Kaspersky Anti-Virus 7 (184.108.40.2065)
Kaspersky Anti-Virus 2009 (8.0.0.x)
Kaspersky Anti-Virus 2010 (220.127.116.113)
Kaspersky Internet Security 7 (18.104.22.1685)
Kaspersky Internet Security 2009 (8.0.0.x)
Kaspersky Internet Security 2010 (22.214.171.1243)
Prior versions may also be affected.
For example, in Kaspersky Anti-Virus 2010 (126.96.36.1993) the following attack scenario could be used:
1. An attacker (unprivileged user) replaces one of the *.kdl files with a malicious dynamic link library (DLL). The replaced file could be %ALLUSERSPROFILE%\Application Data\Kaspersky Lab\AVP9\Bases\vulns.kdl.
2. Restart the system.
After the restart, the attacker's malicious DLL will be loaded with SYSTEM privileges.
For other vulnerable Kaspersky Lab products, a similar attack scenario could be used.
An attacker must have valid logon credentials to a system where vulnerable software is installed.
Kaspersky Lab has addressed this vulnerability by releasing fixed versions of the vulnerable products:
Kaspersky Anti-Virus 2010 (188.8.131.526)
Kaspersky Internet Security 2010 (184.108.40.2066)
Kaspersky Anti-Virus 6.0 for Windows Workstations (220.127.116.112)
Kaspersky Anti-Virus 6.0 for Windows File Servers (18.104.22.1682)
16/07/2009 Initial vendor notification. Secure contacts requested.
16/07/2009 Vendor response
16/07/2009 Vulnerability details sent
21/07/2009 Vendor accepted vulnerability for analysis
07/08/2009 Vendor confirmed vulnerability in personal and corporate product lines and notified that the vulnerability will be fixed in new versions of vulnerable products
23/09/2009 Update status query sent
17/09/2009 Vendor response that the vulnerability will be fixed in October but in the last product lines only (personal 2010 CF2 and corporate MP4). Fixing the vulnerability in prior product lines is not planned.
01/10/2009 Corporate product line has been updated (Kaspersky Anti-Virus for Windows Workstations 22.214.171.1242 released)
22/10/2009 Kaspersky Anti-Virus 2010 and Kaspersky Internet Security 2010 Critical Fix 2 released
16/12/2009 Advisory released
Maxim A. Kulakov (ShineShadow)