利用KES安装包执行任意指令（以及卡巴自己的漏洞报告 2022-11-01

显示全部楼层 · 发表于 2022-11-3 10:12:52

卡巴自己的文：https://support.kaspersky.com/ge ... spx?el=12430#011122

发现者的文：https://nasbench.medium.com/lolb ... mmands-1c999f1b7fea

We can use the signed binaries extracted from “kavremover.exe” or “cleanapi.dll” to execute arbitrary commands.
ExtractedBinary.exe run run-cmd [Command]
We can execute arbitrary commands from the context of the KES installer using the registry (or any installation method described in the INI files in theory) as described above.
You can “remove”/“detect” more than “2400” security products using Kaspersky Endpoint Security “KES” installer.
We can call arbitrary DLLs using the “cleanapi.exe” binary using the following command.
cleanapi.exe -n [MaliciousDLL]

卡巴已经修复这三个漏洞，虽然好像没给未受影响版本列表。根据跳转的KES链接来看，应该是11.8以上。

显示全部楼层 · 发表于 2022-11-4 01:03:51

显示全部楼层 · 发表于 2022-11-5 12:15:41

看了一眼报告，远控狂喜

[分析报告] 利用KES安装包执行任意指令（以及卡巴自己的漏洞报告 2022-11-01