Vigil@nce: Kaspersky AV, privilege elevation
December 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can replace files belonging to Kaspersky products, in
order to execute code with SYSTEM privileges.
Severity: 2/4
Consequences: administrator access/rights
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the vendor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 17/12/2009
IMPACTED PRODUCTS
– Kaspersky Anti-Virus
DESCRIPTION OF THE VULNERABILITY
Kaspersky products install their modules under the directory
%ALLUSERSPROFILE%\Application Data\Kaspersky Lab\AVP9\Bases.
The "Bases" directory is configured with "Full Control" for
"Everyone", so any local user can attempt to alter one of its files.
The antivirus detects such a direct modification and blocks it.
However, file operations performed through the Open dialog of the
Quarantine interface are not blocked, so an attacker who uses that
dialog can alter or replace files located under Bases.
A local attacker can for example replace the Bases\vulns.kdl module
with a malicious DLL. When the antivirus loads this module, the
attacker's code runs with SYSTEM privileges.
CHARACTERISTICS
Identifiers: BID-37354, VIGILANCE-VUL-9299
http://vigilance.fr/vulnerability/Kaspersky-AV-privilege-elevation-9299