Exploiting Kaspersky Antivirus 6.0-7.0 : message board

    Library
    (by z01b (Normal user) Jul 09 2007, 08:29 (UTC+0) )

    Tell me please, what library should I use in Delphi in order to compile that?


    Lame!
    (by assarbad (Normal user) Jun 30 2007, 20:24 (UTC+0) )

    ... not by the other one who found it, but by Kaspersky.

    Let's go back some months: http://blog.assarbad.net/20070630/what-the-heck-kaspersky/

    Sad


    Not just a benign exploit
    (by c4p0ne (Normal user) Jun 13 2007, 19:21 (UTC+0) )

    This is not just another "non-threatening" exploit. This is dead serious. One could send the machine into an endless BSOD loop if invalid calls were to be sent immediately on system startup, before or during desktop loading. Kaspersky is indeed the #1 AV software, but this is just like them to ignore vulnerability reports. They ignored me for months back in v5.x with the Window caption GUI bypass exploit until v6.x was released, when they finally hooked the right stuff to prevent the vulnerability from being exploited.



    • Re: Not just a benign exploit
      (by assarbad (Normal user) Jun 30 2007, 21:25 (UTC+0) )

      Hmmm, maybe their chance to improve on it then? The vuln. published by EP_X0FF exists in all products at least since October 2005. I believe it existed earlier as well, because the system on which it was found did not have the most recent version back then, AFAIR.


    • Re: Not just a benign exploit
      (by EP_X0FF (Normal user) Jun 14 2007, 06:32 (UTC+0) )

      They promised to fix this in the next update.
      Actually, they didn't know about other vulnerabilities in their "proactive defense".


    MmIsAddressValid
    (by deroko (Normal user) Jun 11 2007, 13:25 (UTC+0) )

    MmIsAddressValid is not a good solution either; it only checks if the page is present in physical memory by examining the PDE and PTE.
    If memory is paged out then it will return false, but the fault handler will bring the page back from disk into memory when access occurs, or will throw an exception if there is no such page.


    • Re: MmIsAddressValid
      (by EP_X0FF (Normal user) Jun 12 2007, 02:44 (UTC+0) )

      Kaspersky fixed the bug and promised to release a patch; we will see what they will implement.


    NtCall Program?
    (by g4m3cub3 (Normal user) Jun 09 2007, 11:32 (UTC+0) )

    What NtCall program? All I see is code snippets.


    ZA7.0
    (by rossettoecioccolato (Normal user) Jun 06 2007, 13:21 (UTC+0) )

    I see Zone Alarm 7.0 has a klif.sys. I wonder if it is the same driver/has the same defects?


    • Re: ZA7.0
      (by EP_X0FF (Normal user) Jun 06 2007, 23:06 (UTC+0) )

      It is very easy to test. Very high probability that this is true. Use NtCall program.


    List of Kaspersky EXPLOITABLE functions
    (by EP_X0FF (Normal user) Jun 04 2007, 02:23 (UTC+0) )

    List of exploitable SSDT entries (Windows XP / KAV 7.0.0.55)

    ==================================
    | [Idx]  [function name]         |
    ==================================
    | [41 ]  NtCreateKey             |
    | [47 ]  NtCreateProcess         |
    | [48 ]  NtCreateProcessEx       |
    | [50 ]  NtCreateSection         |
    | [52 ]  NtCreateSymbolicLinkObject |
    | [53 ]  NtCreateThread          |
    | [65 ]  NtDeleteValueKey        |
    | [99 ]  NtLoadKey2              |
    | [119]  NtOpenKey               |
    | [122]  NtOpenProcess           |
    | [125]  NtOpenSection           |
    | [177]  NtQueryValueKey         |
    ==================================
    Calls to these functions with wrong parameters will lead to an immediate BSOD.

    Kind Regards,
    EP_X0FF/UG North


    • Re: List of Kaspersky EXPLOITABLE functions
      (by BlueGene (Normal user) Jun 04 2007, 10:51 (UTC+0) )

      nice find :)

      too bad you can't really exploit this exploit. *g*
      I mean, it would be unbelievable if you could actually inject code into Kernel-Mode from Ring3 with limited rights.


    • Re: List of Kaspersky EXPLOITABLE functions
      (by EP_X0FF (Normal user) Jun 04 2007, 02:25 (UTC+0) )

      Damn that forum software =)


    Nice, but not the first to discover Kaspersky's incompetence.
    (by Skywing (Untrusted stranger) Jun 03 2007, 17:51 (UTC+0) )

    Actually, I wrote up a paper about this (and many other problems with Kaspersky) over a year ago at Uninformed: http://uninformed.org/index.cgi?v=4&a=4&p=4 . The paper covers the broken NtOpenProcess hook, as well as a number of other completely broken-by-design things that KAV does.

    It is unfortunate that Kaspersky continues to put its customers at risk with completely bogus kernel mode code.

    BTW, MmIsAddressValid is *not* a viable solution, as the page could become invalidated after the test is performed, but before the access actually occurs.

    Out of curiosity, did you come to your conclusion independently or had you read the Uninformed article beforehand?
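    The validation pattern that deroko's and Skywing's objections to MmIsAddressValid point towards, as an added example that is not code from this thread: a ProbeForRead-style range check, then a guarded capture of the user argument, then use of the captured copy only. It is simulated in portable C with a constructed 32-bit user address space; USER_PROBE_ADDRESS, USER_REGION_BASE, the backing region and hook_capture_client_id are assumptions of the simulation, not KAV code.

```c
#include <stdint.h>
#include <string.h>

/* NT status values used by this simulation (real NTSTATUS constants). */
#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u
#define STATUS_INVALID_CID           0xC000000Bu

/* Constructed stand-in for a 32-bit user address space: one small region is
 * "present", everything else faults, as a paged-out or unmapped page would. */
#define USER_PROBE_ADDRESS 0x7FFF0000u   /* assumed user/kernel boundary */
#define USER_REGION_BASE   0x00400000u
static uint8_t user_region[256];

typedef struct { uint32_t unique_process; uint32_t unique_thread; } client_id_t;

/* Mirrors ProbeForRead's contract: alignment, no wrap-around, and entirely
 * below the user/kernel boundary. Nothing is dereferenced, so like
 * MmIsAddressValid this says nothing about whether the pages are present. */
static uint32_t probe_for_read(uint32_t addr, uint32_t len, uint32_t align) {
    if (len == 0) return STATUS_SUCCESS;
    if (addr % align) return STATUS_DATATYPE_MISALIGNMENT;
    if (addr + len < addr || addr + len > USER_PROBE_ADDRESS)
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Stand-in for the copy a driver performs inside __try/__except: touching an
 * absent page becomes a status code instead of a bug check. */
static uint32_t user_copy(void *dst, uint32_t addr, uint32_t len) {
    if (addr < USER_REGION_BASE || addr + len > USER_REGION_BASE + sizeof user_region)
        return STATUS_ACCESS_VIOLATION;
    memcpy(dst, user_region + (addr - USER_REGION_BASE), len);
    return STATUS_SUCCESS;
}

/* Hook-side handling of NtOpenProcess's ClientId pointer: probe, capture into
 * a kernel-side copy, then validate and use only that copy. Re-reading user
 * memory after the check would reopen the race Skywing describes. */
uint32_t hook_capture_client_id(uint32_t client_id_ptr, client_id_t *out) {
    uint32_t st = probe_for_read(client_id_ptr, sizeof *out, sizeof(uint32_t));
    if (st != STATUS_SUCCESS) return st;
    st = user_copy(out, client_id_ptr, sizeof *out);
    if (st != STATUS_SUCCESS) return st;
    return out->unique_process != 0 ? STATUS_SUCCESS : STATUS_INVALID_CID;
}
```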


    • Re: Nice, but not the first to discover Kaspersky's incompetence.
      (by EP_X0FF (Normal user) Jun 03 2007, 22:37 (UTC+0) )

      We do not read Uninformed.

      This exploit is based on the Ms-Rem NtOpenProcess exploit that was published in 2005 and applies to KAV 5.

      As for the origin of this exploit, it was first presented on the SysInternals Forums -> Malware -> Rootkits, Detectors, Bypassing / Overview thread one year ago.


      • Re: Nice, but not the first to discover Kaspersky's incompetence.
        (by bugcheck (Project Leader) Jun 04 2007, 00:58 (UTC+0) )

        If you can, please edit your post with a < cont > tag, which will allow the post to be condensed. Moderators should have picked up on that, but of course they are only human =)


        • Re: Nice, but not the first to discover Kaspersky's incompetence.
          (by EP_X0FF (Normal user) Jun 04 2007, 02:23 (UTC+0) )

          Forgive my incompetence, but how can I do that? =)


          • Re: Nice, but not the first to discover Kaspersky's incompetence.
            (by bugcheck (Project Leader) Jun 04 2007, 03:10 (UTC+0) )

            No problem if you can't edit your post. Just consider it for future posts =) Otherwise, AFAIK most HTML tags should work; < cont > however is a special one that doesn't have a < /cont > ending. This will chop off the rest of the article on the main page and insert the "click here to continue reading the article..." link.

            By the way, thanks for sharing your info, whether it was already long known before or not.


    interesting
    (by mxatone (Normal user) Jun 03 2007, 15:01 (UTC+0) )

    Hi,

    I'm okay with the fact that an antivirus should check arguments like the Windows kernel does. It can lead to unknown behavior and, worse, local privilege escalation, kernel shellcode, etc ...

    I hope your post will make things move.

    But ... I think the title is wrong; "Exploiting" should not be used for a crash. It's my point of view.

    mx-


    • Re: interesting
      (by EP_X0FF (Normal user) Jun 03 2007, 23:49 (UTC+0) )

      >> but ... I think the title is wrong "Exploiting" should not be used for a crash.

      You think wrong.

      Terminology of this word:

      In computer security, an exploit is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial of service attack.

      In this case it's a Denial of Service type exploit.


      • Re: interesting
        (by mxatone (Normal user) Jun 04 2007, 05:06 (UTC+0) )

        It is not only about exact terminology. It is a question of logic. There's no gain, no interest in crashing a local machine; you will not get more privileges, etc ...

        I'm okay that you found the right title; it catches everyone's attention ...


        • Re: interesting
          (by alex2308 (Normal user) Jun 05 2007, 06:08 (UTC+0) )

          EP_X0FF is absolutely right. A DoS attack is a threat to availability, which is a major problem. Imagine someone crashing amazon/ebay/wallstreet servers...


          • Re: interesting
            (by mxatone (Normal user) Jun 08 2007, 06:23 (UTC+0) )

            It's a local DoS, which means you need an account directly on the machine and the ability to launch a program. And you don't need wrong argument parsing in KAV to crash Windows from a local account.


          • Re: interesting
            (by flower_life (Normal user) Jun 05 2007, 17:53 (UTC+0) )

            By the way, thanks for sharing your info, whether it was already long known before or not.

            And a DoS attack?

            Can you tell us how?

            kik, sonia


            • Re: interesting
              (by EP_X0FF (Normal user) Jun 10 2007, 23:33 (UTC+0) )

              To you flower_life I will not say anything else except the listed by you words =) Bye, and welcome to blacklist my dear unsexy baby.


        • Re: interesting
          (by EP_X0FF (Normal user) Jun 04 2007, 06:31 (UTC+0) )

          I must disappoint you.
          >> There's no gain, no interest in crashing a local machine, you will not get more privileges etc ...

          There will be, there will be, and there are many who will use it. I do not want or ask for any kind of attention.


