View Full Version : KAV vulnerability (Win2k only)


Notok
June 12th, 2005, 04:50 AM
Posted on BugTraq June 7th 2005:

-{ Quote: "Security advisory.

Kaspersky Antivirus v. 5.0.227, 5.0.228, 5.0.335 under Windows 2000. Nothing was found under Windows XP.

There is a Windows 2000 security subsystem breakout found inside Kaspersky Antivirus v. 5.0.227, 5.0.228, 5.0.335. It is possible to exploit it for local privilege escalation. KAV's resident defence subsystem directly calls functions inside the klif.sys driver from the user level. A page access violation is avoided by clearing the Supervisor bit of the driver's pages. This makes it possible to execute code from the user level inside the driver. The function's entry point is called when DLLs load inside a newly created process or inside an existing one.

<snip>

Test exploit is available here: http://www.softsphere.com/security/KAV_exploit.zip" }-

Full advisory here: http://www.softsphere.com/security/

Their software looks interesting, too :)