
[FD] arbitrary file capture in Kaspersky Total Security 2019

+++++++++++++[ Author ]++++++++++++++++++++++++++++++++++++++++++

* /b4s - but this is not important; I am only a single newbie
trying to seek after knowledge[1], trying to view the AV on a
deeper level[2], trying harder.

+++++++++++++[ Overview ]++++++++++++++++++++++++++++++++++++++++

A bug in Kaspersky Total Security 2019 ( that allows
copying the SAM and SYSTEM files on Windows (and files that belong
to other users), making it possible to recover all hashes of the
local users (and files from other users).

+++++++++++++[ Impact ]++++++++++++++++++++++++++++++++++++++++++

Copying files that do not belong to you and that you do not have
the privilege to copy.

+++++++++++++[ Detailed description ]++++++++++++++++++++++++++++

Logged in as an unprivileged user, follow these steps:

1. Access the feature *Backup and Restore*;

2. Back up the folder C:\Windows\System32\config (or the folder of
another user; for example, if you are abc and your folder is
C:\users\abc, create the backup routine for the folder C:\users\cde,
where cde is the sole owner and controller of that folder);

3. As this feature runs as SYSTEM, it allows backing up these files;

4. Notice that the backup was concluded successfully;

5. Restore specifically the SAM and SYSTEM files from the previously
created backup;

6. Select a USB Drive as the location for the aforementioned files
to be restored;

7. Notice that the restore process was concluded successfully;

8. Notice that even though the restored files have a strong ACL, it
is possible to access them through a Linux system (which ignores
these ACLs) and crack the hashes, and that the unprivileged user was
able to copy the protected SAM and SYSTEM files (or the folder of
another user) using the backup and restore functionality of
Kaspersky Total Security 2019 ( and crack the hashes
contained in them (or read the files of the other user).
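
A defender-side check for the outcome described in steps 5 to 8, added here as an example and not part of the original advisory: it walks a directory such as a mounted removable drive and flags copies of the SAM, SYSTEM or SECURITY hives by their `regf` header (signature at offset 0, embedded file name at offset 0x30) rather than by file name. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile

REGF_MAGIC = b"regf"              # signature at offset 0 of a registry hive file
NAME_OFFSET, NAME_LEN = 0x30, 64  # base-block field: tail of the hive path, UTF-16LE
SENSITIVE = {"SAM", "SYSTEM", "SECURITY"}

def hive_name(path):
    """Return the upper-cased hive name from a regf header, or None if not a hive."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(NAME_OFFSET + NAME_LEN)
    except OSError:
        return None
    if len(header) < NAME_OFFSET + NAME_LEN or header[:4] != REGF_MAGIC:
        return None
    text = header[NAME_OFFSET:].decode("utf-16-le", errors="ignore").split("\x00", 1)[0]
    return text.rsplit("\\", 1)[-1].upper()

def find_hive_copies(root):
    """Walk root (e.g. a mounted removable drive) and list SAM/SYSTEM/SECURITY copies."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            name = hive_name(full)
            if name is None:
                continue
            label = name or fname.upper()  # header field may be empty: use file name
            if label in SENSITIVE:
                hits.append((full, label))
    return sorted(hits)

def make_sample_hive(path, embedded):
    """Constructed test file: only the two header fields used above, not a real hive."""
    block = bytearray(4096)
    block[:4] = REGF_MAGIC
    name = embedded.encode("utf-16-le")[:NAME_LEN]
    block[NAME_OFFSET:NAME_OFFSET + len(name)] = name
    with open(path, "wb") as fh:
        fh.write(block)

def demo():
    with tempfile.TemporaryDirectory() as usb:  # stands in for the USB drive
        make_sample_hive(os.path.join(usb, "report.bak"), r"\SystemRoot\System32\Config\SAM")
        make_sample_hive(os.path.join(usb, "SYSTEM"), "")
        make_sample_hive(os.path.join(usb, "ntuser.dat"), r"\Users\abc\ntuser.dat")
        return [(os.path.basename(p), n) for p, n in find_hive_copies(usb)]

if __name__ == "__main__": print(demo())
```

The renamed `report.bak` is still reported as SAM because the match is on the header, while the per-user `ntuser.dat` hive is recognized as a hive but not flagged.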

+++++++++++++[ Regards ]+++++++++++++++++++++++++++++++++++++++++++

* X@n@
* Gr3g0
* P$h3lz1n

+++++++++++++[ Reference ]+++++++++++++++++++++++++++++++++++++++++

[1] The Conscience of a Hacker (+++The Mentor+++, 1986)
[2] KORET and BACHAALANY, 2015

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/