System rights through vulnerability in Kaspersky's antivirus solution
iDefense has reported a hole in drivers used by Kaspersky's antivirus solution. A registered, non-privileged user could exploit it to elevate access rights. The problem lies in the KLIN.SYS and KLICK.SYS drivers, which do not validate the addresses passed to them in I/O control (IOCTL) calls. According to iDefense, attackers could manipulate those addresses, write their own code segments into memory and launch them with system rights. iDefense recently also discovered an almost identical IOCTL hole in products from Symantec.
The flaw affects driver version 22.214.171.1241, as contained in Kaspersky Labs Anti-Virus Version 126.96.36.1993. Kaspersky removed the flaw in driver version 188.8.131.523 starting on 12 October; it can be downloaded using the update service.
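The kind of address check whose absence the advisory describes, as an added example: a user-space C model, not Kaspersky's or iDefense's code. The boundary constant and the names `probe_user_range` and `handle_ioctl` are assumptions made for illustration; in a Windows driver the kernel routines ProbeForRead and ProbeForWrite fill this role.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed for this model: highest address a user-mode caller may own.
   The value is constructed; a real kernel supplies its own limit. */
#define MODEL_USER_TOP ((uintptr_t)0x7FFEFFFFu)

typedef enum { RANGE_OK, RANGE_NULL, RANGE_MISALIGNED,
               RANGE_WRAPS, RANGE_NOT_USER } range_status;

/* Decide whether [addr, addr+len) may be touched on behalf of the caller.
   align must be a power of two (1 disables the alignment check). */
range_status probe_user_range(uintptr_t addr, size_t len, size_t align)
{
    if (len == 0)
        return RANGE_OK;                 /* nothing will be accessed */
    if (addr == 0)
        return RANGE_NULL;
    if ((addr & (align - 1)) != 0)
        return RANGE_MISALIGNED;
    if (len - 1 > UINTPTR_MAX - addr)
        return RANGE_WRAPS;              /* addr + len would overflow */
    if (addr + (len - 1) > MODEL_USER_TOP)
        return RANGE_NOT_USER;           /* reaches privileged memory */
    return RANGE_OK;
}

/* Model of an I/O control handler: refuse the request before any write. */
int handle_ioctl(uintptr_t out_addr, size_t out_len)
{
    return probe_user_range(out_addr, out_len, 4) == RANGE_OK ? 0 : -1;
}

int main(void)
{
    /* Constructed requests: one ordinary, one straddling the boundary. */
    printf("%d\n", handle_ioctl((uintptr_t)0x00400000u, 64));
    printf("%d\n", handle_ioctl(MODEL_USER_TOP - 3, 8));
    return 0;
}
```

The end-of-range comparison uses `len - 1` so that a buffer ending exactly at the boundary is accepted and a length that would wrap the address space is rejected before any addition takes place.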
- Kaspersky Labs Anti-Virus IOCTL Local Privilege Escalation Vulnerability, advisory from iDefense