Re: [DSECRG-11-018] Kaspersky administration Kit - Remote code execution via SMBRelay
- To: Alexandr Polyakov <alexandr.polyakov@xxxxxxx>
- Subject: Re: [DSECRG-11-018] Kaspersky administration Kit - Remote code execution via SMBRelay
- From: "Vladimir '3APA3A' Dubrovin" <3APA3A@xxxxxxxxxxxxxxxx>
- Date: Tue, 26 Apr 2011 16:53:33 +0400
Dear Alexandr Polyakov,
AFAIK, SMB NTLM relaying was closed with MS08-068 and Kerberos was never
possible to relay. Are you sure authentication is really possible with
patched windows systems?
--Monday, April 25, 2011, 12:21:57 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx:
AP> Digital Security Research Group [DSecRG] Advisory #DSECRG-11-018
AP> Application: Kaspersky Administration Kit
AP> Versions Affected: from 6.0
AP> Vendor URL: http://www.kaspersky.com
AP> Bug: Design flaw
AP> Exploits: YES
AP> Reported: 22.01.2011
AP> Vendor response: 22.01.2011
AP> Solution: disable IP scan
AP> Date of Public Advisory: 14.03.2011
AP> Authors: Alexey Sintsov of Digital Security Research Group [DSecRG]
AP> Description
AP> ***********
AP> The service account used for Kaspersky Administration Kit and its
AP> functionality make it possible to attack other hosts
AP> in a corporate network.
AP> Details
AP> *******
AP> A function called "Scan IP subnets" is enabled by default in Kaspersky
AP> Administration Kit 6.
AP> This function performs an ICMP scan and also tries to use the SMB
AP> protocol with the service account, which can be
AP> used to run an SMBRelay attack and gain full control of a secured
AP> network. By default "Scan IP subnets"
AP> scans the subnet every 7 hours. The attacker just needs to run an
AP> SMBRelay tool and wait. The attack is possible
AP> because the Kaspersky service account has administrative rights on hosts in the
AP> corporate network.
AP> This means that the attacker can attack any server or workstation
AP> where this service account has rights.
AP> Fix Information
AP> ***************
AP> 1) Do not start the Administration Server service under a Domain Administrator
AP> account or a domain account that is a member of the local Administrators group on other hosts.
AP> 2) Disable "Scan IP subnets"
AP> http://support.kaspersky.com/faq/?qid=208284121
AP> References
AP> *********
AP> http://dsecrg.ru/pages/vul/show.php?id=318
AP> http://dsecrg.blogspot.com/2011/03/smbrelay-bible-4-smbrelay-with-no.html
AP> About DSecRG
AP> *******
AP> The main mission of DSecRG is to conduct research on business-
AP> critical systems such as ERP, CRM, SRM, BI, SCADA, banking software
AP> and others. The result of this work is then integrated into the ERPSCAN
AP> security scanner. Being on the leading edge of ERP and SAP security,
AP> DSecRG research helps to improve the quality of ERPSCAN consulting
AP> services and protects you from the latest threats.
AP> Contact: research [at] dsecrg [dot] com
AP> http://www.dsecrg.com
AP> About ERPScan
AP> *******
AP> ERPScan is an innovative company engaged in the research of ERP
AP> security and develops products for ERP system security assessment.
AP> Apart from this the company renders consulting services for secure
AP> configuration, development and implementation of ERP systems, and
AP> conducts comprehensive assessments and penetration testing of custom
AP> solutions.
AP> Our flagship products are "ERPScan Security Scanner for SAP"
AP> and service "ERPScan Online" which can help customers to perform
AP> automated security assessments and compliance checks for SAP
AP> solutions.
AP> “ERPScan Security Scanner for SAP” is an innovative product for
AP> integrated assessment of SAP platform security and standard
AP> compliance.
AP> Contact: info [at] erpscan [dot] com
AP> http://www.erpscan.com
AP> Polyakov Alexandr. PCI QSA,PA-QSA
AP> CTO Digital Security
AP> Head of DSecRG
AP> ______________________
AP> DIGITAL SECURITY
AP> phone: +7 812 703 1547
AP> +7 812 430 9130
AP> e-mail: a.polyakov@xxxxxxx
AP> www.dsec.ru
AP> www.dsecrg.com www.dsecrg.ru
AP> www.erpscan.com www.erpscan.ru
AP> www.pcidssru.com www.pcidss.ru
AP> -----------------------------------
AP> This message and any attachment are confidential and may be
AP> privileged or otherwise protected
AP> from disclosure. If you are not the intended recipient any use,
AP> distribution, copying or disclosure
AP> is strictly prohibited. If you have received this message in
AP> error, please notify the sender immediately
AP> either by telephone or by e-mail and delete this message and
AP> any attachment from your system. Correspondence
AP> via e-mail is for information purposes only. Digital Security
AP> neither makes nor accepts legally binding
AP> statements by e-mail unless otherwise agreed.
AP> -----------------------------------
--
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
Trouble starts at eight. (Twain)
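Whether or not the relay still works on patched systems, the scenario in the advisory leaves a distinctive trace on the hosts the service account administers: a network logon (Windows Security event 4624, logon type 3) for that account authenticated with NTLM rather than Kerberos, arriving from an address that is not a managed host. The following detection script is an added example and is not code from either message in this thread nor from Kaspersky; the account name `svc_kasc`, the domain `CORP`, the host names and the addresses are constructed placeholders, and the input records are a hand-built reduction of event 4624 to the fields the check needs.

```python
"""
Flag NTLM network logons by a privileged service account.

Added example; not code from the advisory or from Kaspersky. Account name,
domain, hosts and addresses are constructed placeholders. Input is a list of
Windows Security event 4624 records reduced to the fields the check needs.
"""
from collections import Counter

# Constructed sample events (keys follow the 4624 event's XML element names).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc_kasc", "TargetDomainName": "CORP",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "10.0.1.5", "WorkstationName": "DC01"},
    {"EventID": 4624, "TargetUserName": "svc_kasc", "TargetDomainName": "CORP",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.9.77", "WorkstationName": "ROGUE01"},
    {"EventID": 4624, "TargetUserName": "svc_kasc", "TargetDomainName": "CORP",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.9.77", "WorkstationName": "ROGUE01"},
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetDomainName": "CORP",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.2.20", "WorkstationName": "WS02"},
    {"EventID": 4624, "TargetUserName": "svc_kasc", "TargetDomainName": "CORP",
     "LogonType": 5, "AuthenticationPackageName": "Negotiate",
     "IpAddress": "-", "WorkstationName": "KSC01"},
]

NETWORK_LOGON = 3  # logon type 3 = network logon (SMB, RPC, ...)


def ntlm_network_logons(events, service_account, domain):
    """Return the 4624 events in which service_account logged on over the
    network using NTLM. Kerberos logons are ignored because a relayed session
    is NTLM by construction; a service logon (type 5) on the Administration
    Server itself is not a relay candidate either."""
    flagged = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        if ev.get("TargetUserName", "").lower() != service_account.lower():
            continue
        if ev.get("TargetDomainName", "").lower() != domain.lower():
            continue
        if ev.get("LogonType") != NETWORK_LOGON:
            continue
        if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue
        flagged.append(ev)
    return flagged


def unexpected_sources(flagged, known_hosts):
    """Count flagged logons per source address not in known_hosts.
    On the victim host, a relayed logon is recorded with the relaying
    machine's address, so repeated NTLM logons of the service account from
    one address that is not a managed host are the pattern to alert on."""
    counts = Counter()
    for ev in flagged:
        src = ev.get("IpAddress", "-")
        if src not in known_hosts:
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = ntlm_network_logons(SAMPLE_EVENTS, "svc_kasc", "CORP")
    print(f"{len(hits)} NTLM network logon(s) by svc_kasc")
    for src, n in unexpected_sources(hits, {"10.0.1.5", "10.0.2.20"}).items():
        print(f"  {n} from unmanaged address {src}")
```

Run against real data by exporting 4624 events from the hosts the service account administers (not from the Administration Server, which only sees its own outbound attempts). The check is deliberately narrow: it says nothing about whether the scan itself is enabled, only whether the account is being used over NTLM from somewhere it should not be, which is the condition the advisory's fix 1) is meant to make harmless.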