Kaspersky Secure Connection - DLL Preloading and Potential Abuses (CVE-2019-15689)


December 2nd, 2019

Peleg Hadar

Security Researcher, SafeBreach Labs

Introduction

SafeBreach Labs discovered a vulnerability in Kaspersky Secure Connection, which is deployed with Kaspersky Internet Security (KIS).

In this post, we describe the CVE-2019-15689 vulnerability we found in Kaspersky Secure Connection.

We then demonstrate how this vulnerability could have been exploited by an attacker during a post-exploitation phase in order to achieve signed code execution, persistence and in some cases defense evasion. This vulnerability may have allowed attackers to implant an arbitrary unsigned executable, executed by a signed service that runs as NT AUTHORITY\SYSTEM.

Note: In order to exploit this vulnerability the attacker needs to have Administrator privileges.

Kaspersky Secure Connection

Kaspersky Secure Connection is a VPN client which provides the user a secure tunnel over the Kaspersky VPN servers.

Kaspersky Secure Connection is deployed with the following applications[1]:

  • Kaspersky Security Cloud
  • Kaspersky Internet Security
  • Kaspersky Anti-Virus
  • Kaspersky Total Security
  • Kaspersky Free

Part of the software runs as a service using NT AUTHORITY\SYSTEM permissions.

Vulnerability

Discovery

In our exploration, we targeted the “Kaspersky Secure Connection 3.0.0” service (“KSDE”).

It seemed interesting because:

  1. The executable of the service is signed by “AO Kaspersky Lab”; if an attacker finds a way to execute code within this process, it can be used as an application whitelisting bypass, which can lead to security product evasion.
  2. This service automatically starts once the computer boots, which means that it’s a potential target for an attacker to be used as a persistence mechanism.
  3. It runs as NT AUTHORITY\SYSTEM - the most privileged user account.

When the service is started, ksde.exe tries to load multiple missing DLL files:

[screenshot]

PoC Demonstration

Note: We chose the “ckahum.dll” library (which it tries to load from a path which doesn’t exist) for our PoC, but it might work on other files as well.

In order to test this vulnerability, we compiled an unsigned x86 DLL of our own which records the following in the filename of a .txt file it creates:

  1. The name of the process which loaded it
  2. The username which executed it
  3. The name of the DLL file

[screenshot]

Using the CVE-2019-15689 vulnerability, we were able to load an arbitrary unsigned DLL into a process signed by AO Kaspersky Lab and running as NT AUTHORITY\SYSTEM. Our code was executed within ksde.exe.

Root Cause Analysis

Once the “Kaspersky Secure Connection 3.0.0” service (ksde.exe) is loaded, it loads the ushata.dll library.

Next, ushata.dll calls a function dynamically (the address of the function is held in the ebx register at runtime):

[screenshot]

In order to understand which function is involved, we debugged the application using WinDbg:

[screenshots]

As you can observe in the screenshot, ushata.dll calls LoadLibraryExW with the following parameters:

  1. The DLL Path to be loaded
  2. dwFlags == 0 (No flags)

This is actually identical to calling LoadLibraryW, as mentioned in MSDN:
  “If no flags are specified, the behavior of this function is identical to that of the LoadLibrary function.”

There are two root causes for this vulnerability:

  1. No signature validation (or for that matter, any validation) was made against the DLL file which the service tried to load (i.e. calling the WinVerifyTrust function).
  2. Uncontrolled Search Path - the lack of safe DLL loading
    The library tried to load the DLL files mentioned above using LoadLibraryExW without flags (which is identical to LoadLibraryW). The problem is that it passed only the filename of the DLL instead of an absolute path, so the loader fell back to the default DLL search order.

Potential Malicious Uses and Impact

Below we describe two ways an attacker could have leveraged the vulnerability we discovered and documented above.

Whitelisting Bypass, Defense Evasion

The vulnerability gives attackers the ability to load and execute malicious payloads within the context of an AO Kaspersky Lab-signed process. This ability might be abused by an attacker for different purposes such as execution and defense evasion, for example an Application Whitelisting Bypass.

Persistence Mechanism

The vulnerability gives an attacker the ability to load and execute malicious payloads in a persistent way, each time the service is loaded. That means that once the attacker drops a malicious DLL, the service will load the malicious code each time it is restarted.
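Both root causes above (no signature check, filename-only loading) and the persistence scenario leave the same trace: the signed SYSTEM service mapping an unsigned DLL, or a DLL from a directory it has no business resolving from. The following detection logic is an added example and not code from the SafeBreach post; the Kaspersky install directory, the Sysmon-style event fields and all sample events are constructed/assumed.

```python
"""Added example, not code from the SafeBreach post: flag image-load events in
which ksde.exe maps an unsigned DLL or resolves one from outside the directories
it should load from. Fields follow Sysmon Event ID 7 (Image loaded); the install
directory and the events below are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed install directory; substitute the real one on the monitored host.
KSC_DIR = r"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 3.0"
TRUSTED_DIRS = (r"C:\Windows\System32", KSC_DIR)
WATCHED_IMAGES = ("ksde.exe",)  # only the service the advisory concerns

@dataclass(frozen=True)
class ImageLoad:
    user: str          # account the loading process runs as
    image: str         # process that performed the load
    image_loaded: str  # DLL path that was actually mapped
    signed: bool
    signature: str     # signer subject, empty when unsigned

def under_trusted_dir(path: str) -> bool:
    """True when the DLL lies beneath one of TRUSTED_DIRS (case-insensitive)."""
    return any(PureWindowsPath(d) in PureWindowsPath(path).parents for d in TRUSTED_DIRS)

def classify(ev: ImageLoad) -> list[str]:
    """Reasons an event is suspicious; an empty list means it looks benign."""
    if PureWindowsPath(ev.image).name.lower() not in WATCHED_IMAGES:
        return []
    reasons = []
    if not ev.signed:
        reasons.append("unsigned DLL loaded by signed service")
    if not under_trusted_dir(ev.image_loaded):
        reasons.append("DLL resolved from outside trusted directories")
    return reasons

def scan(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each flagged DLL path to its reasons, preserving event order."""
    return {ev.image_loaded: r for ev in events if (r := classify(ev))}

# Constructed events: two expected loads, one planted unsigned DLL, one out of scope.
SYSTEM = r"NT AUTHORITY\SYSTEM"
KSDE = rf"{KSC_DIR}\ksde.exe"
SAMPLE_EVENTS = [
    ImageLoad(SYSTEM, KSDE, rf"{KSC_DIR}\ushata.dll", True, "AO Kaspersky Lab"),
    ImageLoad(SYSTEM, KSDE, r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows"),
    ImageLoad(SYSTEM, KSDE, rf"{KSC_DIR}\ckahum.dll", False, ""),
    ImageLoad(r"DESKTOP\alice", r"C:\Windows\explorer.exe", r"C:\Users\alice\tool.dll", False, ""),
]
for _path, _why in scan(SAMPLE_EVENTS).items():
    print(f"ALERT {_path}: {'; '.join(_why)}")
```

Feeding real Event ID 7 records into `ImageLoad` turns this into a rule that fires on the first restart after a DLL is planted, which is exactly the persistence behaviour described above.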

Affected Products and Versions

Kaspersky Secure Connection - All versions below 4.0 (2020)

Timeline

July 18th, 2019 - Vulnerability reported to Kaspersky

Aug 7th, 2019 - Kaspersky confirmed the vulnerability

Aug 11th, 2019 - Kaspersky provided us with a schedule for the advisory release (fix planned for around December).

Sep 18th, 2019 - Status Update from Kaspersky

Nov 11th, 2019 - Status Update from Kaspersky

Nov 19th, 2019 - Status Update from Kaspersky

Nov 21st, 2019 - Kaspersky issued CVE-2019-15689

References

[1] https://support.kaspersky.com/13494