Kaspersky Secure Connection - DLL Preloading and Potential Abuses (CVE-2019-15689)
December 2nd, 2019
Security Researcher, SafeBreach Labs
SafeBreach Labs discovered a vulnerability in Kaspersky Secure Connection, which is deployed with Kaspersky Internet Security (KIS).
In this post, we describe the CVE-2019-15689 vulnerability we found in Kaspersky Secure Connection.
We then demonstrate how this vulnerability could have been exploited by an attacker during a post-exploitation phase in order to achieve signed code execution, persistence and in some cases defense evasion. This vulnerability may have allowed attackers to implant an arbitrary unsigned executable, executed by a signed service that runs as NT AUTHORITY\SYSTEM.
Note: In order to exploit this vulnerability the attacker needs to have Administrator privileges.
Kaspersky Secure Connection is a VPN client which provides the user a secure tunnel over the Kaspersky VPN servers.
Kaspersky Secure Connection is deployed with the following applications:
Part of the software runs as a service using NT AUTHORITY\SYSTEM permissions.
In our exploration, we targeted the “Kaspersky Secure Connection 3.0.0” service (“KSDE”.)
It seemed interesting because:
When the service is started, ksde.exe tries to load multiple missing DLL files:
Note: We chose the “ckahum.dll” library (which it tries to load from a path which doesn’t exist) for our PoC, but it might work on other files as well.
In order to test this vulnerability, we compiled an x86 unsigned arbitrary DLL which writes the following to the filename of a txt file:
Using the CVE-2019-15689 vulnerability, we were able to load an arbitrary DLL file which was signed by AO Kaspersky Lab and run as NT AUTHORITY\SYSTEM. Our code was executed within ksde.exe,
Once the “Kaspersky Secure Connection 3.0.0” service (ksde.exe) is loaded, it loads the ushata.dll library.
Next, The ushata.dll calls a function dynamically (the address of the function is stored in the ebx register in runtime):
In order to understand which function is involved, we debugged the application using WinDbg:
As you can observe in the screenshot, ushata.dll calls LoadLibraryExW with the following parameters:
This is actually identical to calling LoadLibraryW, as mentioned in MSDN:
If no flags are specified, the behavior of this function is identical to that of the LoadLibrary function.
There are two root causes for this vulnerability:
Below we show two possible ways that an attacker could have leveraged these vulnerabilities which we discovered and documented above.
The vulnerability give attackers the ability to load and execute malicious payloads within the context of AO Kaspersky Lab signed process. This ability might be abused by an attacker for different purposes such as execution and defense evasion, for example: Application Whitelisting Bypass.
The vulnerability gives an attacker the ability to load and execute malicious payloads in a persistent way, each time the service is loaded. That means that once the attacker drops a malicious DLL, the service will load the malicious code each time it is restarted.
Kaspersky Secure Connection - All versions below 4.0 (2020)
July 18th, 2019 - Vulnerability reported to Kaspersky
Aug 7th, 2019 - Kaspersky confirmed the vulnerability
Aug 11th, 2019 - Kaspersky provided us a schedule of an advisory release (will be fixed around December).
Sep 18th , 2019 - Status Update from Kaspersky
Nov 11th, 2019 - Status Update from Kaspersky
Nov 19th, 2019 - Status Update from Kaspersky.
Nov 21st, 2019 - Kaspersky issued CVE-2019-15689