heise online IT news, features and forums at heise online UK
5 June 2008, 10:54

Kaspersky driver bug allows privilege escalation

A flaw in a kernel driver used by Kaspersky Anti-Virus 6.0 and 7.0, Kaspersky Internet Security 6.0 and 7.0, and Kaspersky Anti-Virus 6.0 for Windows Workstations can be exploited by users with restricted rights to get admin rights to a system, or by malware to execute with system privileges.

The cause is a buffer overflow in the kl1.sys kernel driver when handling a call to IOCTL 0x800520e8 where the length of a user-supplied parameter exceeds 2,000 characters. According to iDefense, code can then be injected onto the stack and launched with the kernel's rights. Kaspersky has released updates to fix the flaw. Most users will probably already have them installed via the software's automatic update function.
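
As an added example (not code from heise, iDefense or Kaspersky): the IOCTL code named above decoded with the standard Windows CTL_CODE bit layout, followed by a hypothetical model of a handler that bounds-checks its input before copying. The function names and the 2000-byte buffer size are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of a Windows I/O control code, as packed by the CTL_CODE macro. */
struct ioctl_fields {
    uint32_t device_type; /* bits 31..16; values >= 0x8000 are vendor-defined */
    uint32_t access;      /* bits 15..14; 0 = FILE_ANY_ACCESS */
    uint32_t function;    /* bits 13..2;  values >= 0x800 are vendor-defined */
    uint32_t method;      /* bits 1..0;   0 = METHOD_BUFFERED */
};

struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Assumption: 2000-byte local buffer, taken from the length quoted in the article. */
#define LOCAL_BUF_LEN 2000

/* Hypothetical handler model: reject input that does not fit instead of copying it.
 * Returns 0 on success, -1 when the caller-supplied length is too large. */
int handle_request(const unsigned char *in, size_t in_len)
{
    unsigned char local[LOCAL_BUF_LEN];
    if (in == NULL || in_len > sizeof local)
        return -1;               /* bounds check before the copy */
    memcpy(local, in, in_len);
    return 0;
}

int main(void)
{
    struct ioctl_fields f = decode_ioctl(0x800520e8u);
    unsigned char sample[LOCAL_BUF_LEN + 1] = {0}; /* constructed oversized input */
    printf("device=0x%x access=%u function=0x%x method=%u\n",
           (unsigned)f.device_type, (unsigned)f.access,
           (unsigned)f.function, (unsigned)f.method);
    printf("in-bounds: %d, oversized: %d\n",
           handle_request(sample, LOCAL_BUF_LEN),
           handle_request(sample, sizeof sample));
    return 0;
}
```

The decoded access field is 0 (FILE_ANY_ACCESS) and the method field is 0 (METHOD_BUFFERED): the code itself requires no read or write access on the device handle, and the driver receives a system-buffer copy whose length is set by the caller. A driver handling such a request has to validate that length against its own fixed-size buffers.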

(mba)
