CVE-2020-28950: Kaspersky Anti-Ransomware Tool (KART) DLL Hijack
Virsec Security Research Lab Vulnerability Analysis
The Virsec Security Research Lab provides timely, relevant analysis about recent and notable security vulnerabilities.
1.1 Vulnerability Summary
The installer of Kaspersky Anti-Ransomware Tool (KART) prior to KART 4.0 Patch C was vulnerable to a DLL hijacking attack, caused by improper loading of Dynamic Link Libraries in the installer. By using a specially crafted DLL file, a local authenticated attacker could exploit this vulnerability to gain elevated privileges on the system.
1.2 CVSS Score
The CVSS base score of this vulnerability is 7.8 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1.3 Affected Version
Kaspersky Anti-Ransomware Tool prior to KART 4.0 Patch C.
1.4 Vulnerability Attribution
This vulnerability was reported by Shahee Mirza of BEETLES.
1.5 Risk Impact
Kaspersky Anti-Ransomware Tool detects malicious applications or legitimate software that can be used to damage your data (adware and others) and automatically blocks suspicious activity. The application stores data areas modified by suspicious processes in the hidden and protected storage. If a suspicious process creates or modifies files or the system registry, Kaspersky Anti-Ransomware Tool detects such changes, blocks the process, and then attempts to roll back the actions of the detected object by restoring the data areas from the protected storage.
Kaspersky Anti-Ransomware Tool is equipped with a self-protection mechanism to prevent modification or deletion of its files on the hard drive, its processes in memory, and its system registry entries. Exploiting this vulnerability can allow an attacker to escalate privileges and perform malicious administrative activities, such as shutting down KART itself in order to carry out a ransomware attack on the organization. No public exploit is available.
1.6 Virsec Security Platform (VSP) Support
The Virsec Security Platform (VSP)-Host monitors any new DLLs that are not part of a set of whitelisted DLLs. Any attempt to inject or hijack using these DLLs would be denied by VSP-Host’s Process Monitoring capability.
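The allowlist idea above can be illustrated with a small triage routine over DLL load records. This is an added example, not Virsec's or Kaspersky's code. The record layout, the trusted-directory list, the file names and the rule that an elevated process loading a DLL from its own folder is denied are all assumptions made for illustration.

```python
import ntpath  # Windows path semantics, so the example runs on any OS

def canon(path):
    """Collapse '..' and '/' and fold case before any comparison."""
    return ntpath.normcase(ntpath.normpath(path))

# Assumption: directories that only administrators can write to.
TRUSTED_DIRS = [canon(d) for d in (
    r"C:\Windows\System32", r"C:\Windows\SysWOW64",
    r"C:\Program Files", r"C:\Program Files (x86)",
)]

def in_trusted_dir(path):
    p = canon(path)
    # Require a separator after the prefix so "C:\Program Files Evil" fails.
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)

def classify(process, elevated, dll):
    """Return 'allow', 'review' or 'deny' for one DLL load record."""
    if in_trusted_dir(dll):
        return "allow"
    same_dir = ntpath.dirname(canon(dll)) == ntpath.dirname(canon(process))
    # Assumption: an elevated process (such as an installer) loading a DLL
    # from its own non-trusted folder is the case to block outright.
    if same_dir and elevated:
        return "deny"
    return "review"

# Constructed records (process, elevated, dll); names are placeholders and
# are not taken from the advisory.
SETUP = r"C:\Users\alice\Downloads\setup.exe"
EVENTS = [
    (SETUP, True, r"C:\Windows\System32\kernel32.dll"),
    (SETUP, True, r"C:\Users\alice\Downloads\samplelib.dll"),
    (SETUP, True, "c:/users/alice/downloads/SAMPLELIB.DLL"),
    (SETUP, False,
     r"C:\Windows\System32\..\..\Users\alice\Downloads\samplelib.dll"),
    (r"C:\Program Files\App\app.exe", True,
     r"C:\Program Files Evil\helper.dll"),
]

def triage(events):
    return [classify(*e) for e in events]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, triage(EVENTS)):
        print(f"{verdict:6} {event[2]}")
```

Paths are canonicalized before comparison, so a traversal sequence or a look-alike directory prefix does not pass as a trusted location.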