CVE-2017-9811
Published 2017-07-17
Priority P2 · 66 · critical · 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 10.47% (95.2 percentile)
The kluser is able to interact with the kav4fs-control binary in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312). By abusing the quarantine read and write operations, it is possible to elevate the privileges to root.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kaspersky | anti-virus_for_linux_server | <= 8.0.3.297 | — |
Detection & IOCs (extracted from sources)
Command: `/opt/kaspersky/kav4fs/bin/kav4fs-control -Q --restore $QUARANTINE_ID --file /etc/cron.d/implant`
- Monitor for kav4fs-control being invoked with quarantine flags (-Q --add-object, -Q --restore) by the kluser account, especially when the restore target is a privileged path such as /etc/cron.d/
- Alert on POST requests to /cgi-bin/cgictl?action=setTaskSettings containing a 'Command' key in the settings parameter, indicating CSRF-driven RCE via notification action configuration
- Detect path traversal attempts against /cgi-bin/cgictl?action=getReportStatus where the reportId parameter contains URL-encoded dot-dot sequences (%2f..%2f) and a null byte (%00)
- Watch for new files created under /etc/cron.d/ by non-root processes or by kav4fs-control, which is the privilege escalation persistence mechanism
- Detect outbound bash reverse shell connections from the Kaspersky AV process or kluser context using /dev/tcp to external hosts on non-standard ports
- Flag XSS probes against the scriptName parameter of the licenseKeyInfo action on port 9080
- Note: the PoC IP address 172.16.76.1 and port 8000 are attacker-controlled lab values from the proof-of-concept and should not be treated as fixed attacker infrastructure; real-world exploitation will use different callback addresses
- Note: the wmc_sid cookie value in the PoC request is a session token from the researcher's test environment and is not a stable IOC; focus on the request structure and endpoint rather than the session value
- Note: only Kaspersky Anti-Virus for Linux File Server 8.0.3.297 was explicitly tested; other versions may also be affected but were not confirmed
CVSS provenance
NVD v3.0: 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/143190/Kaspersky-Anti-Virus-File-Server-8.0.3.297-XSS-CSRF-Code-Execution.html
- http://seclists.org/fulldisclosure/2017/Jun/33
- http://www.securityfocus.com/bid/99330
- http://www.securitytracker.com/id/1038798
- https://www.coresecurity.com/advisories/kaspersky-anti-virus-file-server-multiple-vulnerabilities
- https://www.exploit-db.com/exploits/42269/