SafeBreach, a security research company, has found a security flaw in Kaspersky Secure Connection, a VPN client that is bundled with a series of other Kaspersky security products. The flaw lets an attacker run code inside a signed process that runs with SYSTEM privileges, which in more complex attacks can be used to bypass application whitelisting and evade defenses.
The vulnerability is tracked as CVE-2019-15689. It lets an attacker have an unsigned executable (a DLL) loaded and run by a signed process that runs as NT AUTHORITY\SYSTEM and starts at boot, which opens the door to further malicious activity on the compromised machine.
SafeBreach explained that Kaspersky Secure Connection is bundled with Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security and other products. The service it installs runs with SYSTEM privileges, and its executable is signed by "AO Kaspersky Lab". If an attacker finds a way to execute code inside this process, the code inherits that trusted identity, which can be used to bypass application whitelisting and any security product that trusts signed binaries.
And because the service starts at boot, an attacker who plants a payload also gains persistence: the payload runs on every system startup. SafeBreach's analysis found that the Kaspersky service tries to load a series of DLLs, some of which are not present on the system. Because the service does not verify the signature of the DLLs it loads, an attacker can drop an unsigned DLL under the expected name and have it executed by the signed process. In addition, the service does not load DLLs safely: it refers to them by file name only rather than by absolute path, so Windows resolves the name through its DLL search order, and a DLL placed in a directory that is searched before the one where the file should live is loaded instead (DLL search-order hijacking). The precondition for exploitation is that the attacker can already write to a directory on that search path, which on a default installation normally requires administrator rights. The issue was reported to Kaspersky in July 2019, and the advisory for CVE-2019-15689 was published on November 21.
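The two conditions described above, a service that looks for DLLs that do not exist and a searched directory that a low-privileged user can write to, are exactly what a practitioner checks when hunting for this class of bug, and they are also the precondition for the whitelisting bypass mentioned earlier. The following PowerShell script is an added example written for this page; it is not code from SafeBreach's advisory or from Kaspersky. It starts from a Process Monitor CSV export (File > Save > CSV) and reports every DLL the target process failed to find together with whether the directory it was looked up in grants write access to standard users. The process name SecureConnectionService.exe, the paths and the embedded CSV rows are constructed placeholders, not the real binaries or paths from the advisory.

```powershell
# Added example (not SafeBreach's or Kaspersky's code): hunt for DLL search-order
# hijack candidates from a Process Monitor CSV export. Assumed input: ProcMon was
# run while the service started and exported with the default columns
# (Time of Day, Process Name, PID, Operation, Path, Result, Detail).
param(
    [string]$CsvPath = "",                                 # real export; empty = use sample
    [string]$ProcessName = "SecureConnectionService.exe"   # hypothetical placeholder name
)

# Constructed sample rows standing in for a real export so the script runs offline.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","SecureConnectionService.exe","1234","CreateFile","C:\Program Files (x86)\Vendor\VPN\missing_helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000100","SecureConnectionService.exe","1234","CreateFile","C:\Windows\System32\missing_helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000200","SecureConnectionService.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:00:01.0000300","explorer.exe","4321","CreateFile","C:\Users\alice\AppData\Local\Temp\other.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'@

function Get-MissingDllLoads {
    param([object[]]$Events, [string]$Process)
    # A DLL the loader probes for and does not find is a hijack candidate:
    # whoever can create a file at that exact path gets code in the process.
    $Events |
        Where-Object {
            $_.'Process Name' -ieq $Process -and
            $_.Operation -eq 'CreateFile' -and
            $_.Result -eq 'NAME NOT FOUND' -and
            $_.Path -like '*.dll'
        } |
        Select-Object -ExpandProperty Path -Unique
}

function Test-WritableByStandardUser {
    param([string]$Directory)
    # Exploitation precondition: a low-privileged principal may create files in
    # the directory that was searched. Program Files and System32 should return
    # $false on a healthy system; a writable directory earlier in the search
    # order is what turns a missing DLL into code execution.
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $lowPrivSids = @(
        'S-1-1-0',      # Everyone
        'S-1-5-11',     # Authenticated Users
        'S-1-5-32-545'  # BUILTIN\Users
    )
    # CreateFiles (0x2) is the bit that matters; GENERIC_WRITE / GENERIC_ALL
    # appear unmapped in some ACEs, so they are checked explicitly too.
    $writeMask = 0x2 -bor 0x40000000 -bor 0x10000000
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity, skip
        if ($lowPrivSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

$events = if ($CsvPath) { Import-Csv -LiteralPath $CsvPath } else { $sampleCsv | ConvertFrom-Csv }

foreach ($path in Get-MissingDllLoads -Events $events -Process $ProcessName) {
    $dir = Split-Path -Path $path -Parent
    [pscustomobject]@{
        MissingDll        = $path
        SearchedDirectory = $dir
        WritableByUsers   = Test-WritableByStandardUser -Directory $dir
    }
}
```

Run it without arguments to see the constructed sample, or pass `-CsvPath` and `-ProcessName` against a real capture. Process Monitor is used rather than the executable's import table because the DLLs at issue are typically requested at run time through LoadLibrary, which a static import listing does not show. A row with `WritableByUsers = True` is the finding; a row where every searched directory is admin-only is still worth reporting to the vendor, since, as the advisory notes, the service should load its DLLs by absolute path (or with a restricted search path) and verify their signatures before loading them.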