LOLBINed — Using Kaspersky Endpoint Security “KES” Installer to Execute Arbitrary Commands
At the start of the year, I was doing some research into AV uninstaller tools, understanding how they work, and trying to find misconfigurations and other ways they can be abused. I’ve compiled my findings in a repository that I’ll make public soon.
One AV uninstaller in particular, the one we’ll be focusing on today, is Kaspersky's kavremover. We’ll also see how this uninstaller led to another issue in the Kaspersky Endpoint Security (KES) installer.
Here is a quick description of the tool from the Kaspersky documentation:
Kavremover is a free tool for removing Kaspersky applications that cannot be removed completely using standard Windows tools
With that, let’s simply run the tool and go from there.
We are greeted immediately by a simple screen containing a captcha-like code and a list containing the supported products that we can remove.
Once we click “Remove”, the removal process starts with no additional prompts until it finishes. (Note that this tool requires administrator privileges to run.)
Now, let’s take a look at this from “Process Monitor” to see what the process is actually doing behind the scenes.
The tool extracts itself into the %temp% directory and drops a number of other files there, but the most interesting part (in the context of this blog) is “actA7A1.tmp”. If we take a look at its command line:
The “run-cmd” keyword got me intrigued, especially since it’s running an instance of “regsvr32”:
"C:\Users\lab\AppData\Local\Temp\actA7A1.tmp" run run-cmd "regsvr32.exe /u /s \"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\mcou.dll\""
This command line looked like it would allow arbitrary binaries to be executed, just like a LOLBIN, so I decided to take a look at this dropped file.
To get it, I simply re-ran the “kavremover” process and used a SYSTEM command prompt to copy the file while it was running.
Note that we can also extract this binary from the resource section of the original “kavremover” using a tool like “Resource Hacker”.
Now, with the executable in hand, let’s follow the same structure and replace the “regsvr32” call with an arbitrary command:
RT_RCDATA503.exe run run-cmd "cmd /c whoami > whoami.txt"
We are able to execute arbitrary commands, as our theory suggested. To top it off, the binary in question is also signed. (Note that the executed commands run with the same privileges as the abused executable.)
Now this is an interesting LOLBIN, and if the story ended here I would’ve been happy, but it didn’t, so let us continue.
Kaspersky Endpoint Security (KES) Installer
While doing this research, and in order to test these different uninstallers, I was also installing the AV products in question. While playing with the KES installer I got the following prompt from KES:
I launched “Process Monitor” and continued with the uninstallation process. Seeing the results from procmon, we get a very familiar process.
“act3CB2.tmp” has the same arguments as the binary we looked at with “kavremover”, which leads to the theory that the KES installer uses the same method to remove other AVs. What got me really interested is how KES was able to detect that I had AVG 2015 installed.
Looking at the process tree, we can see that “act3CB2.tmp” has a parent process called “cleanapi.exe”, which sounds very interesting, so I started looking for “cleanapi.exe” inside the KES installer.
Double-clicking the installer first “decompresses” it into a specified location. Looking at the directory structure of the uncompressed data, we see two interesting files that may be related to the “cleaning” functionality.
The content of “incompatible.txt” is a long list of security products (AV, EDR, VPN, firewalls…) that, judging by the file name, KES may be incompatible with (i.e. running both at the same time can cause issues).
To view the content of the “cleaner.cab” file, we first need to extract it using a tool like 7-Zip.
At first glance, the names of the “.ini” files map one-to-one to the names inside “incompatible.txt”. We’ll come back to the “.ini” files in a moment.
Scrolling down a little we find the binary we’re looking for, “cleanapi.exe”.
Hey, I Don’t Like Your AV… Can I Remove It?
Back to the original question: how was KES able to determine that I had AVG 2015 installed? Looking inside the cleaner folder, I found the following “.ini” files
With the following content inside:
Three things pop up right out of the gate:
Sparing you the boring details, because this is getting long already: the check for “AVG” is done by looking up the registry key specified in the “detect-registry” variable. If it’s found, the value pointed at by “env-registry” is run.
To test this out I did the following steps:
- Remove AVG from the system
- Create registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Avg\Avg2015”
- Create registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG\UninstallString” and point it at “notepad.exe”
- Run KES installer and see if notepad is spawned
Lo and behold, it did actually run the command as expected.
We are now able to execute arbitrary commands and processes from the context of the signed Kaspersky process, as long as we simulate an AV that is “unsupported” by KES in order to trigger the uninstallation process.
Note that this of course requires admin privileges in order to modify the necessary registry keys (HKLM) and run the KES installer.
On the other hand, this could offer an interesting setup for attackers who stumble upon organizations already running Kaspersky: the commands come from a Kaspersky process that may already be whitelisted by the security team, and the registry entries could serve as a kind of backdoor/persistence, since the behaviour repeats each time a KES installation occurs.
Do You Have This AV Installed?
One interesting side effect of this research is the discovery of the “.ini” files mentioned above. There are 2450 “.ini” files in “cleaner.cab”, which means we have a method, and in some cases multiple methods, to detect around 2450 different security products (AV, EDR, VPN, firewalls…).
I created a simple script that parses all those “.ini” files and compiles the results into a CSV file, which will be available in the repository mentioned at the start of this blog.
Here is an example of how it looks:
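To make the detect-registry / env-registry mechanism concrete, and to show the shape of an inventory script like the one mentioned above, here is an added example. It is not the author's script and not Kaspersky code: the key names detect-registry and env-registry come from the post, while the [cleaner] section name, the detect-file key and the sample file contents are assumptions constructed for the example. It parses cleaner-style .ini files and emits a CSV that records, per product, which registry value the installer would execute.

```python
"""Inventory the detection/removal recipes in Kaspersky cleaner-style .ini files.

Added example, not the author's script and not Kaspersky code. The key names
`detect-registry` and `env-registry` come from the post; the `[cleaner]`
section name, the `detect-file` key and the sample file contents below are
constructed assumptions for illustration.
"""
import configparser
import csv
import io

# Constructed stand-ins for files from cleaner.cab (the real archive holds ~2450).
SAMPLE_INI_FILES = {
    "AVG 2015.ini": """
[cleaner]
detect-registry=HKEY_LOCAL_MACHINE\\SOFTWARE\\Avg\\Avg2015
env-registry=HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AVG\\UninstallString
""",
    "Example VPN.ini": """
[cleaner]
detect-registry=HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVPN
detect-file=%ProgramFiles%\\ExampleVPN\\vpn.exe
env-registry=HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVPN\\UninstallString
""",
    "Broken.ini": "this is not an ini file",
}

FIELDS = ["product", "detect_registry", "detect_file", "env_registry", "runs_registry_value"]


def parse_cleaner_ini(filename, text):
    """Return one inventory row for a cleaner .ini, or None if it cannot be parsed."""
    # interpolation=None: values such as %ProgramFiles% must not be treated as
    # configparser interpolation syntax.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    if not parser.sections():
        return None
    product = filename[:-4] if filename.lower().endswith(".ini") else filename
    row = {"product": product, "detect_registry": "", "detect_file": "", "env_registry": ""}
    for section in parser.sections():
        for key, value in parser.items(section):
            # configparser lower-cases keys; map the dashed names onto CSV columns.
            column = key.replace("-", "_")
            if column in row:
                row[column] = value.strip()
    # The security-relevant bit: the installer executes whatever this registry
    # value holds once the detect-* condition matches, so record it explicitly.
    row["runs_registry_value"] = "yes" if row["env_registry"] else "no"
    return row


def inventory_to_csv(files):
    """Parse every (filename -> text) pair and return the CSV inventory as a string."""
    rows = [row for row in (parse_cleaner_ini(n, t) for n, t in files.items()) if row]
    rows.sort(key=lambda r: r["product"].lower())
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(inventory_to_csv(SAMPLE_INI_FILES), end="")
```

Pointing the same functions at a directory extracted from a real cleaner.cab (reading each file's text and passing its name) gives the full inventory; the runs_registry_value column is the one worth reviewing, because every "yes" is a registry value whose content the installer will run with its own privileges.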
Back to The “cleanapi.exe” Binary
As we’ve seen, the removal is performed by a binary similar to the one we found in the “kavremover” process. Digging a little with “Process Monitor” and “Resource Hacker”, we find that the binary in question is located inside the resource section of “cleanapi.dll”.
By dumping it, we get a similar signed binary (with a different hash, though) to the one found within “kavremover”, which we can use as a LOLBIN once again.
Arbitrary DLL Load
One last thing before I wrap this up. As you may have noticed when we looked at the process tree, “cleanapi.exe” had a bunch of command-line arguments:
"C:\Users\lab\AppData\Local\Temp\282527F5EDA44439AD3CC23FD270EE91\clr\flt\cleanapi.exe" -r -t 1 -n cleanapi.dll -d C:\Users\lab\AppData\Local\Temp\282527F5EDA44439AD3CC23FD270EE91\clr\flt\
One interesting argument out of the bunch is “-n”, which takes a DLL, specifically “cleanapi.dll”. If we reduce the previous command to just the “-n” flag and a random DLL:
cleanapi.exe -n malware.dll
We can clearly see via “Process Monitor” that the process in question is looking for our random DLL.
We can quickly create a “calc” POC to test whether it loads arbitrary DLLs, and indeed, once the POC is run, we get a calc popping up. (Of course, the “cleanapi.exe” binary is signed.)
Even though the issues described here require admin privileges to some extent and could be considered by some as “features”, they are still worth exploring. In summary:
- We can use the signed binaries extracted from “kavremover.exe” or “cleanapi.dll” to execute arbitrary commands.
ExtractedBinary.exe run run-cmd [Command]
- We can execute arbitrary commands from the context of the KES installer using the registry (or, in theory, any of the installation methods described in the INI files), as described above.
- You can “remove”/“detect” more than 2400 security products using the Kaspersky Endpoint Security “KES” installer.
- We can load arbitrary DLLs using the “cleanapi.exe” binary with the following command:
cleanapi.exe -n [MaliciousDLL]
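For the defensive side of the points above (the run-cmd helper, the registry-triggered execution under a signed Kaspersky process, and the -n DLL load), here is an added example of hunting rules over process-creation telemetry. It is not code from the post or from Kaspersky: events are dicts using Sysmon Event ID 1 style field names (Image, CommandLine, ParentImage), and the sample events, the EXTRACT_DIR path and the kes_setup.exe parent name are constructed to mirror the command lines shown in the post.

```python
"""Hunting rules for the Kaspersky cleaner behaviour described in this post.

Added example, not code from the post or from Kaspersky. Events are dicts
with Sysmon Event ID 1 style fields (Image, CommandLine, ParentImage); the
sample events, the EXTRACT_DIR path and the kes_setup.exe parent name are
constructed for illustration.
"""
import re
from pathlib import PureWindowsPath

# Assumed extraction directory standing in for the random temp folder in the post.
EXTRACT_DIR = r"C:\Users\lab\AppData\Local\Temp\EXTRACTDIR\clr\flt"

RUN_CMD_RE = re.compile(r'\brun\s+run-cmd\s+"(?P<inner>.*)"\s*$', re.IGNORECASE)
DLL_ARG_RE = re.compile(r'(?:^|\s)-n\s+("[^"]+"|\S+)', re.IGNORECASE)
DIR_ARG_RE = re.compile(r'(?:^|\s)-d\s+("[^"]+"|\S+)', re.IGNORECASE)
TMP_HELPER_RE = re.compile(r"^act[0-9a-f]{4}\.tmp$", re.IGNORECASE)  # e.g. actA7A1.tmp


def _basename(path):
    return PureWindowsPath(path.strip().strip('"')).name.lower()


def _first_executable(cmd):
    """Executable name at the head of a Windows command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return _basename(cmd[1:end]) if end > 0 else ""
    return _basename(cmd.split()[0]) if cmd else ""


def check_event(event):
    """Return a list of findings (rule, severity, detail) for one process-creation event."""
    findings = []
    image = _basename(event["Image"])
    parent = _basename(event["ParentImage"])
    cmdline = event["CommandLine"]

    # Rule 1: the 'run run-cmd' helper. The post shows it invoking regsvr32 /u to
    # unregister a product DLL; anything else passed through it is raised loudly.
    m = RUN_CMD_RE.search(cmdline)
    if m:
        inner = m.group("inner").replace('\\"', '"')  # undo the escaped inner quotes
        exe = _first_executable(inner)
        if exe == "regsvr32.exe":
            findings.append(("kes_cleaner_run_cmd", "low", f"{image} unregistering via regsvr32"))
        else:
            findings.append(("kes_cleaner_run_cmd_unexpected", "high", f"{image} ran {exe} through run-cmd"))

    # Rule 2: cleanapi.exe -n is expected to name cleanapi.dll from the -d directory.
    if image == "cleanapi.exe":
        dll = DLL_ARG_RE.search(cmdline)
        if dll:
            dll_path = dll.group(1).strip('"')
            d = DIR_ARG_RE.search(cmdline)
            expected_dir = d.group(1).strip('"') if d else ""
            p = PureWindowsPath(dll_path)
            off_path = p.is_absolute() and bool(expected_dir) and p.parent != PureWindowsPath(expected_dir)
            if _basename(dll_path) != "cleanapi.dll" or not expected_dir or off_path:
                findings.append(("cleanapi_unexpected_dll", "high", f"cleanapi.exe -n {dll_path}"))

    # Rule 3: the cleaner processes are expected to spawn regsvr32 (or nothing);
    # any other child, e.g. notepad from a planted UninstallString, gets reviewed.
    if (TMP_HELPER_RE.match(parent) or parent == "cleanapi.exe") and image != "regsvr32.exe":
        findings.append(("kes_cleaner_unexpected_child", "medium", f"{parent} spawned {image}"))
    return findings


def scan(events):
    """Run check_event over a batch; returns (event_index, rule, severity, detail) tuples."""
    return [(i, *f) for i, e in enumerate(events) for f in check_event(e)]


# Constructed sample telemetry mirroring the command lines shown in the post.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\lab\AppData\Local\Temp\actA7A1.tmp",
     "ParentImage": r"C:\Users\lab\AppData\Local\Temp\kavremover.exe",
     "CommandLine": r'"C:\Users\lab\AppData\Local\Temp\actA7A1.tmp" run run-cmd "regsvr32.exe /u /s \"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\mcou.dll\""'},
    {"Image": r"C:\Users\lab\Desktop\RT_RCDATA503.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'RT_RCDATA503.exe run run-cmd "cmd /c whoami > whoami.txt"'},
    {"Image": EXTRACT_DIR + r"\cleanapi.exe",
     "ParentImage": r"C:\Users\lab\Downloads\kes_setup.exe",
     "CommandLine": f'"{EXTRACT_DIR}\\cleanapi.exe" -r -t 1 -n cleanapi.dll -d {EXTRACT_DIR}\\'},
    {"Image": r"C:\Users\lab\Desktop\cleanapi.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cleanapi.exe -n malware.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\lab\AppData\Local\Temp\act3CB2.tmp",
     "CommandLine": "notepad.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Users\lab\AppData\Local\Temp\act3CB2.tmp",
     "CommandLine": r'regsvr32.exe /u /s "C:\Program Files\ExampleAV\plugin.dll"'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Rule 1 treats the regsvr32 unregister from the post as the only known-good payload, so a legitimate KES rollout that removes a third-party product through its own uninstaller will also trip the "unexpected" variant; baseline it during planned installs rather than loosening the rule, since the planted-UninstallString case looks identical in telemetry.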
Kaspersky has published a security advisory on these findings, which you can find below.
List of Advisories
List of disclosed vulnerabilities in Kaspersky products and researchers that reported them to us.
Thanks for reading and I hope you found the post useful. If you want to chat about anything related to infosec I’m on Twitter @nas_bench