Message-ID: <601976772.20030320082908@LSS.hr>
Date: Thu, 20 Mar 2003 08:29:08 +1200
From: Bojan Zdrnja <Bojan.Zdrnja@....hr>
To: bugtraq@...urityfocus.com
Subject: Easy DoS on Kaspersky Anti-Hacker v1.0



Product: Kaspersky Anti-Hacker
Version: 1.0
Website: http://www.kaspersky.com/buyonline.html?info=967571

1. Introduction
---------------

Kaspersky Anti-Hacker is a Kaspersky Lab personal firewall product. Like other
products in this category, Kaspersky Anti-Hacker allows the creation of packet
and application filtering rules.

Among other things, Kaspersky Anti-Hacker includes a very simple Intrusion
Detection System. This IDS module is automatically activated upon installation
of the product. The IDS is capable of detecting only 7 attacks, including port
scanning and SYN/UDP flooding. Together with the IDS, the firewall can also
actively block detected attacks. This option (which is turned on by default)
makes DoS attacks on remote users running Kaspersky Anti-Hacker very easy.


2. Exploit
----------

If active blocking is turned on, upon detection of a known attack, Kaspersky
Anti-Hacker will block *ALL* traffic to the source IP address detected in the
attack. By sending spoofed packets to a remote machine running Kaspersky
Anti-Hacker, an attacker can easily deny legitimate traffic to any IP address.

Example with hping2:

# hping -S -i u1 -s +1025 -p +21 <victims_IP_address> -w 3072 -a \
<spoofed_IP_address>

Kaspersky Anti-Hacker will report this attack as a SYN flood and will
automatically block all traffic to spoofed_IP_address.

The same thing can be accomplished with nmap's decoy option:

# nmap -sS -P0 -D<spoofed_IP_address> <victims_IP_address>

This time Kaspersky Anti-Hacker will detect a port scanning attack and
automatically block all traffic to spoofed_IP_address.


3. Solution
-----------

Disable the Assaulter blocking time option. Kaspersky Anti-Hacker will still
report possible attacks, and the user can stop them manually.


4. Vendor
---------

Vendor notified, no response received.


Best regards,

Bojan Zdrnja
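
Added example, not part of the original advisory and not Kaspersky's code: a
small model of the blocking decision, showing the behaviour described above next
to a policy that blocks only on evidence a forged source address cannot produce.
The threshold, the allowlist, the event format and all addresses are assumptions
constructed for illustration.

```python
from collections import Counter

SYN_THRESHOLD = 100          # assumed: attempts per detection window that trigger the IDS
NEVER_BLOCK = {"192.0.2.1"}  # assumed allowlist: NAT gateway (constructed address)

def naive_block(events):
    """Active blocking as the advisory describes it: any source address that
    crosses the threshold is blocked, with no check that it is genuine."""
    attempts = Counter(e["src"] for e in events)
    return {ip for ip, n in attempts.items() if n >= SYN_THRESHOLD}

def hardened_decide(events):
    """Return {ip: "block" | "alert"} for every source over the threshold.
    Only completed three-way handshakes count toward an automatic block: the
    peer had to receive our SYN-ACK, which a blindly spoofed sender cannot do.
    Allowlisted or unverifiable sources are reported for manual handling."""
    attempts = Counter(e["src"] for e in events)
    completed = Counter(e["src"] for e in events if e["completed"])
    decisions = {}
    for ip, n in attempts.items():
        if n < SYN_THRESHOLD:
            continue
        provable = completed[ip] >= SYN_THRESHOLD and ip not in NEVER_BLOCK
        decisions[ip] = "block" if provable else "alert"
    return decisions

def sample_events():
    """Constructed events using documentation address ranges, not real traffic."""
    ev = [{"src": "192.0.2.53", "completed": False}] * 150   # forged: the DNS resolver
    ev += [{"src": "198.51.100.7", "completed": True}] * 120  # genuine connection flood
    ev += [{"src": "192.0.2.1", "completed": True}] * 110     # busy NAT gateway
    ev += [{"src": "203.0.113.9", "completed": True}] * 3     # ordinary client
    return ev

if __name__ == "__main__":
    events = sample_events()
    print("naive blocks:", sorted(naive_block(events)))
    print("hardened    :", hardened_decide(events))
```

The "alert" outcome corresponds to the workaround in section 3: the event is
still reported, and blocking is left to the user.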


