Message-ID: <4A8B42A2.80300@securityreason.com>
Date: Wed, 19 Aug 2009 02:09:06 +0200
From: Maksymilian Arciemowicz <cxib@...urityreason.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[ Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service ]
Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 10.07.2009
- - Pub.: 19.08.2009
Risk: Medium
Affected Software (tested):
- - Kaspersky Internet Security 2010 9.0.0.459 (a) EN
- - Kaspersky Anti-Virus 2010 9.0.0.463 DE
Original URL:
http://securityreason.com/achievement_securityalert/66
- --- 0.Description ---
Kaspersky Lab is a computer security company, co-founded by Natalia
Kasperskaya and Eugene Kaspersky in 1997, offering anti-virus,
anti-spyware, anti-spam, and anti-intrusion products. Kaspersky Lab is a
privately held company headquartered in Moscow, Russia with regional
offices in Germany, France, the Netherlands, the UK, Poland, Romania,
Sweden, Japan, China, Korea and the USA.
- --- 1. Kaspersky AV/IS 2010 avp.exe Denial of Service ---
The main problem lies in the parsing of URL addresses. If a URL contains
a lot of dots, the Kaspersky avp.exe process will use 100% of the CPU
and will block traffic from browsers.
The time needed to return to normal behavior is very long. In practice,
when the number of dots is large, Kaspersky will not return to normal
behavior.
This example will deny access to the browser and other Kaspersky
operations:
http://lu.cxib.net/.................[ .xY where 1024<Y]
It can be exploited remotely through HTML code (for example, sent by
email):
<img src="http://lu.cxib.net/..........................[ more dots ]">
The user who executes the code above will be deprived of the
possibility of browsing and successive reset of Kaspersky.
Tested on:
- - Kaspersky Internet Security 2010 9.0.0.459 (a) (EN) + Windows Vista
Enterprise (EN)
- - Kaspersky Anti-Virus 2010 9.0.0.463 (DE) + Windows XP Home Edition (DE)
The 0day (18.08.2009) exploit can be found at:
http://securityreason.com/downloads/kaspersky.2010.dos.html
This script generates <img> tags with different URL lengths to block
Kaspersky services.
This issue can also be exploited via HTML email. The method of attack
is simple: the victim only needs to refer to a faulty address.
- --- 2. Greets ---
sp3x Infospec Chujwamwdupe p_e_a pi3
- --- 3. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] securityreason [d0t} com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com/
http://securityreason.pl/
- --
Best Regards,
- ------------------------
pub 1024D/A6986BD6 2008-08-22
uid Maksymilian Arciemowicz (cxib)
<cxib@...urityreason.com>
sub 4096g/0889FA9A 2008-08-22
http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
-----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAkqLQqIACgkQpiCeOKaYa9aLxgCgy3FzzR5xPzU6QgoK1VpHpjur
paQAn3ku0sU5AzHjzjo3N0qq+Kywu7i1
=rQAP
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
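
Added example (not part of the original advisory or of any Kaspersky
code): a mail-gateway or proxy style check that flags HTML whose URL
attributes contain the long dot runs described in section 1. The names
find_dot_flood_urls, longest_dot_run, URL_ATTRS and the cut-off
MAX_DOT_RUN = 16 are assumptions; the advisory itself only reports the
hang for more than 1024 dots.

```python
import re
from html.parser import HTMLParser

# Attributes that make a mail client or browser fetch or follow a URL.
URL_ATTRS = {"src", "href", "background", "poster", "data", "action"}
# Assumed cut-off: legitimate URLs rarely contain more than a few
# consecutive dots; the advisory reports the hang above 1024 dots.
MAX_DOT_RUN = 16


def longest_dot_run(url: str) -> int:
    """Length of the longest run of consecutive '.' characters in url."""
    return max((len(m.group()) for m in re.finditer(r"\.+", url)), default=0)


class _UrlCollector(HTMLParser):
    """Collects (tag, attribute, url) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.urls = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lower-cased from HTMLParser.
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append((tag, name, value))


def find_dot_flood_urls(html: str, max_run: int = MAX_DOT_RUN):
    """Return (tag, attribute, dot_run, shortened_url) per suspicious URL."""
    collector = _UrlCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for tag, attr, url in collector.urls:
        run = longest_dot_run(url)
        if run > max_run:
            # Truncate the URL so the report itself stays small.
            findings.append((tag, attr, run, url[:40] + "..."))
    return findings


if __name__ == "__main__":
    # Constructed sample: one ordinary image and one with a 2000-dot path.
    sample = ('<p><img src="http://example.com/a/../logo.png">'
              '<img src="http://example.com/' + "." * 2000 + '"></p>')
    for finding in find_dot_flood_urls(sample):
        print(finding)
```

A gateway would quarantine or rewrite the message when the returned
list is non-empty, before the content reaches the scanned client.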