lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4A8B42A2.80300@securityreason.com>
Date: Wed, 19 Aug 2009 02:09:06 +0200
From: Maksymilian Arciemowicz <cxib@...urityreason.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
[ Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 10.07.2009
- - Pub.: 19.08.2009

Risk: Medium

Affected Software (tested):
- - Kaspersky Internet Security 2010 9.0.0.459 (a) EN
- - Kaspersky Anti-Virus 2010 9.0.0.463 DE

Original URL:
http://securityreason.com/achievement_securityalert/66


- --- 0.Description ---
Kaspersky Lab is a computer security company, co-founded by Natalia
Kasperskaya and Eugene Kaspersky in 1997, offering anti-virus,
anti-spyware, anti-spam, and anti-intrusion products. Kaspersky Lab is a
privately held company headquartered in Moscow, Russia with regional
offices in Germany, France, the Netherlands, the UK, Poland, Romania,
Sweden, Japan, China, Korea and the USA.

- --- 1. Kaspersky AV/IS 2010 avp.exe Denial of Service ---
The main problem exists in parsing url addresses. If we give a lot of
dots, kaspersky avp.exe proccess, will get 100% of CPU and will block
trafic via browsers.    
Relativistic time to return to normal behavior is very long. In
practice, when we give a large number of dots, kaspesky will not return
to normal behavior.

This example will denial access to the browser and other kaspersky
operations

http://lu.cxib.net/.................[ .xY where 1024<Y]

It can be exploited remotely by html code. (like: send email)

<img src="http://lu.cxib.net/..........................[ more dots ]">

The user who executed the code above, will be deprived of the
possibility of browsing and successive reset the kaspersky.

Tested on:
- - Kaspersky Internet Security 2010 9.0.0.459 (a) (EN) + Windows Vista
Enterprise (EN)
- - Kaspersky Anti-Virus 2010 9.0.0.463 (DE) + Windows XP Home Edition (DE)

0day (18.08.2009) exploit you can find:

http://securityreason.com/downloads/kaspersky.2010.dos.html

This script, will generate <img> tags with different url lenght to block
kaspersky services.

However we can exploit this issue via html email. The method of attack
is simple. The victim need only refer to a faulty address.

- --- 2. Greets ---
sp3x Infospec Chujwamwdupe p_e_a pi3

- --- 3. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] securityreason [d0t} com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com/
http://securityreason.pl/

- --
Best Regards,
- ------------------------
pub   1024D/A6986BD6 2008-08-22
uid                  Maksymilian Arciemowicz (cxib)
<cxib@...urityreason.com>
sub   4096g/0889FA9A 2008-08-22

http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
-----BEGIN PGP SIGNATURE-----
 
iEYEARECAAYFAkqLQqIACgkQpiCeOKaYa9aLxgCgy3FzzR5xPzU6QgoK1VpHpjur
paQAn3ku0sU5AzHjzjo3N0qq+Kywu7i1
=rQAP
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ