Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service

Published: 2009.08.20
Credit: Maksymilian Arciemowicz
Risk: Medium
CWE: CWE-399
CVE: CVE-2009-2966
Local: Yes
Remote: Yes

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

[ Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service ]

Author: Maksymilian Arciemowicz
Date:
- Dis.: 10.07.2009
- Pub.: 19.08.2009

Risk: Medium

Affected Software (tested):
- Kaspersky Internet Security 2010 9.0.0.459 (a) EN
- Kaspersky Anti-Virus 2010 9.0.0.463 DE

--- 0. Description ---
Kaspersky Lab is a computer security company, co-founded by Natalia Kasperskaya and Eugene Kaspersky in 1997, offering anti-virus, anti-spyware, anti-spam, and anti-intrusion products. Kaspersky Lab is a privately held company headquartered in Moscow, Russia with regional offices in Germany, France, the Netherlands, the UK, Poland, Romania, Sweden, Japan, China, Korea and the USA.

--- 1. Kaspersky AV/IS 2010 avp.exe Denial of Service ---
The main problem lies in the parsing of URL addresses. If a URL contains a large number of dots, the Kaspersky avp.exe process consumes 100% of the CPU and blocks traffic from browsers.
The time needed to return to normal behavior is very long. In practice, given a large number of dots, Kaspersky does not return to normal behavior.

This example denies access to the browser and to other Kaspersky operations:

http://lu.cxib.net/.................[ .xY where 1024<Y]

It can be exploited remotely via HTML code (for example, by sending an email):

<img src="http://lu.cxib.net/..........................[ more dots ]">

The user who executes the code above will be deprived of the possibility of browsing and will subsequently have to reset Kaspersky.

Tested on:
- Kaspersky Internet Security 2010 9.0.0.459 (a) (EN) + Windows Vista Enterprise (EN)
- Kaspersky Anti-Virus 2010 9.0.0.463 (DE) + Windows XP Home Edition (DE)

The 0day (18.08.2009) exploit can be found at:

http://securityreason.com/downloads/kaspersky.2010.dos.html

This script generates <img> tags with different URL lengths to block Kaspersky services.

However, this issue can also be exploited via HTML email. The method of attack is simple: the victim only needs to refer to a faulty address.
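
A defensive check for the delivery path described above, as an added example that is not part of the original advisory: it scans HTML (for instance a mail body at a gateway) for URL-bearing attributes that contain long runs of dots. The threshold `MAX_DOT_RUN`, the attribute list and the `example.test` host are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed policy threshold, not taken from the advisory (which reports the
# hang for more than 1024 dots): flag any URL with this many consecutive dots.
MAX_DOT_RUN = 32
# Assumed set of attributes that can make a client fetch or follow a URL.
URL_ATTRS = {"src", "href", "background", "action"}
DOT_RUN = re.compile(r"\.+")  # simple pattern, scans the string in linear time


def longest_dot_run(url):
    """Return the length of the longest run of consecutive '.' in a URL."""
    return max((len(m.group()) for m in DOT_RUN.finditer(url)), default=0)


class DotRunScanner(HTMLParser):
    """Collects (tag, attribute, run length) for URLs over the threshold."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        for name, value in attrs:
            if name in URL_ATTRS and value:
                run = longest_dot_run(value)
                if run >= MAX_DOT_RUN:
                    self.findings.append((tag, name, run))


def scan_html(html):
    """Return the findings for one HTML document or mail body."""
    scanner = DotRunScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    # Constructed sample body: one benign image, one URL with 2000 dots.
    sample = ('<p>hi</p><img src="http://example.test/a/../logo.v1.png">'
              '<img src="http://example.test/' + "." * 2000 + '">')
    for tag, attr, run in scan_html(sample):
        print(f"suspicious <{tag} {attr}=...>: {run} consecutive dots")
```

A gateway or proxy can quarantine or rewrite any message for which `scan_html` returns findings before the content reaches a client running an affected version.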

--- 2. Contact ---
Author: Maksymilian Arciemowicz

References:

http://www.osvdb.org/57173
http://www.h-online.com/security/Kaspersky-confirm-and-close-DoS-vulnerability--/news/114077



Copyright 2016, cxsecurity.com