Bug: Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service (WLB-2009080044 Ascii Version)

English Version
WLB2

CVE WLB2

WLB2
Full List
Bugs
Bogus
Tricks
Exploits
CVE MAP
Full List
Vendors
Products
Tools
CWE Dictionary
Google Hacking
Search
General
CVE
CWE
RSS
Full List
Bugs
Exploits
Dorks
Information
Our services
Add note
About
Submit

To add a note,

use this form

or send email to

submit@cxsecurity.com

When contacting via email, we recommend coded messages.

Get our PGP public key

 Topic: Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service
 Credit: Maksymilian Arciemowicz
 Date: 2009.08.20
 CWE: CWE-399 (Show similar)
 CVE: CVE-2009-2966 (Show details)

Use CVE to see details like:
- CVSS2,
- Affected Software,
- References

Risk
Local
Remote
Medium
Yes
Yes

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 10.07.2009
- - Pub.: 19.08.2009

Risk: Medium

Affected Software (tested):
- - Kaspersky Internet Security 2010 9.0.0.459 (a) EN
- - Kaspersky Anti-Virus 2010 9.0.0.463 DE

Original URL:
http://securityreason.com/achievement_securityalert/66


- --- 0.Description ---
Kaspersky Lab is a computer security company, co-founded by Natalia Kasperskaya and Eugene Kaspersky in 1997, offering
anti-virus, anti-spyware, anti-spam, and anti-intrusion products. Kaspersky Lab is a privately held company
headquartered in Moscow, Russia with regional offices in Germany, France, the Netherlands, the UK, Poland, Romania,
Sweden, Japan, China, Korea and the USA.

- --- 1. Kaspersky AV/IS 2010 avp.exe Denial of Service ---
The main problem exists in parsing url addresses. If we give a lot of dots, kaspersky avp.exe proccess, will get 100% of
CPU and will block trafic via browsers.
Relativistic time to return to normal behavior is very long. In practice, when we give a large number of dots, kaspesky
will not return to normal behavior.

This example will denial access to the browser and other kaspersky operations

http://lu.cxib.net/.................[ .xY where 1024<Y]

It can be exploited remotely by html code. (like: send email)

<img src="http://lu.cxib.net/..........................[ more dots ]">

The user who executed the code above, will be deprived of the possibility of browsing and successive reset the
kaspersky.

Tested on:
- - Kaspersky Internet Security 2010 9.0.0.459 (a) (EN) + Windows Vista Enterprise (EN)
- - Kaspersky Anti-Virus 2010 9.0.0.463 (DE) + Windows XP Home Edition (DE)

0day (18.08.2009) exploit you can find:

http://securityreason.com/downloads/kaspersky.2010.dos.html

This script, will generate <img> tags with different url lenght to block kaspersky services.

However we can exploit this issue via html email. The method of attack is simple. The victim need only refer to a faulty
address.

- --- 2. Greets ---
sp3x Infospec Chujwamwdupe p_e_a pi3

- --- 3. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] securityreason [d0t} com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com/
http://securityreason.pl/
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkqKxicACgkQpiCeOKaYa9aZ1QCcDNMKAgC28dZQUe8WM61z4Yyx
T0sAoNUqi8WF4EtlGjbo0MAOK5FNMY7N
=09nf
-----END PGP SIGNATURE-----

References:

http://securityreason.com/achievement_securityalert/66
http://securityreason.com/downloads/kaspersky.2010.dos.html

[ ASCII VERSION ]
Copyright 2012, cxsecurity.com