Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service (CXSecurity Research WLB2)


 Topic: Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service
 Author: Maksymilian Arciemowicz
 Date: 2009.08.19
 Risk: Medium
 Local: Yes
 Remote: Yes

Kaspersky Lab fixes vulnerability in the company’s antivirus products

Kaspersky Lab, a leading developer of secure content management systems, has closed a vulnerability that arose when
parsing specially formed URL addresses. Information about the vulnerability, which results in a system hang, was
published on http://cxsecurity.com on 19 August.

The DoS (Denial of Service) vulnerability reported by an independent analyst was caused by a faulty signature. Kaspersky
Internet Security 2010 and Kaspersky Anti-Virus 2010 were affected by the problem. When parsing URL addresses formed in
a certain way, including URLs in email messages, CPU usage could reach 100% and block all web traffic.

There have been no reported instances of system failure caused by this signature since it was included in antivirus
databases. Had this vulnerability been exploited by cybercriminals, nothing more serious than the computer hang would
have happened.

The faulty signature was modified in the next database update on the same day, which means the vulnerability has been
completely removed. The company is constantly perfecting its procedures for product testing and releasing updates in
order to prevent such errors from occurring in future.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service ]

Author: Maksymilian Arciemowicz
http://CXSecurity.com
Date:
- - Dis.: 10.07.2009
- - Pub.: 19.08.2009

Risk: Medium

Affected Software (tested):
- - Kaspersky Internet Security 2010 9.0.0.459 (a) EN
- - Kaspersky Anti-Virus 2010 9.0.0.463 DE

Original URL:
http://cxsecurity.com/research/66


- --- 0.Description ---
Kaspersky Lab is a computer security company, co-founded by Natalia Kasperskaya and Eugene Kaspersky in 1997, offering
anti-virus, anti-spyware, anti-spam, and anti-intrusion products. Kaspersky Lab is a privately held company
headquartered in Moscow, Russia with regional offices in Germany, France, the Netherlands, the UK, Poland, Romania,
Sweden, Japan, China, Korea and the USA.

- --- 1. Kaspersky AV/IS 2010 avp.exe Denial of Service ---
The main problem lies in the parsing of URL addresses. If a URL contains a lot of dots, the Kaspersky avp.exe process
takes 100% of the CPU and blocks traffic from browsers.
The time needed to return to normal behavior is very long. In practice, given a large number of dots, Kaspersky
will not return to normal behavior.

This example denies access to the browser and to other Kaspersky operations:

http://lu.cxib.net/.................[ .xY where 1024<Y]

It can be exploited remotely through HTML code (for example, sent by email):

<img src="http://lu.cxib.net/..........................[ more dots ]">

The user who executed the code above will be deprived of the possibility of browsing and successive reset of
Kaspersky.

Tested on:
- - Kaspersky Internet Security 2010 9.0.0.459 (a) (EN) + Windows Vista Enterprise (EN)
- - Kaspersky Anti-Virus 2010 9.0.0.463 (DE) + Windows XP Home Edition (DE)

The 0day (18.08.2009) exploit can be found at:

http://cxsecurity.com/downloads/kaspersky.2010.dos.html

This script generates <img> tags with different URL lengths to block Kaspersky services.

However, this issue can also be exploited via HTML email. The method of attack is simple: the victim need only refer
to a faulty address.

- --- 2. Greets ---
Infospec Chujwamwdupe p_e_a pi3

- --- 3. Contact ---
Author: CXSecurity.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] cxsecurity [d0t} com
GPG: http://cxsecurity.com/key/Arciemowicz.Maksymilian.gpg
http://cxsecurity.com/
http://cxsecurity.pl/
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkqKxicACgkQpiCeOKaYa9aZ1QCcDNMKAgC28dZQUe8WM61z4Yyx
T0sAoNUqi8WF4EtlGjbo0MAOK5FNMY7N
=09nf
-----END PGP SIGNATURE-----
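
A defensive check for the pattern described in section 1, added here as an example and not part of the original advisory or of any Kaspersky code: it scans an HTML body (such as an email part) for URL-bearing attributes whose value contains a run of more than 1024 consecutive dots. The attribute list, the function names and the example.invalid hosts are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The advisory gives the trigger as a dot run of length Y with 1024 < Y.
DOT_RUN_THRESHOLD = 1024
# Assumed set of attributes that make a client fetch or follow a URL.
URL_ATTRS = {"src", "href", "background", "action"}


def longest_dot_run(url):
    """Length of the longest run of consecutive '.' anywhere in the URL."""
    return max((len(m) for m in re.findall(r"\.+", url)), default=0)


class _UrlCollector(HTMLParser):
    """Collects (tag, url) pairs from URL-bearing attributes."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append((tag, value))


def find_dot_flood_urls(html, threshold=DOT_RUN_THRESHOLD):
    """Return (tag, host, dot_run) for every URL whose dot run exceeds threshold."""
    collector = _UrlCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for tag, url in collector.urls:
        run = longest_dot_run(url)
        if run > threshold:
            try:
                host = urlsplit(url).hostname
            except ValueError:  # malformed authority part
                host = None
            hits.append((tag, host, run))
    return hits


# Constructed sample body for this example (not the advisory's exploit page).
SAMPLE_HTML = (
    '<p>hello</p><img src="http://cdn.example.invalid/img/logo.v2.png">'
    '<img src="http://host.example.invalid/' + "." * 1100 + '">'
)
```

A mail gateway or proxy filter would usually run this with a much lower threshold, since legitimate URLs rarely contain more than a few consecutive dots.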

Copyright 2012, cxsecurity.com