
kaspersky-dos.txt

Posted on 23 August 2009

[ Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- Dis.: 10.07.2009
- Pub.: 19.08.2009

Risk: Medium

Affected Software (tested):
- Kaspersky Internet Security 2010 9.0.0.459 (a) EN
- Kaspersky Anti-Virus 2010 9.0.0.463 DE

Original URL:
http://securityreason.com/achievement_securityalert/66

--- 0. Description ---
Kaspersky Lab is a computer security company, co-founded by Natalia Kasperskaya and Eugene Kaspersky in 1997, offering anti-virus, anti-spyware, anti-spam, and anti-intrusion products. Kaspersky Lab is a privately held company headquartered in Moscow, Russia with regional offices in Germany, France, the Netherlands, the UK, Poland, Romania, Sweden, Japan, China, Korea and the USA.

--- 1. Kaspersky AV/IS 2010 avp.exe Denial of Service ---
The main problem lies in the parsing of URL addresses. If a URL contains a large number of dots, the Kaspersky avp.exe process consumes 100% of the CPU and blocks traffic from browsers. The time needed to return to normal behavior is very long. In practice, when given a large number of dots, Kaspersky does not return to normal behavior.

This example will deny access to the browser and other Kaspersky operations:

http://lu.cxib.net/.................[.xY where 1024<Y]

It can be exploited remotely through HTML code (for example, sent by email):

<img src="http://lu.cxib.net/..........................[more dots ]">

The user who executes the code above will be deprived of the possibility of browsing and of subsequently resetting Kaspersky.

Tested on:
- Kaspersky Internet Security 2010 9.0.0.459 (a) (EN) + Windows Vista Enterprise (EN)
- Kaspersky Anti-Virus 2010 9.0.0.463 (DE) + Windows XP Home Edition (DE)

The 0day (18.08.2009) exploit can be found at:
http://securityreason.com/downloads/kaspersky.2010.dos.html

This script generates <img> tags with different URL lengths to block Kaspersky services. However, this issue can also be exploited via HTML email. The method of attack is simple: the victim need only refer to a faulty address.

--- 2. Greets ---
sp3x Infospec Chujwamwdupe p_e_a pi3

--- 3. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] securityreason [d0t} com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com/
http://securityreason.pl/

--
Best Regards,
------------------------
pub 1024D/A6986BD6 2008-08-22
uid Maksymilian Arciemowicz (cxib) <cxib@securityreason.com>
sub 4096g/0889FA9A 2008-08-22

http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
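As an added example (not part of the original advisory and not SecurityReason's code), a mail gateway or proxy could flag the pattern from section 1 by measuring the longest run of dots in URLs embedded in HTML. The threshold of 64, the attribute list, the function names and the example.test host are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Assumed threshold: a run this long is already abnormal in a URL path and
# sits well below the advisory's Y > 1024.
MAX_DOT_RUN = 64
URL_ATTRS = {"src", "href", "background", "poster"}  # assumed attribute list

def longest_dot_run(url):
    """Longest run of '.' in the path/query, counting %2E-encoded dots."""
    try:
        parts = urlsplit(url)
        tail = unquote(parts.path + "?" + parts.query)
    except ValueError:  # unparsable authority: scan the raw string instead
        tail = unquote(url)
    return max((len(m) for m in re.findall(r"\.+", tail)), default=0)

class UrlCollector(HTMLParser):
    """Collects (tag, attribute, url) for every URL-bearing attribute."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append((tag, name, value))

def scan_html(html, max_run=MAX_DOT_RUN):
    """Return [(tag, attr, dot_run)] for URLs whose dot run exceeds max_run."""
    collector = UrlCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for tag, attr, url in collector.urls:
        run = longest_dot_run(url)
        if run > max_run:
            hits.append((tag, attr, run))
    return hits

# Constructed sample message body; example.test is a placeholder host.
SAMPLE = (
    '<html><body><p>Quarterly report attached.</p>'
    '<img src="http://static.example.test/img/logo.v2.png">'
    '<a href="http://example.test/a/../b/index.html">link</a>'
    '<img src="http://example.test/' + "." * 1500 + '">'
    '</body></html>'
)

if __name__ == "__main__":
    print(scan_html(SAMPLE))
```

Ordinary relative-path segments such as `..` stay far below the threshold, so only the oversized run is reported.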

 
