


Category:   Application (Security)  >   Kaspersky Anti-Hacker
Vendors:   Kaspersky Lab
Kaspersky Anti-Hacker Personal Firewall Can Be Made to Block Connections
SecurityTracker Alert ID:  1006327
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 20 2003
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 1.0
Description:   A denial of service vulnerability was reported in the Kaspersky Anti-Hacker personal firewall software. A remote user can cause the firewall to block connections.

The firewall's intrusion detection active blocking feature, which is enabled by default, can be exploited by a remote user to deny service to the target system. A remote user can send spoofed attack packets to the target system to cause the firewall software to invoke the blocking protections and block all traffic between the spoofed address and the target system.

A demonstration exploit using the hping2 utility is provided:

# hping -S -i u1 -s +1025 -p +21 <victims_IP_address> -w 3072 -a \

This exploit will be detected by the firewall as a TCP SYN flood attack, causing the firewall to block all traffic to and from the spoofed address.

The vendor has reportedly been notified without response.

Impact:   A remote user can cause the firewall to block communications with specified hosts.
Solution:   No vendor solution was available at the time of this entry.

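As a workaround, the report indicates that you can disable the "Assaulter blocking time" option. The firewall will still report detected attacks, which the user can then stop manually.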

Vendor URL:
Cause:   State error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  Easy DoS on Kaspersky Anti-Hacker v1.0

Product: Kaspersky Anti-Hacker
Version: 1.0

1. Introduction

Kaspersky Anti-Hacker is a Kaspersky Lab personal firewall product. Like other
products in this category, Kaspersky Anti-Hacker allows creation of packet
and application filtering rules.

Among other things, Kaspersky Anti-Hacker includes a very simple version
of an Intrusion Detection System. This IDS module is automatically activated upon
installation of the product. The IDS is capable of detecting only 7 attacks, including
port scanning and SYN/UDP flooding. Together with the IDS, the firewall also has the
option of actively blocking detected attacks. This option (which is turned
on by default) makes DoS attacks on remote users running Kaspersky Anti-Hacker
very easy.

2. Exploit

If active blocking is turned on, upon detection of a known attack, Kaspersky
Anti-Hacker will block *ALL* traffic to the source IP address detected in the attack.
By sending spoofed packets to a remote machine running Kaspersky Anti-Hacker, an
attacker can easily deny legitimate traffic to any IP address.

Example with hping2:

# hping -S -i u1 -s +1025 -p +21 <victims_IP_address> -w 3072 -a \

Kaspersky Anti-Hacker will report this attack as a SYN flood and will
automatically block all traffic to spoofed_IP_address.

The same thing can be accomplished with nmap's decoy option:

# nmap -sS -P0 -D<spoofed_IP_address> <victims_IP_address>

This time Kaspersky Anti-Hacker will detect a port scanning attack and
automatically block all traffic to spoofed_IP_address.

3. Solution

Disable the Assaulter blocking time option. Kaspersky Anti-Hacker will still report
possible attacks and the user can stop them manually.

4. Vendor

Vendor notified, no response received.

Best regards,

Bojan Zdrnja
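
The failure mode and workaround described above, modelled as an added example (not code from the advisory, the reporter or Kaspersky Lab): it compares the default active-blocking response with the report-only workaround over the same traffic. The detection threshold, the event format, the `guarded` policy and its `protected` list are assumptions for illustration, and the addresses are constructed RFC 5737 documentation addresses.

```python
from collections import Counter

SYN_THRESHOLD = 100  # assumed threshold; the product's real value is not on the page

def syn_flood_sources(events, threshold=SYN_THRESHOLD):
    """Map each source that reached the SYN threshold to whether it ever
    completed a TCP handshake (something a blind spoofer cannot do)."""
    syns = Counter(src for src, kind in events if kind == "SYN")
    verified = {src for src, kind in events if kind == "ESTABLISHED"}
    return {src: src in verified for src, n in syns.items() if n >= threshold}

def respond(events, policy, protected=frozenset()):
    """Return (blocked, alerts) for one of three response policies.

    active      - block every detected source (the default behaviour described)
    report_only - alert only (the advisory's workaround)
    guarded     - hypothetical: block only handshake-verified, unprotected sources
    """
    if policy not in ("active", "report_only", "guarded"):
        raise ValueError(f"unknown policy: {policy}")
    blocked, alerts = set(), []
    for src, verified in sorted(syn_flood_sources(events).items()):
        alerts.append(src)  # every policy still reports the detection
        if policy == "active":
            blocked.add(src)  # acts on an unverified source address
        elif policy == "guarded" and verified and src not in protected:
            blocked.add(src)
    return blocked, alerts

# Constructed sample traffic as seen by the firewall host.
DNS_SERVER = "192.0.2.53"     # legitimate peer whose address appears in forged SYNs
REAL_FLOODER = "203.0.113.9"  # source that really connects, so its address is verified
EVENTS = (
    [(DNS_SERVER, "SYN")] * 150
    + [(REAL_FLOODER, "SYN")] * 120 + [(REAL_FLOODER, "ESTABLISHED")] * 120
    + [("198.51.100.7", "SYN"), ("198.51.100.7", "ESTABLISHED")]  # normal client
)

if __name__ == "__main__":
    for policy in ("active", "report_only", "guarded"):
        blocked, alerts = respond(EVENTS, policy, protected={DNS_SERVER})
        print(f"{policy:12} alerts={alerts} blocked={sorted(blocked)}")
```

Under `active` the firewall host loses its own DNS server because the block decision rests on a source address nobody verified; `report_only` keeps the alert without the self-inflicted outage.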

