SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Security)  >   Kaspersky Internet Security
Vendors:   Kaspersky Lab
Kaspersky Internet Security 'klif.sys' Driver Lets Local Users Deny Service
SecurityTracker Alert ID:  1018257
SecurityTracker URL:  http://securitytracker.com/id/1018257
CVE Reference:   CVE-2006-3074
Updated:  May 11 2008
Original Entry Date:  Jun 15 2007
Impact:   Denial of service via local system
Exploit Included:  Yes  
Version(s): Tested on 6.0.2.614 and 6.0.2.621
Description:   Matousec reported a vulnerability in Kaspersky Internet Security. A local user can cause denial of service conditions.

The software hooks several System Service Descriptor Table (SSDT) functions but does not properly validate the arguments passed in from user mode. Calls to the NtCreateKey, NtCreateProcess, NtCreateProcessEx, NtCreateSection, NtCreateSymbolicLinkObject, NtCreateThread, NtLoadKey2, NtOpenKey, and NtOpenProcess functions are affected. A local user can supply specially crafted values to trigger an error in the 'klif.sys' driver and cause the target system to crash.

The vendor was notified on May 14, 2007.

The original advisory is available at:

http://www.matousec.com/info/advisories/Kaspersky-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php
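
The argument validation a hooked system service needs before touching user-supplied values, shown as an added example in portable C (a user-space model, not code from Kaspersky, Matousec, or SecurityTracker). The address layout, `attrs_t`, `probe`, `hook_open_key`, and `put_attrs` are hypothetical, and it assumes the invalid values are bad pointers or lengths; in a real driver the range check and copy would be `ProbeForRead` and a capture inside `__try`/`__except`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: "user space" is one mapped region at USER_BASE. */
#define USER_BASE 0x10000u
#define USER_SIZE 0x1000u
#define MAX_NAME  64u
static uint8_t user_mem[USER_SIZE];
enum { ST_OK = 0, ST_ACCESS_VIOLATION = -1, ST_INVALID_PARAMETER = -2 };

/* Hypothetical argument block, loosely modelled on OBJECT_ATTRIBUTES. */
typedef struct { uint32_t length, name_len, name_ptr; } attrs_t;

/* Range/alignment check in the spirit of ProbeForRead: reject NULL,
   misalignment, 32-bit wrap-around, and anything outside the user region. */
static int probe(uint32_t addr, uint32_t len, uint32_t align) {
    if (addr == 0 || addr % align != 0) return 0;
    if (addr + len < addr) return 0;
    return addr >= USER_BASE && addr + len <= USER_BASE + USER_SIZE;
}

/* Hardened hook body: probe, capture once, then use only the captured copy. */
int hook_open_key(uint32_t user_attrs, char *name_out /* MAX_NAME+1 bytes */) {
    attrs_t a;
    if (!probe(user_attrs, sizeof a, 4)) return ST_ACCESS_VIOLATION;
    memcpy(&a, &user_mem[user_attrs - USER_BASE], sizeof a); /* single fetch */
    if (a.length != sizeof a || a.name_len > MAX_NAME) return ST_INVALID_PARAMETER;
    if (!probe(a.name_ptr, a.name_len, 1)) return ST_ACCESS_VIOLATION;
    memcpy(name_out, &user_mem[a.name_ptr - USER_BASE], a.name_len);
    name_out[a.name_len] = '\0';
    return ST_OK;
}

/* Helper: place a constructed argument block in simulated user memory. */
uint32_t put_attrs(uint32_t off, uint32_t length, uint32_t name_len, uint32_t name_ptr) {
    attrs_t a = { length, name_len, name_ptr };
    memcpy(&user_mem[off], &a, sizeof a);
    return USER_BASE + off;
}

int main(void) {
    char name[MAX_NAME + 1];
    memcpy(&user_mem[0x100], "Software", 8);   /* constructed sample name */
    uint32_t ok = put_attrs(0, sizeof(attrs_t), 8, USER_BASE + 0x100);
    printf("valid=%d null=%d kernel_ptr=%d\n", hook_open_key(ok, name),
           hook_open_key(0, name), hook_open_key(0x80000000u, name));
    return 0;
}
```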

Impact:   A local user can cause the target system to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.kaspersky.com/
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Kaspersky Multiple insufficient argument validation of hooked SSDT

Hello,

We would like to inform you about a vulnerability in Kaspersky Internet Security 6.


Description:

Kaspersky Internet Security hooks many functions in SSDT and in at least nine cases it 
fails to validate arguments that come from the user mode. User calls to NtCreateKey, 
NtCreateProcess, NtCreateProcessEx, NtCreateSection, NtCreateSymbolicLinkObject, 
NtCreateThread, NtLoadKey2, NtOpenKey, NtOpenProcess with invalid argument values can 
cause system crashes because of errors in KIS driver klif.sys. Further impacts of this 
bug (like arbitrary code execution in the kernel mode) were not examined.

Note: A similar vulnerability in klif.sys driver has been published recently by an 
independent security researcher. In that report, the list of vulnerable functions also 
contains NtDeleteValueKey, NtOpenSection and NtQueryValueKey.


Vulnerable software:

    * Kaspersky Internet Security 6.0.2.621
    * Kaspersky Internet Security 6.0.2.614
    * probably all older versions of Kaspersky Internet Security 6
    * possibly older versions of Kaspersky Internet Security and other Kaspersky products that use klif.sys driver



More details and a proof of concept including its source code are available here:
http://www.matousec.com/info/advisories/Kaspersky-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php


Regards,

-- 
Matousec - Transparent security Research
http://www.matousec.com/




 
 



Copyright 2020, SecurityGlobal.net LLC