SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   Kaspersky Internet Security Vendors:   Kaspersky Lab
Kaspersky Internet Security URL Parsing Error Lets Remote Users Deny Service
SecurityTracker Alert ID:  1022755
SecurityTracker URL:  http://securitytracker.com/id/1022755
CVE Reference:   CVE-2009-2966   (Links to External Site)
Updated:  Aug 27 2009
Original Entry Date:  Aug 20 2009
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2010 9.0.0.459 (a)
Description:   A vulnerability was reported in Kaspersky Internet Security. A remote user can cause denial of service conditions.

A remote user can create a specially crafted URL that, when processed by the target user's 'avp.exe' process, will cause the process to consume excessive CPU resources.

A demonstration exploit URL is provided:

http://[target]/.................[ .xY where 1024<Y]

The vulnerability can also be exploited via HTML-based e-mail.

Maksymilian Arciemowicz of SecurityReason.com reported this vulnerability.

Impact:   A remote user can cause excessive CPU consumption on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.kaspersky.com/ (Links to External Site)
Cause:   Resource error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
[ Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 10.07.2009
- - Pub.: 19.08.2009

Risk: Medium

Affected Software (tested):
- - Kaspersky Internet Security 2010 9.0.0.459 (a) EN
- - Kaspersky Anti-Virus 2010 9.0.0.463 DE

Original URL:
http://securityreason.com/achievement_securityalert/66


- --- 0.Description ---
Kaspersky Lab is a computer security company, co-founded by Natalia
Kasperskaya and Eugene Kaspersky in 1997, offering anti-virus,
anti-spyware, anti-spam, and anti-intrusion products. Kaspersky Lab is a
privately held company headquartered in Moscow, Russia with regional
offices in Germany, France, the Netherlands, the UK, Poland, Romania,
Sweden, Japan, China, Korea and the USA.

- --- 1. Kaspersky AV/IS 2010 avp.exe Denial of Service ---
The main problem exists in parsing url addresses. If we give a lot of
dots, kaspersky avp.exe proccess, will get 100% of CPU and will block
trafic via browsers.    
Relativistic time to return to normal behavior is very long. In
practice, when we give a large number of dots, kaspesky will not return
to normal behavior.

This example will denial access to the browser and other kaspersky
operations

http://lu.cxib.net/.................[ .xY where 1024<Y]

It can be exploited remotely by html code. (like: send email)

<img src="http://lu.cxib.net/..........................[ more dots ]">

The user who executed the code above, will be deprived of the
possibility of browsing and successive reset the kaspersky.

Tested on:
- - Kaspersky Internet Security 2010 9.0.0.459 (a) (EN) + Windows Vista
Enterprise (EN)
- - Kaspersky Anti-Virus 2010 9.0.0.463 (DE) + Windows XP Home Edition (DE)

0day (18.08.2009) exploit you can find:

http://securityreason.com/downloads/kaspersky.2010.dos.html

This script, will generate <img> tags with different url lenght to block
kaspersky services.

However we can exploit this issue via html email. The method of attack
is simple. The victim need only refer to a faulty address.

- --- 2. Greets ---
sp3x Infospec Chujwamwdupe p_e_a pi3

- --- 3. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] securityreason [d0t} com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com/
http://securityreason.pl/

- --
Best Regards,
- ------------------------
pub   1024D/A6986BD6 2008-08-22
uid                  Maksymilian Arciemowicz (cxib)
<cxib@securityreason.com>
sub   4096g/0889FA9A 2008-08-22

http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
-----BEGIN PGP SIGNATURE-----
 
iEYEARECAAYFAkqLQqIACgkQpiCeOKaYa9aLxgCgy3FzzR5xPzU6QgoK1VpHpjur
paQAn3ku0sU5AzHjzjo3N0qq+Kywu7i1
=rQAP
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC