Kaspersky AV/IS 2010 Denial Of Service

2009-08-23T00:00:00
ID PACKETSTORM:80523
Type packetstorm
Reporter Maksymilian Arciemowicz
Modified 2009-08-23T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
[ Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service ]  
  
Author: Maksymilian Arciemowicz  
http://SecurityReason.com  
Date:  
- - Dis.: 10.07.2009  
- - Pub.: 19.08.2009  
  
Risk: Medium  
  
Affected Software (tested):  
- - Kaspersky Internet Security 2010 9.0.0.459 (a) EN  
- - Kaspersky Anti-Virus 2010 9.0.0.463 DE  
  
Original URL:  
http://securityreason.com/achievement_securityalert/66  
  
  
- --- 0.Description ---  
Kaspersky Lab is a computer security company, co-founded by Natalia  
Kasperskaya and Eugene Kaspersky in 1997, offering anti-virus,  
anti-spyware, anti-spam, and anti-intrusion products. Kaspersky Lab is a  
privately held company headquartered in Moscow, Russia with regional  
offices in Germany, France, the Netherlands, the UK, Poland, Romania,  
Sweden, Japan, China, Korea and the USA.  
  
- --- 1. Kaspersky AV/IS 2010 avp.exe Denial of Service ---  
The main problem lies in the parsing of URL addresses. If a URL contains a lot of  
dots, the Kaspersky avp.exe process will use 100% of the CPU and will block  
traffic via browsers.  
The time needed to return to normal behavior is very long. In  
practice, when we give a large number of dots, Kaspersky will not return  
to normal behavior.  
  
This example will deny access to the browser and other Kaspersky  
operations:  
  
http://lu.cxib.net/.................[.xY where 1024<Y]  
  
It can be exploited remotely by HTML code (for example, sent by email).  
  
<img src="http://lu.cxib.net/..........................[more dots ]">  
  
The user who executed the code above will be deprived of the  
possibility of browsing and successive reset of Kaspersky.  
  
Tested on:  
- - Kaspersky Internet Security 2010 9.0.0.459 (a) (EN) + Windows Vista  
Enterprise (EN)  
- - Kaspersky Anti-Virus 2010 9.0.0.463 (DE) + Windows XP Home Edition (DE)  
  
The 0day (18.08.2009) exploit can be found at:  
  
http://securityreason.com/downloads/kaspersky.2010.dos.html  
  
This script will generate <img> tags with different URL lengths to block  
Kaspersky services.  
  
However, we can also exploit this issue via HTML email. The method of attack  
is simple: the victim need only refer to a faulty address.  
  
- --- 2. Greets ---  
sp3x Infospec Chujwamwdupe p_e_a pi3  
  
- --- 3. Contact ---  
Author: SecurityReason.com [ Maksymilian Arciemowicz ]  
Email: cxib {a.t] securityreason [d0t} com  
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg  
http://securityreason.com/  
http://securityreason.pl/  
  
- --  
Best Regards,  
- ------------------------  
pub 1024D/A6986BD6 2008-08-22  
uid Maksymilian Arciemowicz (cxib)  
<cxib@securityreason.com>  
sub 4096g/0889FA9A 2008-08-22  
  
http://securityreason.com  
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg  
-----BEGIN PGP SIGNATURE-----  
  
iEYEARECAAYFAkqLQqIACgkQpiCeOKaYa9aLxgCgy3FzzR5xPzU6QgoK1VpHpjur  
paQAn3ku0sU5AzHjzjo3N0qq+Kywu7i1  
=rQAP  
-----END PGP SIGNATURE-----  
`
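
A defensive check for the condition described in section 1, as an added example that is not part of the original advisory: it scans an HTML mail body or page for URL attributes whose longest run of dots exceeds the advisory's 1024 threshold, so a mail or web gateway can quarantine the content before a vulnerable client fetches it. The function names, the attribute list, the `.example` hosts and the decision to count percent-encoded dots (`%2e`) are assumptions; the sample mail is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

DOT_RUN_LIMIT = 1024  # advisory: the hang needs a dot run Y with 1024 < Y
URL_ATTRS = {"src", "href", "background", "action", "poster"}  # assumed list


def longest_dot_run(url: str) -> int:
    """Length of the longest run of consecutive dots in a URL."""
    # Assumption: the advisory does not say whether %2E triggers the hang,
    # so encoded dots are decoded and counted to stay on the safe side.
    decoded = unquote(url)
    return max((len(run) for run in re.findall(r"\.+", decoded)), default=0)


class _UrlCollector(HTMLParser):
    """Collects (tag, attribute, value) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append((tag, name, value))


def flag_dot_flood(html: str, limit: int = DOT_RUN_LIMIT):
    """Return (tag, attribute, dot_run) for each URL whose dot run exceeds limit."""
    collector = _UrlCollector()
    collector.feed(html)
    collector.close()
    runs = ((tag, attr, longest_dot_run(url)) for tag, attr, url in collector.urls)
    return [hit for hit in runs if hit[2] > limit]


# Constructed sample: one ordinary image, one dot-flood image, one encoded variant.
SAMPLE_MAIL = (
    '<html><body><p>Quarterly report</p>'
    '<img src="http://files.example/logo.v2.png">'
    '<img src="http://mail.example/' + "." * 1500 + '">'
    '<a href="http://mail.example/' + "%2e" * 1100 + '">open</a>'
    '</body></html>'
)

if __name__ == "__main__":
    for tag, attr, run in flag_dot_flood(SAMPLE_MAIL):
        print(f"quarantine: <{tag} {attr}=...> contains a run of {run} dots")
```
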