Kaspersky Lab
ShineShadow Security Report 16122009-15
TITLE
Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability
BACKGROUND
Due to its high level of professionalism and dedication, Kaspersky Lab has become a market leader in the development of antivirus protection. The company’s main product, Kaspersky Anti-Virus, regularly receives top awards in tests conducted by respected international research centers and IT publications. Kaspersky Lab was the first to develop many technological standards in the antivirus industry, including full-scale solutions for Linux, Unix and NetWare, a new-generation heuristic analyzer designed to detect newly emerging viruses, effective protection against polymorphic and macro viruses, continuously updated antivirus databases and a technique for detecting viruses in archived files.
________________________________________________________________________
From the facepalm department
Kaspersky and the silent fix that wasn't
PDF Evasion
________________________________________________________________________
Release mode: Forced disclosure
Ref : [TZO-30-2009] - Kaspersky PDF evasion (Forced disclosure)
WWW : http://blog.zoller.lu/2009/05/advisory-kaspersky-generic-pdf-evasion.html
Kaspersky Web Scanner ActiveX Format String Vulnerability
iDefense Security Advisory 10.10.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 10, 2007
I. BACKGROUND
Kaspersky Lab Online Virus Scanner is a free online virus scanner
service, enabling a user to scan their system for malicious code via
1. Background
Founded in 1997, Kaspersky Lab is an international information security
software vendor. Kaspersky Lab is headquartered in Moscow, Russia and
has regional offices in the UK, France, Germany, the Netherlands,
Poland, Japan, China, Korea, Romania and the United States. Further
expanding the company's reach is its large partner network comprising
over 500 companies globally.
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 04, 2008
I. BACKGROUND
Kaspersky Internet Security Suite is a combination of Kaspersky
anti-virus, anti-spam, and personal firewall in one product. For more
information see the vendor's website at the following URL.
http://www.kaspersky.com/
Hello Bugtraq.
I am writing to report a vulnerability in Kaspersky Antivirus that allows
code injection into the process that is executed in the user's context,
allowing:
1. The modification, creation and deletion of values and keys
in the Registry with respect to the configuration of the
antivirus.
Date: October 14th - Conf Day 2
* Special Keynote Panel Discussion - "The Future of Mobile Malware & Cloud Computing"
* Keynote Panelist 1: Mikko Hypponen (F-Secure)
* Keynote Panelist 2: Paul Ducklin (Sophos)
* Keynote Panelist 3: Andrey Nishikin (Kaspersky Lab)
* Keynote Panelist 4: Dr. Jose Nazario (Arbor Networks)
Moderator: Dr. Dinesh Nair
Event Website:
brlc> Microsoft was informed on 29.07.08 and declined to comment on this issue.
brlc> == Effects on Virusscanners ==
brlc> NOD32 takes several minutes of kernel time to scan the multikill mails. ESET
brlc> did not comment on this issue and was informed on 01.08.08.
brlc> Kaspersky Internet Security Suite takes several minutes to scan the
brlc> multikill mail. Kaspersky was informed on 29.07.08, confirmed the issue and
brlc> promised to fix the problem.
brlc> Norton Antivirus takes several minutes to scan the multikill mails. Norton
brlc> was informed on 01.08.08 and answered promptly and politely.
brlc> Norton promised not to fix the problem, since it would not qualify as a
On Thu, 7 Aug 2008, Juha-Matti Laurio wrote:
> It has the following mechanism according to McAfee:
> http://vil.nai.com/vil/content/v_148955.htm
>
> They use the name W32/Koobface.worm and Kaspersky (Kaspersky Labs originally
> discovered this threat) uses the name Net-Worm.Win32.Koobface.b.
This is going to *possibly* cause support line bottlenecks tomorrow.
This worm is somewhat similar to Zlob; here is a link to a Kaspersky paper
/*
Program : Kaspersky Anti-Virus 2010 9.0.0.463
Homepage : http://www.kaspersky.com
Discovery : 2009/09/29
Author Contacted : 2009/10/01
Patch Updated : 2009/11/16
Found by : Heurs
This Advisory : Heurs
Contact : s.leberre@sysdream.com
It has the following mechanism according to McAfee:
http://vil.nai.com/vil/content/v_148955.htm
They use the name W32/Koobface.worm and Kaspersky (Kaspersky Labs originally discovered this threat) uses the name Net-Worm.Win32.Koobface.b.
More information here too:
http://www.pcmag.com/article2/0,2817,2327272,00.asp
Juha-Matti
Sunbelt 3.1.1832.2
TheHacker 6.3.1.2.174
TrendMicro 8.700.0.1004
ViRobot 2008.12.4.1499
The thing that must be considered is that the POC varies from exploit to exploit (sometimes
Kaspersky and the other famous AV software can be deceived).
Proof Of Concept:
As I said, the exploit is based on the magic byte method: we first add the MZ header to the HTML exploit and change the extension to txt or jpg or no extension. The exploit is compatible with IE6 and IE7 because IE6 and IE7 execute the HTML even if it is in a txt file or a file with no extension.
So the exploit works in cooperation with IE6 and IE7 :).
virustotal result of MS Internet Explorer 6/7 (XML Core Services) Remote Code Execution Exploit
http://www.virustotal.com/analisis/2fce2b49876e27b4144fd39be466200e
* DefenseWall Personal Firewall 3.00
* Dr.Web Security Space Pro 6.0.0.03100
* ESET Smart Security 4.2.35.3
* F-Secure Internet Security 2010 10.00 build 246
* G DATA TotalCare 2010
* Kaspersky Internet Security 2010 9.0.0.736
* KingSoft Personal Firewall 9 Plus 2009.05.07.70
* Malware Defender 2.6.0
* McAfee Total Protection 2010 10.0.580
* Norman Security Suite PRO 8.0
* Norton Internet Security 2010 17.5.0.127
TrendMicro 8.700.0.1004
VBA32 3.12.8.5
ViRobot 2008.9.12.1375
VirusBuster 4.5.11.0
virustotal result of MS Internet Explorer (VML) Remote Buffer Overflow Exploit (XP SP2).
http://www.virustotal.com/fr/analisis/062ec3b8d8b88e99865f798cc08b0718
>Microsoft Outlook Express 6, Version 6.00.2900.5512
>Opera Version: 9.51 Build: 10081 System: Windows XP
>Incredimail Build ID: 5853710 Setup ID: 7 Pn: 92977368
>Norton Internet Security Version 15.5.0.23
>ESet NOD32 2.70.0039.0000
>Kaspersky Internet Security 2009; Databases from 23.07.2008
>
>Slightly affected:
>Mozilla Thunderbird Version 2.0.14 (20080421)
>
>Not vulnerable:
application security problem and provide information for statistical
analysis of web applications security incidents.
The following incidents were added to WHID last week:
* WHID 2009-19: Kaspersky site breached using SQL injection, sensitive data
exposed (http://whid.webappsec.org/whid/2009/19/kaspersky_site_breached)
* WHID 2009-18: phpBB web site hacked using LFI
(http://whid.webappsec.org/whid/2009/18/phpbb_web_site_hacked_using_lfi)
* WHID 2009-17: Passwords are optional at SpeedDate
(http://whid.webappsec.org/whid/2009/17/passwords_optional_at_speeddate)
Vulnerable software:
* BlackICE PC Protection 3.6.cqn
* G DATA InternetSecurity 2007
* Ghost Security Suite beta 1.110 and alpha 1.200
* Kaspersky Internet Security 7.0.0.125
* Norton Internet Security 2008 15.0.0.60
* Online Armor Personal Firewall 2.0.1.215
* Outpost Firewall Pro 4.0.1025.7828
* Privatefirewall 5.0.14.2
* Process Monitor 1.22