Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Kaspersky Multiple insufficient argument validation of hooked SSDT funct

from [Matousec - Transparent security Research] Network Security [Permanent Link]
Subject: Kaspersky Multiple insufficient argument validation of hooked SSDT function Vulnerability
Date: Fri, 15 Jun 2007 10:15:06 +0200 
Hello,

We would like to inform you about a vulnerability in Kaspersky Internet 
Security 6.


Description:

Kaspersky Internet Security hooks many functions in SSDT and in at least nine cases it fails to validate arguments that come from the user mode. User calls to NtCreateKey, NtCreateProcess, NtCreateProcessEx, NtCreateSection, NtCreateSymbolicLinkObject, NtCreateThread, NtLoadKey2, NtOpenKey, NtOpenProcess with invalid argument values can cause system crashes because of errors in KIS driver klif.sys. Further impacts of this bug (like arbitrary code execution in the kernel mode) were not examined.

Note: A similar vulnerability in klif.sys driver has been published recently by an independent security researcher. In that report, the list of vulnerable functions also contains NtDeleteValueKey, NtOpenSection and NtQueryValueKey.


Vulnerable software:

    * Kaspersky Internet Security 6.0.2.621
    * Kaspersky Internet Security 6.0.2.614
    * probably all older versions of Kaspersky Internet Security 6
    * possibly older versions of Kaspersky Internet Security and other 
Kaspersky products that use klif.sys driver



More details and a proof of concept including its source code are available 
here:
http://www.matousec.com/info/advisories/Kaspersky-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php


Regards,

--
Matousec - Transparent security Research
http://www.matousec.com/


[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Kaspersky Multiple insufficient argument validation of hooked SSDT function Vulnerability, Matousec - Transparent security Research <=
Previous by Date:  Re: [Full-disclosure] Apple Safari: urlbar/window title spoofing, Mark Senior
Next by Date:  rPSA-2007-0126-1 util-linux, rPath Update Announcements
Previous by Thread:  [Full-disclosure] rPSA-2007-0124-1 kernel xen, rPath Update Announcements
Next by Thread:  rPSA-2007-0126-1 util-linux, rPath Update Announcements
Indexes:  [Date] [Thread] [Top] [All Lists]