Thread-topic: iDefense Security Advisory 04.04.07: Kaspersky Internet Security Suite klif.sys Heap Overflow Vulnerability
> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
> Of iDefense Labs
> Sent: Thursday, April 05, 2007 3:38 AM
> To: vulnwatch@xxxxxxxxxxxxx;
> full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] iDefense Security Advisory
> 04.04.07: Kaspersky Internet Security Suite klif.sys Heap
> Overflow Vulnerability
> Kaspersky Internet Security Suite klif.sys Heap Overflow Vulnerability
> iDefense Security Advisory 04.03.07
> Apr 03, 2007
> I. BACKGROUND
> Kaspersky Internet Security Suite is a combination of Kaspersky
> anti-virus, anti-spam, and personal firewall in one product. For more
> information see the vendor's website at the following URL.
> II. DESCRIPTION
> Local exploitation of a heap overflow vulnerability in Kaspersky Lab's
> Internet Security Suite klif.sys could allow an attacker to execute
> arbitrary code within kernel context.
> The klif.sys driver is part of the "anti-hacker" proactive protection.
> As part of this defense, the driver hooks and screens various system
> calls, such as registry functions.
> The hook function for the _NtSetValueKey() function is
> vulnerable to an
> integer overflow that leads to a kernel heap overflow. Passing a large
> unsigned value for the data size argument results in an arithmetic
> overflow when calculating the amount of memory to allocate. A copy
> operation into this buffer results in corruption of kernel memory.
> III. ANALYSIS
> Exploitation allows an attacker to execute code with kernel
> This vulnerability lets an attacker overwrite a nearly
> arbitrary amount
> of kernel heap memory with arbitrary data. Exploitation of kernel heap
> based buffer overflows is both difficult and unreliable.
> However, there
> are documented methods for exploiting these types of overflows.
> IV. DETECTION
> iDefense confirmed this vulnerability in Kaspersky Internet Security
> 18.104.22.1681 for Windows. Previous versions may also be affected.
> V. WORKAROUND
> iDefense is currently unaware of any workarounds for this issue.
> VI. VENDOR RESPONSE
> Kaspersky has addressed this vulnerability within Maintenance Pack 2.
> More information is available from the vendor's advisory at the
> following URLs.
> VII. CVE INFORMATION
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE)
> number has not
> been assigned yet.
> VIII. DISCLOSURE TIMELINE
> 01/24/2007 Initial vendor notification
> 03/02/2007 Second vendor notification
> 03/05/2007 Initial vendor response
> 04/03/2007 Coordinated public disclosure
> IX. CREDIT
> The discoverer of this vulnerability wishes to remain anonymous.
> Get paid for vulnerability research
> Free tools, research and upcoming events
> X. LEGAL NOTICES
> Copyright (c) 2007 iDefense, Inc.
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available
> information. Use
> of the information constitutes acceptance for use in an AS IS
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/