Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: Kaspersky Web Scanner ActiveX Format String Vulnerability



> -----Original Message-----
> From: idlabs-advisories-bounces+vladimir.kazennov=billing.ru@idefense.com
> [mailto:idlabs-advisories-bounces+vladimir.kazennov=billing.ru@idefense.com]
> On Behalf Of iDefense Labs Security Advisories
> Sent: Wednesday, October 10, 2007 10:27 PM
> To: iDefense Labs Security Advisories
> Subject: iDefense Security Advisory 10.10.07: Kaspersky Web Scanner ActiveX
> Format String Vulnerability
>
> Kaspersky Web Scanner ActiveX Format String Vulnerability
>
> iDefense Security Advisory 10.10.07
> http://labs.idefense.com/intelligence/vulnerabilities/
> Oct 10, 2007
>
> I. BACKGROUND
>
> Kaspersky Lab Online Virus Scanner is a free online virus scanner
> service, enabling a user to scan their system for malicious code via
> their Web browser. This online service can be accessed at following
> URL.
>
> http://www.kaspersky.com/virusscanner/
>
> II. DESCRIPTION
>
> Remote exploitation of a format string vulnerability in Kaspersky Lab's
> Online Scanner virus scanner service could allow an attacker to execute
> arbitrary code within the security context of the targeted user.
>
> This vulnerability specifically exists in the Kaspersky online virus
> scanner ActiveX control. The ActiveX control in question has the
> following identifiers:
>
>   ProgID: kavwebscan.CKAVWebScan
>   ClassID: 0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75
>   File: kavwebscan.dll
>
> This ActiveX control passes attacker supplied data as the format string
> parameter of various string formatting functions. This is presumably
> done to enable displaying localized messages from within the HTML page.
> By rendering a specially crafted web page using this ActiveX control, a
> heap based buffer overflow could occur.
>
> III. ANALYSIS
>
> Exploitation of this vulnerability would allow a remote attacker to
> execute arbitrary code within the context of the targeted user. To
> exploit this vulnerability, an attacker would need to persuade the
> victim into viewing a malicious website.
>
> This ActiveX control is installed during the use of the Kaspersky Online
> Virus Scanner. Once the vulnerable ActiveX control is installed, it will
> remain installed until they explicitly remove it. If the user doesn't
> have Kaspersky Online Scanner Control installed, the exploit page could
> prompt the user to install this ActiveX.
>
> Though this is a format string vulnerability, the traditional "%n"
> technique will not work. This is due to this ActiveX being compiled
> with Microsoft Visual Studio 2005, in which the "%n" format specifier
> is disabled by default. However, the attacker could still exploit the
> vulnerability using other methods.
>
> IV. DETECTION
>
> iDefense has confirmed the existence of this vulnerability within
> version 5.0.93.0 of Kaspersky Lab's kavwebscan.dll. Previous versions
> are suspected to be vulnerable.
>
> V. WORKAROUND
>
> Setting the kill-bit for this control will prevent it from being loaded
> within Internet Explorer. However, doing so will also prevent
> legitimate use of the control.
>
> VI. VENDOR RESPONSE
>
> Kaspersky Lab has addressed this vulnerability by publishing a new
> version of the vulnerable ActiveX control. For more information,
> consult Kaspersky's press release at the following URL.
>
> http://www.kaspersky.com/news?id=207575572
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CVE-2007-3675 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org/), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 06/20/2007  Initial vendor notification
> 06/21/2007  Initial vendor response
> 10/10/2007  Coordinated public disclosure
>
> IX. CREDIT
>
> This vulnerability was reported to iDefense by Stephen Fewer of Harmony
> Security (www.harmonysecurity.com).
>
> Get paid for vulnerability research
> http://labs.idefense.com/methodology/vulnerability/vcp.php
>
> Free tools, research and upcoming events
> http://labs.idefense.com/
>
> X. LEGAL NOTICES
>
> Copyright (c) 2007 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
> _______________________________________________
> To unsubscribe, go here:
> http://www.idefense.com/mailman/listinfo/idlabs-advisories
>
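The workaround in section V (kill-bit) and the version check in section IV can be combined into a small host audit. The script below is an added example, not part of the forwarded advisory or of any Kaspersky or iDefense tooling; it reads the CLSID from the advisory, resolves the registered DLL through the COM InprocServer32 key, compares its file version with the confirmed-vulnerable 5.0.93.0, and sets Internet Explorer's kill bit (Compatibility Flags 0x400) when an unpatched copy is found. The function names are invented for this example.

```powershell
# Added example (not from the advisory): audit a Windows host for the
# Kaspersky Web Scanner control and set its IE kill bit if it is at or
# below the version iDefense confirmed vulnerable. Needs elevation to write.
$Clsid = '{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}'   # ClassID quoted in the advisory
$LastKnownVulnerable = [version]'5.0.93.0'          # version confirmed by iDefense

# IE keeps per-control kill bits here; bit 0x400 means "never load this control".
$CompatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$KillBit   = 0x400

function Get-KavWebScanStatus {
    $status = [ordered]@{ Registered = $false; Path = $null; Version = $null; KillBitSet = $false }
    # The COM registration names the DLL that IE would actually load.
    $inproc = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32" `
                               -ErrorAction SilentlyContinue
    if ($inproc -and $inproc.'(default)') {
        $status.Registered = $true
        $status.Path = [Environment]::ExpandEnvironmentVariables($inproc.'(default)')
        if (Test-Path -LiteralPath $status.Path) {
            # Build the version from the numeric parts; FileVersion strings vary in format.
            $vi = (Get-Item -LiteralPath $status.Path).VersionInfo
            $status.Version = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                             $vi.FileBuildPart, $vi.FilePrivatePart)
        }
    }
    $flags = (Get-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' `
                               -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($flags -and (($flags -band $KillBit) -eq $KillBit)) { $status.KillBitSet = $true }
    [pscustomobject]$status
}

function Set-KavWebScanKillBit {
    # Create the compatibility key if absent and OR the kill bit into existing flags,
    # so any other flags already set for the control are preserved.
    if (-not (Test-Path $CompatKey)) { New-Item -Path $CompatKey -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' `
                                  -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$existing) -bor $KillBit
    Set-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' -Value $new -Type DWord
}

$s = Get-KavWebScanStatus
$s | Format-List
if ($s.Registered -and $s.Version -and $s.Version -le $LastKnownVulnerable -and -not $s.KillBitSet) {
    Write-Warning "kavwebscan.dll $($s.Version) is at or below $LastKnownVulnerable; setting kill bit."
    Set-KavWebScanKillBit
}
```

On 64-bit Windows the 32-bit Internet Explorer reads the same key under HKLM:\SOFTWARE\Wow6432Node\..., so run the check against both hives; as the advisory notes, the kill bit also blocks legitimate use of the control until the updated version is installed.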

Copyright © Lexa Software, 1996-2009.