Thread-topic: Kaspersky Web Scanner ActiveX Format String Vulnerability
> -----Original Message-----
> @idefense.com] On Behalf Of iDefense Labs Security Advisories
> Sent: Wednesday, October 10, 2007 10:27 PM
> To: iDefense Labs Security Advisories
> Subject: iDefense Security Advisory 10.10.07: Kaspersky Web Scanner ActiveX Format String Vulnerability
> Kaspersky Web Scanner ActiveX Format String Vulnerability
> iDefense Security Advisory 10.10.07
> Oct 10, 2007
> I. BACKGROUND
> Kaspersky Lab Online Virus Scanner is a free online virus scanner
> service, enabling a user to scan their system for malicious code via
> their Web browser. This online service can be accessed at following
> II. DESCRIPTION
> Remote exploitation of a format string vulnerability in Kaspersky Lab's
> Online Scanner virus scanner service could allow an attacker to execute
> arbitrary code within the security context of the targeted user.
> This vulnerability specifically exists in the Kaspersky online virus
> scanner ActiveX control. The ActiveX control in question has the
> following identifiers:
> ProgID: kavwebscan.CKAVWebScan
> ClassID: 0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75
> File: kavwebscan.dll
> This ActiveX control passes attacker supplied data as the format string
> parameter of various string formatting functions. This is presumably
> done to enable displaying localized messages from within the HTML page.
> By rendering a specially crafted web page using this ActiveX control, a
> heap based buffer overflow could occur.
> III. ANALYSIS
> Exploitation of this vulnerability would allow a remote attacker to
> execute arbitrary code within the context of the targeted user. To
> exploit this vulnerability, an attacker would need to persuade the
> victim into viewing a malicious website.
> This ActiveX control is installed during the use of the Kaspersky Online
> Virus Scanner. Once the vulnerable ActiveX control is installed, it will
> remain installed until the user explicitly removes it. If the user doesn't
> have Kaspersky Online Scanner Control installed, the exploit page could
> prompt the user to install this ActiveX.
> Though this is a format string vulnerability, the traditional "%n"
> technique will not work. This is due to this ActiveX being compiled
> with Microsoft Visual Studio 2005, in which the "%n" format specifier
> is disabled by default. However, the attacker could still exploit the
> vulnerability using other methods.
> IV. DETECTION
> iDefense has confirmed the existence of this vulnerability within
> version 220.127.116.11 of Kaspersky Lab's kavwebscan.dll. Previous versions
> are suspected to be vulnerable.
> V. WORKAROUND
> Setting the kill-bit for this control will prevent it from being loaded
> within Internet Explorer. However, doing so will also prevent
> legitimate use of the control.
> VI. VENDOR RESPONSE
> Kaspersky Lab has addressed this vulnerability by publishing a new
> version of the vulnerable ActiveX control. For more information,
> consult Kaspersky's press release at the following URL.
> VII. CVE INFORMATION
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CVE-2007-3675 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org/), which standardizes names for
> security problems.
> VIII. DISCLOSURE TIMELINE
> 06/20/2007 Initial vendor notification
> 06/21/2007 Initial vendor response
> 10/10/2007 Coordinated public disclosure
> IX. CREDIT
> This vulnerability was reported to iDefense by Stephen Fewer of Harmony
> Security (www.harmonysecurity.com).
> X. LEGAL NOTICES
> Copyright (c) 2007 iDefense, Inc.
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
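The pattern the advisory describes, as an added C illustration that is not from the advisory or from Kaspersky's control (the function names and the sample "localized message" are constructed): the vulnerable call hands page-supplied text to the formatting function as its format string, the hardened call uses a fixed format and passes the text only as an argument, and a small audit helper counts the conversion directives an incoming string would trigger, which is the check a reviewer would add at the point where such strings enter the control.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size for the constructed example; the real control's sizes are not on the page. */
#define MSG_SIZE 256

/* Vulnerable pattern (CWE-134): the untrusted string *is* the format string,
 * so any %-directives it contains are interpreted against non-existent
 * arguments. This mirrors what the advisory describes; do not use it. */
int format_message_vulnerable(char *out, size_t out_size, const char *untrusted)
{
    return snprintf(out, out_size, untrusted);
}

/* Hardened pattern: a fixed, literal format; the untrusted text is only ever
 * an argument, so a '%' in it is copied, never interpreted. */
int format_message_safe(char *out, size_t out_size, const char *untrusted)
{
    return snprintf(out, out_size, "%s", untrusted);
}

/* Audit helper: count the conversion directives an untrusted string would
 * trigger if it were used as a format. "%%" is a literal percent, not a
 * directive. A non-zero result on input that should be plain text is the
 * signal to reject it (or to confirm it is being passed as an argument). */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {       /* escaped percent: skip both characters */
            p++;
            continue;
        }
        count++;                  /* %d, %s, %x, %n, ... */
    }
    return count;
}

int main(void)
{
    char buf[MSG_SIZE];
    const char *from_page = "Report: 100% done";   /* constructed input */
    printf("directives in input: %d\n", count_format_directives(from_page));
    format_message_safe(buf, sizeof buf, from_page);
    printf("safe output: %s\n", buf);
    return 0;
}
```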