Thread-topic: iDefense Security Advisory 04.04.07: Kaspersky AntiVirus SysInfo ActiveX Control Information Disclosure Vulnerability
> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
> Of iDefense Labs
> Sent: Thursday, April 05, 2007 3:38 AM
> To: vulnwatch@xxxxxxxxxxxxx;
> full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] iDefense Security Advisory
> 04.04.07: Kaspersky AntiVirus SysInfo ActiveX Control
> Information Disclosure Vulnerability
>
> Kaspersky AntiVirus SysInfo ActiveX Control Information Disclosure
> Vulnerability
>
> iDefense Security Advisory 04.04.07
>
> Apr 04, 2007
>
> I. BACKGROUND
>
> Kaspersky AntiVirus offers comprehensive protection from computer
> viruses and malware threats. More information can be found on the
> vendors site at the following URL.
>
>
>
> II. DESCRIPTION
>
> Remote exploitation of a information disclosure vulnerability in
> Kaspersky AntiVirus 6 could allow malicious websites to steal
> files off
> of a user's machine.
>
> The vulnerability specifically lays with in the following ActiveX
> Control:
>
> ProgID: KL.SysInfo
> Clsid: BA61606B-258C-4021-AD27-E07A3F3B91DB
> File: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus
> 6.0\AxKLSysInfo.dll
> Version: 5.0.5.0
>
> This control includes a method called "StartUploading" which allows
> malicious web scripts to perform an anonymous FTP transfer of any file
> they specify off of the victims machine.
>
> III. ANALYSIS
>
> Exploitation of this vulnerability allows attackers to steal
> files from
> a victim's computer.
>
> This vulnerability can be triggered by a malicious website.
> Users would
> be required to have a vulnerable version of the target software
> installed and be lured to a malicious site.
>
> No dialogs, warnings or user action is required to perform
> the transfer.
>
> IV. DETECTION
>
> iDefense has confirmed the existence of this vulnerability in version
> 6.0 of Kaspersky Antivirus.
>
> V. WORKAROUND
>
> Setting the kill-bit for the target ActiveX control will prevent
> exploitation via Internet Explorer.
>
> VI. VENDOR RESPONSE
>
> Kaspersky has addressed this vulnerability by removing the vulnerable
> libraries upon installation of Maintenance Pack 2. More information is
> available from the vendor's advisory at the following URL.
>
>
>
> VII. CVE INFORMATION
>
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE)
> number has not
> been assigned yet.
>
> VIII. DISCLOSURE TIMELINE
>
> 12/12/2006 Initial vendor notification
> 12/12/2006 Initial vendor response
> 04/04/2007 Coordinated public disclosure
>
> IX. CREDIT
>
> This vulnerability was reported to iDefense by Peter Vreugdenhil.
>
> Get paid for vulnerability research
>
>
> Free tools, research and upcoming events
>
>
> X. LEGAL NOTICES
>
> Copyright (c) 2007 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available
> information. Use
> of the information constitutes acceptance for use in an AS IS
> condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> Hosted and sponsored by Secunia -
>
