Thursday, October 11, 2007

[NT] Kaspersky Web Scanner ActiveX Format String Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

- - - - - - - - -

Kaspersky Web Scanner ActiveX Format String Vulnerability
------------------------------------------------------------------------


SUMMARY

<http://www.kaspersky.com/virusscanner/> Kaspersky Lab Online Virus
Scanner is a free online virus scanner service, enabling a user to scan
their system for malicious code via their Web browser.

Remote exploitation of a format string vulnerability in Kaspersky Lab's
Online Scanner virus scanner service could allow an attacker to execute
arbitrary code within the security context of the targeted user.

DETAILS

Vulnerable Systems:
* Kaspersky Lab's kavwebscan.dll version 5.0.93.0.
* Previous versions are suspected to be vulnerable.

This vulnerability specifically exists in the Kaspersky online virus
scanner ActiveX control. The ActiveX control in question has the following
identifiers:
ProgID: kavwebscan.CKAVWebScan
ClassID: 0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75
File: kavwebscan.dll

This ActiveX control passes attacker-supplied data as the format string
parameter of various string formatting functions. This is presumably done
to enable displaying localized messages from within the HTML page. By
rendering a specially crafted web page that uses this ActiveX control, a
heap-based buffer overflow could occur.

Exploitation of this vulnerability would allow a remote attacker to
execute arbitrary code within the context of the targeted user. To exploit
this vulnerability, an attacker would need to persuade the victim into
viewing a malicious website.

This ActiveX control is installed during the use of the Kaspersky Online
Virus Scanner. Once the vulnerable ActiveX control is installed, it will
remain installed until the user explicitly removes it. If the user doesn't
have the Kaspersky Online Scanner control installed, the exploit page could
prompt the user to install this ActiveX control.

Though this is a format string vulnerability, the traditional "%n"
technique will not work. This is due to this ActiveX control being compiled
with Microsoft Visual Studio 2005, in which the "%n" format specifier is
disabled by default. However, the attacker could still exploit the
vulnerability using other methods.
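As an added illustration of the two paragraphs above (this is not code from the advisory or from Kaspersky's control; the function names and sample strings are constructed), the vulnerable pattern in C beside its hardened form, plus a trust-boundary check that flags any conversion directive, "%n" included, before a page-supplied message reaches a formatting function:

```c
#include <stdio.h>
#include <string.h>

// Hypothetical reconstruction of the vulnerable pattern (not Kaspersky's code):
// the page-supplied localized message is used as the format string itself, so
// any "%x", "%s" or "%n" in it is interpreted and the output length is unbounded.
//
//     static void render_message_vulnerable(char *out, const char *page_msg)
//     {
//         sprintf(out, page_msg);   /* attacker-controlled format directives */
//     }
//
// Kept as a comment so nothing in this file ever executes it.

/* Hardened form: untrusted text is always an argument, never the format, and
 * the copy is bounded. Returns the message length, or -1 if the text did not
 * fit (the caller should reject it rather than show a truncated message). */
static int render_message_safe(char *out, size_t out_len, const char *page_msg)
{
    int n = snprintf(out, out_len, "%s", page_msg);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

/* Trust-boundary check: does the string contain a conversion directive?
 * A literal "%%" is the only '%' allowed through. Usable as input validation
 * in the control and as a detection rule over captured page content. */
static int has_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent sign: skip both characters */
            s++;
            continue;
        }
        return 1;            /* '%' followed by anything else, e.g. %x or %n */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: a "localized message" carrying directives. */
    const char *hostile = "Scan %x complete %n";
    char out[64];
    int len = render_message_safe(out, sizeof out, hostile);

    printf("directive present: %d\n", has_format_directive(hostile));
    printf("rendered safely  : %d chars: %s\n", len, out);
    return 0;
}
```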

Workaround:
Setting the kill-bit for this control will prevent it from being loaded
within Internet Explorer. However, doing so will also prevent legitimate
use of the control.

Vendor Status:
Kaspersky Lab has addressed this vulnerability by publishing a new version
of the vulnerable ActiveX control. For more information, consult
Kaspersky's press release at the following URL.
<http://www.kaspersky.com/news?id=207575572>

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3675>
CVE-2007-3675

Disclosure Timeline:
* 06/20/2007 - Initial vendor notification
* 06/21/2007 - Initial vendor response
* 10/10/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:

<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=606>

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.