DoS vulnerability in Kaspersky driver
Kaspersky's security products contain a driver which hooks into and monitors calls to Windows system functions. However, the driver fails to correctly check the parameters passed, allowing an attacker to crash affected systems by using invalid data. Security services provider MatouSec, who reported this bug, does not rule out the possibility that it could also be used to inject and execute malicious code with system privileges, but has not checked or demonstrated this.
Security products often hook into system functions in order to monitor the computer. By monitoring calls to System Service Descriptor Table (SSDT) functions, it is possible to determine which programs are active on the computer and what they are doing - a behavioural blocker can use this to draw conclusions about dangerous behaviour. The same hooks can also be used to protect the security software itself, by forbidding calls which would result in changes to the software's own processes.
The Kaspersky driver klif.sys hooks into system functions including NtCreateKey, NtCreateProcess, NtCreateProcessEx, NtCreateSection, NtCreateSymbolicLinkObject, NtCreateThread, NtLoadKey2, NtOpenKey and NtOpenProcess. If a program calls one of these functions with invalid parameter values, the computer crashes and restarts. MatouSec's bulletin includes a program with which this behaviour can be reproduced. Tests by heise Security using this program reproducibly crashed a fully patched version of Kaspersky's Antivirus 6 under Windows XP.
An advisory from EP_X0FF explains the allegedly very old vulnerability in Kaspersky's driver using the NtOpenProcess function as an example. Kaspersky has reacted by posting its own security advisory and announcing a patch which the company will shortly distribute via automatic update. Kaspersky categorises the risk as low, as exploiting it requires a local user to start malicious software manually. According to Kaspersky, the vulnerability does not allow escalation of privileges or execution of external code. Kaspersky Antivirus 6 and 7, Internet Security 6 and 7, Anti-Virus for Windows Workstations 6 and Anti-Virus 6 for Windows Servers are all affected under operating systems from Windows NT to Windows 2003 - under Windows Vista the sample program does not crash the system.
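The root cause described above is a kernel hook that trusts pointers handed to it by a user-mode caller. The following is an added, constructed C model of that defect and its fix; it is not code from klif.sys, MatouSec or EP_X0FF. It simulates a hook on NtOpenProcess that must read a CLIENT_ID structure from a caller-supplied address: the unchecked variant dereferences the pointer directly and "bugchecks" when the address is not mapped, while the checked variant applies the ProbeForRead rules (alignment, no address-range wrap, entirely below MmUserProbeAddress) and treats a failed copy as an error returned to the caller, the way a __try/__except block would in a real driver. The address-space layout (a single mapped user page at 0x00400000, MmUserProbeAddress at 0x7FFF0000) and the NULL-ClientId rejection are assumptions of this model; the NTSTATUS values are the standard Windows constants.

```c
/* Constructed model of an SSDT hook validating a user-mode pointer.
 * Not the Kaspersky driver's code; addresses and layout are assumed. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t NTSTATUS;
#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u
#define STATUS_INVALID_PARAMETER     0xC000000Du

/* Assumed 32-bit layout: user buffers must end at or below MmUserProbeAddress. */
#define USER_PROBE_ADDRESS 0x7FFF0000u

/* CLIENT_ID as NtOpenProcess receives it (two handle-sized fields). */
typedef struct { uint32_t UniqueProcess; uint32_t UniqueThread; } CLIENT_ID;

/* Constructed "address space": exactly one mapped user page. */
#define MAPPED_BASE 0x00400000u
#define MAPPED_SIZE 4096u
static uint8_t g_user_page[MAPPED_SIZE];
static int g_bugchecks;   /* counts simulated kernel crashes */

/* Model of ProbeForRead: reject misaligned, wrapping or kernel-range buffers
 * before a single byte is touched. The real routine raises an exception;
 * here the verdict comes back as an NTSTATUS. */
static NTSTATUS probe_for_read(uint32_t addr, uint32_t len, uint32_t align) {
    if (addr % align != 0) return STATUS_DATATYPE_MISALIGNMENT;
    if (len != 0 && (addr + len < addr || addr + len > USER_PROBE_ADDRESS))
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Copy from the simulated user page; false if the range is not mapped.
 * A real driver takes a page fault here, survivable only inside __try/__except. */
static bool copy_from_user(void *dst, uint32_t addr, uint32_t len) {
    if (addr + len < addr || addr < MAPPED_BASE || addr + len > MAPPED_BASE + MAPPED_SIZE)
        return false;
    memcpy(dst, g_user_page + (addr - MAPPED_BASE), len);
    return true;
}

/* Unchecked hook pattern: dereferences the caller-supplied pointer directly.
 * An invalid address becomes an unhandled kernel-mode fault (blue screen). */
NTSTATUS hook_open_process_unchecked(uint32_t client_id_addr) {
    CLIENT_ID cid;
    if (!copy_from_user(&cid, client_id_addr, sizeof cid)) {
        g_bugchecks++;
        return STATUS_ACCESS_VIOLATION;
    }
    return STATUS_SUCCESS;   /* ... the original NtOpenProcess would be called next */
}

/* Hardened hook pattern: probe first, then copy inside a guarded region so a
 * bad pointer turns into an error for the caller rather than a crash. */
NTSTATUS hook_open_process_checked(uint32_t client_id_addr) {
    CLIENT_ID cid;
    NTSTATUS st;
    if (client_id_addr == 0) return STATUS_INVALID_PARAMETER;   /* model's choice */
    st = probe_for_read(client_id_addr, sizeof cid, sizeof(uint32_t));
    if (st != STATUS_SUCCESS) return st;
    if (!copy_from_user(&cid, client_id_addr, sizeof cid))
        return STATUS_ACCESS_VIOLATION;   /* the __except path */
    return STATUS_SUCCESS;
}

int simulated_bugchecks(void) { return g_bugchecks; }

int main(void) {
    CLIENT_ID good = { 1234, 0 };
    memcpy(g_user_page, &good, sizeof good);   /* a valid CLIENT_ID at MAPPED_BASE */
    printf("valid:       checked=%08x\n", (unsigned)hook_open_process_checked(MAPPED_BASE));
    printf("kernel ptr:  checked=%08x\n", (unsigned)hook_open_process_checked(0x80000000u));
    printf("unmapped:    checked=%08x\n", (unsigned)hook_open_process_checked(0x00300000u));
    printf("misaligned:  checked=%08x\n", (unsigned)hook_open_process_checked(MAPPED_BASE + 1));
    hook_open_process_unchecked(0x80000000u);
    printf("unchecked hook bugchecks: %d\n", simulated_bugchecks());
    return 0;
}
```

The checked variant never reaches the copy with a kernel-range, wrapping or misaligned address, and a pointer that passes the probe but is unmapped is still caught by the guarded copy; every failure mode the driver is described as mishandling comes back to the caller as a status code instead of taking the machine down.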
The recent glut of vulnerabilities in software which is intended to protect computers has cast the industry in a bad light. Numerous vendors of anti-virus software, including F-Secure, Grisoft and Avira, have recently had to fix security vulnerabilities in their products such as buffer overflows, format string vulnerabilities or a simple failure to check user input, which frequently come down to basic coding errors or a lack of attention to detail. Anti-virus software is in the front line of the war against remote attackers and is thus particularly under fire. It is to be hoped that the latest incidents will prompt anti-virus vendors to make their software more secure. Security software is one area where security should be a central focus, including during development.
- Kaspersky Multiple insufficient argument validation of hooked SSDT function Vulnerability, advisory from MatouSec
- Exploiting Kaspersky Antivirus 6.0-7.0, bug report from EP_X0FF
- KLV07-07.Klif.sys calling NtOpenProcess vulnerability, security advisory from Kaspersky