OverviewTalos has discovered multiple vulnerabilities in Kaspersky’s Internet Security product which can be used by an attacker to cause a local denial of service attack or to leak memory from any machine running Kaspersky Internet Security software.
DetailsTo provide anti-virus functionality, Kaspersky’s software hooks into the Windows API via a driver named KLIF. Talos has identified two vulnerabilities in the way that the driver handles intercepted NtUserCreateWindowEx and NtAdjustTokenPrivileges calls. In both cases a malicious application on a machine with Kaspersky’s KLIF driver installed is able to execute a malicious API call using invalid parameters. This can cause an attempt to access inaccessible memory by the driver resulting in a system crash.
A further local denial of service attack is possible through Kaspersky’s KL1 driver. A malicious user can send a specially crafted IOCTL call to the KL1 driver. Under certain conditions, this can causing the driver to read memory outside of an allocated buffer. This may provoke a memory access violation resulting in a system crash.