Friday, August 26, 2016

Vulnerability Spotlight: Kernel Information Leak & Multiple DOS Issues Within Kaspersky Internet Security Suite

Vulnerability discovered by Piotr Bania and Marcin ‘Icewall’ Noga of Cisco Talos.


Talos has discovered multiple vulnerabilities in Kaspersky’s Internet Security product which can be used by an attacker to cause a local denial of service attack or to leak memory from any machine running Kaspersky Internet Security software.


To provide anti-virus functionality, Kaspersky’s software hooks into the Windows API via a driver named KLIF. Talos has identified two vulnerabilities in the way that the driver handles intercepted NtUserCreateWindowEx and NtAdjustTokenPrivileges calls. In both cases a malicious application on a machine with Kaspersky’s KLIF driver installed is able to execute one of these API calls with invalid parameters. This can cause the driver to attempt to access inaccessible memory, resulting in a system crash.

A further local denial of service attack is possible through Kaspersky’s KL1 driver. A malicious user can send a specially crafted IOCTL call to the KL1 driver. Under certain conditions, this can cause the driver to read memory outside of an allocated buffer. This may provoke a memory access violation resulting in a system crash.

Under certain circumstances a specially crafted IOCTL call can be used to leak kernel memory content to userland via a weak implementation of the KlDiskCtl service in the kldisk.sys driver. An attacker might leverage this to obtain security-relevant information from the kernel address space and combine this knowledge with other vulnerabilities to exploit the local system, e.g. by subverting security features such as address space layout randomization (ASLR).
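The KL1 out-of-bounds read and the kldisk.sys information leak described above are both instances of an IOCTL handler trusting caller-controlled parameters and handing back more of the system buffer than it filled. The following C program is an added example, not code from Talos or from any Kaspersky driver: it models a hypothetical IOCTL handler in user mode with a constructed "kernel memory" layout (`kernel_region_t`, `ioctl_request_t`, `ioctl_reply_t` and all function names are assumptions for the demo). The weak handler trusts `offset`/`count` and leaves untouched bytes of the recycled system buffer in place; the hardened one checks buffer sizes, zeroes the whole reply before use, and bounds-checks `offset + count` in 64-bit arithmetic so the check cannot wrap. To keep the demo free of undefined behaviour, the weak handler's over-read stays inside one allocation that stands in for neighbouring kernel data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of "kernel memory": the record table a hypothetical
 * IOCTL is allowed to expose, surrounded by neighbouring data that must
 * never reach user mode. Nothing here is the layout of any real driver. */
typedef struct {
    uint8_t before[32];
    uint8_t table[64];
    uint8_t after[32];
} kernel_region_t;

static kernel_region_t g_kernel;

static void init_kernel_memory(void) {
    memset(g_kernel.before, 0xBB, sizeof g_kernel.before);      /* neighbouring kernel data */
    for (int i = 0; i < 64; i++) g_kernel.table[i] = (uint8_t)i; /* exposable records 0..63 */
    memset(g_kernel.after, 0xCC, sizeof g_kernel.after);        /* neighbouring kernel data */
}

/* Hypothetical request/reply layouts (constructed for this example). */
typedef struct { uint32_t offset; uint32_t count; } ioctl_request_t;
typedef struct { uint32_t status; uint32_t reserved; uint8_t data[64]; } ioctl_reply_t;

enum { STATUS_OK = 0, STATUS_INVALID_PARAMETER = 1, STATUS_BUFFER_TOO_SMALL = 2 };

/* Weak handler: trusts the caller's offset/count (reads past the table into
 * neighbouring memory) and writes only the fields it needs, so stale bytes
 * in the rest of the system buffer are returned to user mode. */
static uint32_t handle_ioctl_weak(const ioctl_request_t *req, ioctl_reply_t *reply) {
    const uint8_t *src = (const uint8_t *)&g_kernel
                       + offsetof(kernel_region_t, table) + req->offset;
    memcpy(reply->data, src, req->count);
    reply->status = STATUS_OK;
    return STATUS_OK;
}

/* Hardened handler: checks buffer sizes, zeroes the whole reply before use,
 * and bounds-checks offset+count in 64-bit arithmetic so it cannot wrap. */
static uint32_t handle_ioctl_hardened(const ioctl_request_t *req, size_t in_len,
                                      ioctl_reply_t *reply, size_t out_len) {
    if (in_len < sizeof *req || out_len < sizeof *reply)
        return STATUS_BUFFER_TOO_SMALL;
    memset(reply, 0, sizeof *reply);                 /* never return stale pool/stack bytes */
    uint64_t end = (uint64_t)req->offset + req->count;
    if (end > sizeof g_kernel.table || req->count > sizeof reply->data) {
        reply->status = STATUS_INVALID_PARAMETER;
        return STATUS_INVALID_PARAMETER;
    }
    memcpy(reply->data, g_kernel.table + req->offset, req->count);
    reply->status = STATUS_OK;
    return STATUS_OK;
}

/* Simulated I/O manager: the system buffer is recycled pool memory that
 * still holds 0xAA from an earlier request; whatever the handler leaves
 * untouched is copied back to the caller unchanged. */
static uint32_t dispatch(int hardened, const ioctl_request_t *req, ioctl_reply_t *user_out) {
    ioctl_reply_t sysbuf;
    memset(&sysbuf, 0xAA, sizeof sysbuf);
    uint32_t st = hardened
        ? handle_ioctl_hardened(req, sizeof *req, &sysbuf, sizeof sysbuf)
        : handle_ioctl_weak(req, &sysbuf);
    memcpy(user_out, &sysbuf, sizeof sysbuf);
    return st;
}

/* Count reply bytes that are stale (0xAA) or came from neighbouring kernel
 * data (0xBB/0xCC); legitimate table bytes are 0..63 and never collide. */
static int count_leaked_bytes(const ioctl_reply_t *reply) {
    const uint8_t *p = (const uint8_t *)reply;
    int leaked = 0;
    for (size_t i = 0; i < sizeof *reply; i++)
        if (p[i] == 0xAA || p[i] == 0xBB || p[i] == 0xCC) leaked++;
    return leaked;
}

/* Run one request through the chosen handler and report how many bytes
 * reached user mode that should not have. */
static int leaked_bytes_for(int hardened, uint32_t offset, uint32_t count) {
    init_kernel_memory();
    ioctl_request_t req = { offset, count };
    ioctl_reply_t out;
    dispatch(hardened, &req, &out);
    return count_leaked_bytes(&out);
}

/* Status the hardened handler returns for a given request. */
static uint32_t hardened_status(uint32_t offset, uint32_t count) {
    init_kernel_memory();
    ioctl_request_t req = { offset, count };
    ioctl_reply_t out;
    return dispatch(1, &req, &out);
}

int main(void) {
    /* Request 32 bytes starting 16 bytes before the end of the 64-byte table. */
    printf("weak handler leaked %d bytes\n", leaked_bytes_for(0, 48, 32));     /* 52 */
    printf("hardened handler leaked %d bytes\n", leaked_bytes_for(1, 48, 32)); /* 0 */
    return 0;
}
```

The 52 leaked bytes from the weak handler break down as 16 bytes of neighbouring data past the table plus 36 bytes of the system buffer it never wrote; the hardened handler rejects the request and returns a fully zeroed reply. The same checks (size of both buffers, zeroing the output, overflow-safe range arithmetic) are what a reviewer looks for in any driver IOCTL dispatch path.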

The vulnerabilities affect Kaspersky Internet Security 16.0.0, KLIF driver version, but may affect other versions of the software too. Since anti-virus software runs with low-level privileges on any system, vulnerabilities in such software are potentially very interesting for attackers. Although these vulnerabilities are not particularly severe, administrators should be aware that security systems can be used by threat actors as part of an attack, and should keep such systems fully patched.

More details can be found in the following vulnerability reports:

As part of our commitment to responsible disclosure, on discovering the vulnerabilities we notified Kaspersky. We have ensured that a patch to remedy the vulnerabilities was available before publication.


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or

Snort rules: 39047-39048, 39078-39079, 38849-38850
