3 vulnerabilities fixed in Kaspersky Anti-Virus for Workstation, File Server version 6.0
Pertains to the following components:
- Kaspersky Anti-Virus for Workstations
- Kaspersky Anti-Virus for File Server
- Kaspersky AV Library Remote Heap Overflow
- klif.sys Heap Overflow Vulnerability
- KLIF Local Privilege Escalation Vulnerability
Kaspersky AV Library Remote Heap Overflow1
This vulnerability affected systems which are running the Kaspersky Anti-Virus Engine. User interaction is not required to exploit this vulnerability.
The OnDemand Scanner incorrectly parses specially crafted ARJ archives inside the arj.ppl module. This results in a memory overrun. Most often the product simply crashes. The corruption potentially can be exploited to execute arbitrary code without user interaction. Any products using arj.ppl are vulnerable.
klif.sys Heap Overflow Vulnerability 2
Locally executed code can write some special values into registry that hangs klif.sys driver, part of the proactive protection. The driver hooks and screens certain system calls, including registry functions. One of the hook functions is vulnerable to an integer overflow that leads to a kernel heap overflow. If a large unsigned value for the data size argument is passed an arithmetic overflow occurs when the amount of memory to allocate is calculated. A copy operation into this buffer causes a corruption of kernel page pool memory.
KLIF Local Privilege Escalation Vulnerability
This vulnerability allows locally executed code to receive Ring-0 privileges through klif.sys unsafe code. It requires the user to execute code. The vulnerability is local and code should first appear on user's computer.
All these vulnerabilities have been fixed in the version 6.0.
2Kaspersky would like to thank iDefence (http://labs.idefense.com) for reporting this issue.