
HTTP Kaspersky Kl File Exfilt Inst.

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects attempts to exploit a file-exfiltration vulnerability through the Kaspersky AntiVirus 'KL.Prod60' ActiveX control.

Additional Information

Kaspersky AntiVirus is an antivirus application for desktop and small-business computers.

Kaspersky AntiVirus is prone to an arbitrary-file-exfiltration vulnerability because it contains a file-upload ActiveX control that can be misused by a malicious site.

Specifically, the vulnerability resides in the 'KL.Prod60' ActiveX control. The control contains methods named 'DeleteFile', 'StartBatchUploading', 'StartStrBatchUploading', and 'StartUploading' that can be abused by a malicious site to cause an upload of arbitrary client-side files. An attacker can initiate a client-to-server anonymous FTP transfer to exfiltrate arbitrary system files from the vulnerable client.

The vulnerable ActiveX control is identified by the CLSID {D9EC22E7-1A86-4F7C-8940-0303AE5D6756}.
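
The following is an added example, not Symantec's signature logic and not part of the original advisory. It sketches a content check built from the identifiers above: an HTTP response body is flagged only when it references the control (by CLSID or by the name 'KL.Prod60') and escalated when one of the four listed methods is also called. The function name, verdict labels and sample bodies are assumptions constructed for illustration.

```python
import re

# Identifiers taken from the advisory text.
CLSID = "D9EC22E7-1A86-4F7C-8940-0303AE5D6756"
PROGID = "KL.Prod60"
METHODS = ("DeleteFile", "StartBatchUploading", "StartStrBatchUploading", "StartUploading")
CANON = {m.lower(): m for m in METHODS}

# The control may be referenced by CLSID (<object classid=...>) or by name
# (new ActiveXObject(...)); match both case-insensitively so a change of
# letter case does not slip past the check.
CONTROL_RE = re.compile(re.escape(CLSID) + "|" + re.escape(PROGID) + r"\b", re.IGNORECASE)
METHOD_RE = re.compile(r"\.\s*(" + "|".join(METHODS) + r")\s*\(", re.IGNORECASE)

# Constructed sample bodies (not captured traffic); method arguments omitted.
SAMPLES = {
    "benign": '<script>fs.DeleteFile("tmp.txt")</script>',
    "loads": '<object classid="clsid:d9ec22e7-1a86-4f7c-8940-0303ae5d6756" id="kl"></object>',
    "calls": '<script>var kl = new ActiveXObject("KL.Prod60"); kl.StartUploading();</script>',
}


def inspect_body(body):
    """Classify one HTTP response body (hypothetical helper).

    Returns (verdict, methods):
      "clean"              - the control is not referenced
      "control-referenced" - the control is loaded, no listed method is called
      "upload-method-call" - the control is loaded and a listed method is called
    """
    if not CONTROL_RE.search(body):
        # Method names alone (e.g. DeleteFile) are too generic to alert on.
        return "clean", []
    called = sorted({CANON[m.lower()] for m in METHOD_RE.findall(body)})
    return ("upload-method-call" if called else "control-referenced"), called


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, inspect_body(body))
```

The check matches literal references only; script that builds the names at run time or calls methods through bracket notation is outside what it covers.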

Successful attacks performed against affected applications may result in the loss of confidential information. This may aid in other attacks.

This issue affects Kaspersky Anti-Virus 6.0 and Kaspersky Internet Security 6.0.

Affected

  • Kaspersky Anti-Virus 6.0, 6.0.Maintenance Pack 2
  • Kaspersky Internet Security 6.0, 6.0.Maintenance Pack 2

Response

The vendor has removed the vulnerable libraries from the latest maintenance release. Please contact the vendor for details.