[NEWS] Kaspersky AntiVirus UPX File Decompression DoS

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Kaspersky AntiVirus UPX File Decompression DoS
------------------------------------------------------------------------


SUMMARY

<http://www.kaspersky.com/> Kaspersky Antivirus is a popular client and
gateway virus scanner for Unix and Windows. UPX, the ultimate packer for
executables, is a method for compressing executable files to reduce their
size on disk.

Remote exploitation of a denial of service (DoS) vulnerability in
Kaspersky Lab's Antivirus could allow an attacker to conduct a DoS attack
on a targeted host.

DETAILS

Vulnerable Systems:
* Kaspersky Labs Antivirus Engine version 6.0.1.411 for Windows.
* Kaspersky Labs Antivirus Engine version 5.5-10 for Linux.
* Previous versions may also be affected.
* Any products that use the scanning engine are also affected, which
includes the Kaspersky e-mail gateway scanner.

The antivirus engine is vulnerable to a DoS condition when processing an
executable packed with UPX compression. Malformed compressed data causes
the decompression routine to enter an infinite loop. Specifically, a
negative data offset results in the same compressed data chunk being
processed endlessly.

Exploitation allows an attacker to conduct a DoS attack.

If this attack is conducted against an e-mail gateway running Kaspersky,
legitimate clients may be unable to send e-mail through the server.

The infinite loop being executed consists of a short sequence of
instructions, which results in maximum CPU usage. On a client desktop, the
infinite loop will render the machine nearly unusable. On a server, it
severely degrades the quality of service of other applications running.

Vendor Status:
Kaspersky Lab reports that it has fixed this vulnerability as of February
7th, 2007. In addition, they stated the following.
"There is no need to download any special patches. All installed Kaspersky
Lab products are updated automatically through the regular
signature-update functionality. There is not need to contact Kaspersky Lab
to obtain this fix."

Disclosure Timeline:
* 01/24/2007 - Initial vendor notification
* 03/01/2007 - Initial vendor response
* 03/02/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:

<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=485>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=485



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages