SECURITY.NNOV: KAV (AVP) for sendmail format string vulnerability

2001-06-20T00:00:00
ID SECURITYVULNS:DOC:1739
Type securityvulns
Reporter Securityvulns
Modified 2001-06-20T00:00:00

Description

Hello ,

Topic: Format string vulnerability in AVP for sendmail
Author: 3APA3A <3APA3A@security.nnov.ru>
Affected Software: KAV* for sendmail 3.5.135.2
Vendor: Kaspersky Lab
Vendor Notified: 30 May 2001
Risk: High/Average
Remotely Exploitable: Yes
Impact: DoS/Remote root compromise
Released: 06 June 2001
Vendor URL: http://www.kaspersky.com
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories

*KAV - "Kaspersky AntiVirus" formerly known as AVP.

Background:

KAV for sendmail is the antiviral product for sendmail in Kaspersky Lab's KAV suite (formerly known as AVP), one of very few commercially available multiplatform antiviral products for servers, workstations, CVP firewalls and messaging systems (Exchange, Lotus, Sendmail, QMail, Postfix) under DOS, Windows 95/98/ME/NT/2000, OS/2, Linux, FreeBSD, BSDI and soon Solaris (feel free to contact support@kaspersky.com if you need it for a different platform).

Problem:

While testing this software with the permission of Kaspersky Lab, a format string bug was found in a syslog() call in the avpkeeper utility:

/usr/local/share/AVP/avpkeeper/avpkeeper

Impact:

Intruders can cause a denial of service and can potentially execute code remotely with root or mail group privileges, depending on the installation. Code execution, if possible at all, is not trivial: the format string must conform to the RFC 2822 e-mail address requirements to pass through sendmail, and no source code is available.
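The defect class named above, as an added illustration that is not avpkeeper's code (the vendor's source is not available): the vulnerable shape hands a string taken from the message to syslog() as its format argument, the fixed shape keeps a constant format and passes the data through "%s". The helper that counts conversion directives is a detection-side check a mail gateway could run on addresses before logging; the sample address is constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count printf-style conversion directives in an untrusted string.
 * "%%" is a literal percent sign, not a directive. A sender address
 * carrying %n or %x is not something a legitimate mailer produces, so a
 * non-zero count is a useful alert condition on the logging side. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        if (s[1] == '\0')       /* lone trailing percent: not a directive */
            break;
        n++;
    }
    return n;
}

/* Vulnerable shape (hypothetical, mirrors the advisory's description):
 * the address read from the message becomes the format string itself.
 * Shown for contrast only; main() never calls it with untrusted input. */
void log_sender_vulnerable(const char *sender)
{
    syslog(LOG_MAIL | LOG_INFO, sender);          /* BUG: data used as format */
}

/* Fixed shape: constant format, the data is only ever a %s argument, so
 * any '%' inside it is logged literally. */
void log_sender_fixed(const char *sender)
{
    syslog(LOG_MAIL | LOG_INFO, "sender=%s", sender);
}

/* Render the fixed log line into a buffer so it can be inspected without
 * a syslog daemon. Returns the number of characters stored (NUL excluded),
 * capped at the buffer size like snprintf truncation. */
int render_sender_line(char *out, size_t outsz, const char *sender)
{
    int n = snprintf(out, outsz, "sender=%s", sender);
    if (n < 0)
        return -1;
    return n >= (int)outsz ? (int)outsz - 1 : n;
}

/* Returns 1 if the fixed rendering reproduces the sender verbatim after
 * the "sender=" prefix, i.e. no directive in it was interpreted. */
int fixed_line_is_verbatim(const char *sender)
{
    char line[256];
    if (render_sender_line(line, sizeof line, sender) < 0)
        return 0;
    return strncmp(line, "sender=", 7) == 0 && strcmp(line + 7, sender) == 0;
}

int main(void)
{
    /* Constructed sample: a From: address carrying format directives. */
    const char *hostile = "\"%x%x%n\"@example.com";
    char line[256];

    openlog("fmt-example", LOG_PID, LOG_MAIL);
    if (count_format_directives(hostile) > 0)
        printf("address contains %d format directives: %s\n",
               count_format_directives(hostile), hostile);
    render_sender_line(line, sizeof line, hostile);
    printf("%s\n", line);         /* the address appears unchanged */
    log_sender_fixed(hostile);    /* safe: directives stay literal */
    closelog();
    return 0;
}
```

The count helper is a monitoring aid, not a substitute for the fix: the only correct remedy is the constant format in log_sender_fixed, which is exactly what disabling syslog in the workaround below avoids having to rely on.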

Workaround:

Disable syslog: in avpkeeper.ini set usesyslog=no

Vendor:

Kaspersky Lab was contacted on May 30. A patched version was delivered within 24 hours, but no alerts were sent to users and no fixes were made available for public download. The vendor was also informed of a few potential local race conditions involving mktemp()/mkdtemp().

Solution:

Since AVP for Unix products are not open source and are not available for free download, please contact support@kaspersky.com to get patches for a registered version of KAV/AVP or a demo version.

This advisory is being provided to you under the policy documented at http://www.wiretrip.net/rfp/policy.html.

-- http://www.security.nnov.ru /\_/\ { . . } |\ +--oQQo->{ ^ }<-----+ \ | 3APA3A U 3APA3A } +-------------o66o--+ / |/ You know my name - look up my number (The Beatles)