Kaspersky Anti-Virus Lets Remote Users Crash the Process and May Give Remote Users Root Level Access to the Server

Date: Jun 21 2001 14:50 (UTC/GMT)

Impact: Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network

Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes

Advisory: SECURITY.NNOV
Description: SECURITY.NNOV issued an advisory warning of a vulnerability in Kaspersky Anti-Virus that allows a remote user to cause the anti-virus product to crash or to obtain privileges on the server (possibly including root-level privileges).

The vulnerability is reportedly due to a format string bug in a syslog() call in the avpkeeper utility (/usr/local/share/AVP/avpkeeper/avpkeeper). A remote user can cause the process to crash by sending a specially crafted e-mail message. It may also be possible for a remote user to cause arbitrary code to be executed by the product; however, this has not been demonstrated. The report states that code execution is a non-trivial exploit, if it is even possible, because the format string must conform to RFC 2821 e-mail address requirements. If arbitrary code is executed, it may run with root privileges or with mail group privileges, depending on how the product was installed.

Impact: A remote user can cause the process to crash by sending a specially formatted e-mail message (that the process will scan for viruses). A remote user may potentially be able to cause arbitrary code to be executed with root level privileges or with mail group privileges (depending on how the product was installed).

Solution: The vendor has developed a patch. Contact the developer to obtain the patch. As a workaround, the report suggests disabling syslog by configuring avpkeeper.ini to "set usesyslog=no".

Vendor URL: www.kaspersky.com/

Cause: Boundary error, Input validation error

Underlying OS: Linux (Any), UNIX (FreeBSD)

Reported By: 3APA3A <3APA3A@security.nnov.ru>

Message History:
None.

Source Message Contents

Date: Thu, 21 Jun 2001 10:21:24 -0400
From: 3APA3A <3APA3A@security.nnov.ru>
Subject: Format string vulnerability in AVP for sendmail

Topic: Format string vulnerability in AVP for sendmail
Author: 3APA3A <3APA3A@security.nnov.ru>
Affected Software: KAV* for sendmail 3.5.135.2
Vendor: Kaspersky Lab
Vendor Notified: 30 May 2001
Risk: High/Average
Remotely Exploitable: Yes
Impact: DoS/Remote root compromise
Released: 06 June 2001
Vendor URL: http://www.kaspersky.com
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories
*KAV - "Kaspersky Antivirus" formerly known as AVP.
Background:
KAV for sendmail is an antiviral product of Kaspersky Lab's KAV suite
(formerly known as AVP), one of very few commercially available
multiplatform antiviral products for servers, workstations, CVP
Firewalls and messaging systems (MS Exchange, Lotus, Sendmail, QMail,
Postfix) under DOS, Windows 95/98/ME/NT/2000, OS/2, Linux, FreeBSD,
BSDI and soon for Solaris (feel free to contact support@kaspersky.com
if you need it for a different platform).
Problem:
While testing this software together with the Kaspersky Lab test team,
a format string bug was found by SECURITY.NNOV in a syslog() call in
the avpkeeper utility (/usr/local/share/AVP/avpkeeper/avpkeeper).
Impact:
Intruders can cause Denial of Service and potentially can execute code
remotely with root or group mail privileges depending on installation
(code execution is not trivial, if possible, because the format string
must conform to RFC 2821 e-mail address requirements and no source code
is available).
Workaround:
Disable syslog. In avpkeeper.ini set usesyslog=no
Vendor:
Kaspersky Lab was contacted on May 30. A patched version was delivered
in 24 hours, but no alerts were sent to users and no fixes were made
available for public download. The vendor was also informed of a few
potential local race conditions with the mktemp()/mkdtemp() functions.
Solution:
Since AVP for Unix products are not open source and are not available
for free download, please contact support@kaspersky.com to get patches
for the registered version of KAV/AVP.
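The bug class both the summary and the advisory describe, as an added illustration that is not part of the advisory or of Kaspersky's code: a C check that flags sender mailboxes which are valid RFC 2821 dot-strings yet carry printf conversion directives (the author's point that the format string must still be a legal address, and '%' is legal atext), beside the hardened logging pattern that passes the sender as an argument rather than as the format. Function names, the log message text and the sample addresses are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* RFC 2821 atom characters (atext, via RFC 2822 3.2.4). '%' is legal, which
 * is why a sender can carry printf directives and still be a valid mailbox. */
static bool is_atext(char c) {
    return c != '\0' && ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || strchr("!#$%&'*+-/=?^_`{|}~", c));
}

/* Dot-string local-part: non-empty atoms separated by single dots. */
static bool valid_local_part(const char *s, size_t len) {
    if (len == 0 || s[0] == '.' || s[len - 1] == '.') return false;
    for (size_t i = 0; i < len; i++)
        if (s[i] == '.' ? s[i - 1] == '.' : !is_atext(s[i])) return false;
    return true;
}

/* Count printf conversion directives ("%x", "%08d", ...); "%%" is a literal. */
int count_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%' || *++s == '%') continue;              /* plain char or "%%" */
        while (*s && strchr("-+ #0123456789.*hlLqjzt", *s)) s++;  /* flags/width/length */
        if (*s && strchr("diouxXeEfgGcspn", *s)) n++;        /* conversion letter */
        else s--;                                             /* let the loop re-examine it */
    }
    return n;
}

/* 0 = ordinary sender; 1 = valid mailbox that carries format directives (the
 * shape that would reach a syslog(pri, addr) call unchanged; worth alerting on
 * in mail logs); -1 = not a valid RFC 2821 dot-string mailbox at all. */
int classify_sender(const char *addr) {
    const char *at = strrchr(addr, '@');
    if (!at || !valid_local_part(addr, (size_t)(at - addr))) return -1;
    return count_directives(addr) > 0 ? 1 : 0;
}

/* Hardened logging pattern: a fixed format with the sender as an argument, so
 * any directives inside the address remain literal text in the log line. */
bool logs_sender_literally(const char *addr) {
    char buf[128];
    snprintf(buf, sizeof buf, "avpkeeper: scanning mail from %s", addr);
    return strstr(buf, addr) != NULL;   /* address appears verbatim */
}
```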