SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Security)  >   AhnLab V3 Vendors:   AhnLab, Inc.
AhnLab V3 DeviceIoControl() Authentication Error Lets Local Users Gain Elevated Privileges and ACE Archive Bugs Let Remote Users Create Arbitrary Files or Execute Arbitrary Code
SecurityTracker Alert ID:  1014908
SecurityTracker URL:  http://securitytracker.com/id/1014908
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 15 2005
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, Modification of system information, Modification of user information, Root access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 6.0.0.457
Description:   Several vulnerabilities were reported in AhnLab V3. A local user can gain elevated privileges on the target system. A remote user may be able to cause files to be written to the system or arbitrary code to be executed on the system.

The 'v3flt2k.sys' real-time scanning process does not authenticate 'DeviceIoControl()' commands. A local user can send specially crafted DeviceIoControl requests to disable the scanning engine or to execute 'explorer.exe' with System level privileges.

The software does not properly process compressed ACE archives. A remote user can create an ACE archive with a compressed file that has a specially crafted filename. When the file is decompressed and scanned, a stack overflow may be triggered. Arbitrary code can be executed on the target system if compressed file scanning is enabled.

A remote user can create a specially crafted archive to exploit a directory traversal flaw in the archive decompression library to write files to arbitrary directories on the target system. An archive with a compressed file that has directory traversal characters in the filename can trigger the vulnerability when the archive is scanned.

The AhnLab V3Pro 2004 (called AhnLab V3 VirusBlock 2005 in certain markets) and AhnLab V3Net for Windows Server 6.0 products are affected.

The vendor was notified on Jun 15, 2005.

Tan Chew Keong of Secunia Research discovered this vulnerability.
Impact:   A local user can gain elevated privileges on the target system.

A remote user may be able to cause files to be written to the system.

A remote user may be able to cause arbitrary code to be executed on the system.
Solution:   The vendor has issued a fixed version (6.0.0.457), available via the online Smart Update Utility.

The vendor's advisory is available at:

http://info.ahnlab.com/english/advisory/01.html
Vendor URL:  info.ahnlab.com/english/advisory/01.html (Links to External Site)
Cause:   Authentication error, Boundary error, Input validation error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Thu, 15 Sep 2005 14:22:48 +0200
Subject:  Secunia Research: Ahnlab V3 Antivirus Multiple Vulnerabilities

====================================================================== 

                     Secunia Research 15/09/2005

          - Ahnlab V3 Antivirus Multiple Vulnerabilities -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

====================================================================== 
1) Affected Software 

AhnLab V3Pro 2004 (Build 6.0.0.383)
AhnLab V3 VirusBlock 2005 (Build 6.0.0.383)
AhnLab V3Net for Windows Server 6.0 (Build 6.0.0.383)

Prior versions may also be affected.

====================================================================== 
2) Severity 

Rating: Highly critical
Impact: System access
        Privilege escalation
        Security bypass
Where:  Remote

====================================================================== 
3) Description of Vulnerability

Secunia research has discovered some vulnerabilities in AhnLab V3
Antivirus, which can be exploited by malicious, local users
to gain escalated privileges, or by malicious people to compromise a 
vulnerable system.

1) The real-time scan driver, v3flt2k.sys, does not validate the
source of received "DeviceIoControl()" commands. This can be
exploited by non-administrative users to run explorer.exe with
SYSTEM privileges, or to disable the real-time scan engine, via 
specially crafted DeviceIoControl requests. 

2) A boundary error in the ACE archive decompression library can be
exploited to cause a stack-based buffer overflow when a malicious
ACE archive containing a compressed file with an overly long 
filename is scanned.

Successful exploitation allows execution of arbitrary code, but
requires that compressed file scanning is enabled.

3) A directory traversal error in the archive decompression library
can be exploited to write files to arbitrary directories when a
malicious archive containing compressed files with directory
traversal sequences in their filenames is scanned.

Vulnerability #2 and #3 are related to:
SA14359

====================================================================== 
4) Solution 

Update to version 6.0.0.457 via online update.

====================================================================== 
5) Time Table 

15/06/2005 - Initial vendor notification.
16/06/2005 - Initial vendor response.
12/08/2005 - Received patch for testing.
15/08/2005 - Notified vendor of vulnerabilities in ACE archive
             handling.
31/08/2005 - Received patch for testing.
15/09/2005 - Public disclosure.

====================================================================== 
6) Credits 

Discovered by Tan Chew Keong, Secunia Research.

====================================================================== 
7) References

AhnLab:
http://info.ahnlab.com/english/advisory/01.html

====================================================================== 
8) About Secunia 

Secunia collects, validates, assesses, and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 

http://secunia.com/

Secunia offers services to our customers enabling them to receive all 
relevant vulnerability information to their specific system 
configuration. 

Secunia offers a FREE mailing list called Secunia Security Advisories: 

http://secunia.com/secunia_security_advisories/

====================================================================== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-17/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC