SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Security)  >   AhnLab V3
Vendors:   AhnLab, Inc.
AhnLab V3 Internet Security ZIP File Memory Error May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1018977
SecurityTracker URL:  http://securitytracker.com/id/1018977
CVE Reference:   CVE-2007-6060   (Links to External Site)
Updated:  Feb 17 2008
Original Entry Date:  Nov 16 2007
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): AhnLab V3 Internet Security 2008 Platinum
Description:   A vulnerability was reported in AhnLab V3 Internet Security. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted ZIP file that, when loaded by the target user, will trigger a memory corruption error and potentially execute arbitrary code on the target system. The code will run with the privileges of the target user.

The original advisory is available at:

http://secway.org/advisory/AD20071116.txt

Sowhat of Nevis Labs reported this vulnerability.

Impact:   A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   The vendor has issued a fixed version.
Vendor URL:  global.ahnlab.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


Source Message Contents

Subject:  [Full-disclosure] AhnLab AntiVirus Remote Kernel Memory Corruption

AhnLab AntiVirus Remote Kernel Memory Corruption


Sowhat of Nevis Labs
HTTP://www.nevisnetworks.com
http://secway.org/advisory/AD20071116.txt


Vendor:
AhnLab Inc.


Affected:

AhnLab Antivirus V3 Internet Security 2008
Other versions may be vulnerable too.

This vulnerability has been confirmed on AhnLab V3 Internet Security
2008 Platinum.

Vendor Response:

2007.11.10	Vendor notified via asec@ahnlab.com
2007.11.13	Vendor replied: "Before we received your e-mail, we fixed
the vulnerability on the 9th of November"
2007.11.16	Released this advisory



Details:

There is a vulnerability in AhnLab Antivirus which allows an attacker
to cause a BSOD (Blue Screen Of Death) or, potentially, arbitrary code execution.

This vulnerability can be exploited by persuading a user to visit a website.

While parsing the .ZIP file, the AhnLab Antivirus library does not
properly check the value of a certain field, thus resulting in remote
kernel memory corruption.


The ZIP file format:

Local file header:
Offset   Length   Contents
  0      4 bytes  Local file header signature (0x04034b50)
  4      2 bytes  Version needed to extract
  6      2 bytes  General purpose bit flag
  8      2 bytes  Compression method
 10      2 bytes  Last mod file time
 12      2 bytes  Last mod file date
 14      4 bytes  CRC-32
 18      4 bytes  Compressed size (n)
 22      4 bytes  Uncompressed size
 26      2 bytes  Filename length (f)
 28      2 bytes  Extra field length (e)
        (f)bytes  Filename
        (e)bytes  Extra field
        (n)bytes  Compressed data

The field at offset 26 (0x1a) is the "Filename length".

AhnLab AV will copy the file name and then add a NULL byte at the end
of the filename.
However, the NULL byte will be stored according to the WORD value read
from offset 0x1a.

kd> r
eax=0000dddd ebx=8162f340 ecx=e1dade60 edx=e1dac060 esi=815a54f8 edi=e1dac054
eip=f72df075 esp=f8063834 ebp=f8063848 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
v3engine+0xb4075:
f72df075 c6040100        mov     byte ptr [ecx+eax],0

AX is read directly from the zip file and is controlled by the attacker.

This results in a limited arbitrary-memory-address NULL-byte overwrite.
By storing a null byte at an arbitrary memory location, it might be possible to
produce exploitation conditions.

The vulnerability can be exploited remotely, by sending an email or
convincing the victim to visit an attacker-controlled website. If the AhnLab
user's Real Time Protection is enabled (this is the default setting), there
will be KERNEL memory corruption, which will result in a BSOD or kernel
code execution.




-- 
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
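The advisory above describes the filename-length WORD at offset 0x1a being used, unchecked, as the index at which the NUL terminator is stored. The following is an added example (not code from the advisory, from AhnLab, or from Nevis Labs) of how a local-file-header parser bounds that index against the caller's buffer and against the data actually present before writing; the header layout is the one listed above, and the sample headers, buffer size and function names are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LFH_SIG       0x04034b50u   /* local file header signature */
#define LFH_FIXED_LEN 30            /* bytes before the variable-length fields */
#define NAME_BUF      256           /* size of the caller's filename buffer (assumed) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copy the filename out of a local file header and NUL-terminate it.
 * Returns 0 on success or a negative code; nothing is written on error.
 * The terminator index (f) is bounded by the buffer and by the data actually
 * present, instead of being trusted straight from the WORD at offset 0x1a. */
int parse_local_header(const uint8_t *data, size_t len, char name[NAME_BUF], uint16_t *f_out) {
    if (len < LFH_FIXED_LEN) return -1;                 /* truncated header */
    if (rd32(data) != LFH_SIG) return -2;               /* wrong signature */
    uint16_t f = rd16(data + 26);                       /* filename length */
    uint16_t e = rd16(data + 28);                       /* extra field length */
    if (f >= NAME_BUF) return -3;                       /* name[f] = 0 would be out of bounds */
    if ((size_t)f + e > len - LFH_FIXED_LEN) return -4; /* claims more data than exists */
    memcpy(name, data + LFH_FIXED_LEN, f);
    name[f] = '\0';                                     /* safe: f < NAME_BUF */
    if (f_out) *f_out = f;
    return 0;
}

/* Constructed test data: a minimal header followed by `name`, with `claimed`
 * written into the filename-length field. Returns the bytes written. */
size_t make_header(uint8_t *out, const char *name, uint16_t claimed) {
    size_t n = strlen(name);
    memset(out, 0, LFH_FIXED_LEN);
    out[0] = 0x50; out[1] = 0x4b; out[2] = 0x03; out[3] = 0x04; /* "PK\3\4" */
    out[26] = (uint8_t)(claimed & 0xff);
    out[27] = (uint8_t)(claimed >> 8);
    memcpy(out + LFH_FIXED_LEN, name, n);
    return LFH_FIXED_LEN + n;
}

/* Parse a header whose length field is `claimed` for a 10-byte name. */
int parse_with_claimed_length(uint16_t claimed) {
    uint8_t buf[64];
    char name[NAME_BUF];
    size_t n = make_header(buf, "readme.txt", claimed);
    return parse_local_header(buf, n, name, NULL);
}
```

A length field of 0xdddd (the value in the debugger output above) is rejected before any byte is written, as is a length that merely exceeds the bytes that follow the header.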

Copyright 2020, SecurityGlobal.net LLC