Message-ID: <200407101810.i6AIAJ9X016829@ms-smtp-02.rdc-kc.rr.com>
Date: Sat, 10 Jul 2004 13:10:24 -0500
From: "DaiTengu" <daitengu@...-ensemble.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: Norton AntiVirus Denial Of Service Vulnerability [Part: !!!]


Bipin Gautam wrote:
> Norton AntiVirus Denial Of Service Vulnerability [Part: !!!]
> 
> *vulnerable [...only tested on!]
> 
> Symantec Norton AntiVirus 2003 Professional Edition Symantec Norton
> AntiVirus 2002 
> 
> *not vulnerable
> Mcafee 7*
> Mcafee 8*
> 
> Risk Impact: Medium
> Remote: yes
> 
> Description:
> While having a virus scan [automatic/manual] of some specially
> crafted compressed files; NAV triggers a DoS using 100% CPU for a
> very long time. Moreover, NAV is unable to stop the scan in middle,
> even if the user wishes to manually stop the virus scan. Then, in
> this situation the only alternate is to kill the process. --- [Proof
> of Concept] ---    
> Please download this file.
> 
>  http://www.geocities.com/visitbipin/av_bomb_3.zip         <---  For
> symantec. 
> 
>  http://www.geocities.com/visitbipin/EXTRACTit1st.zip      <--- A
> bzip2 file, test it on other AV products, too. 
> 
> The file contains, 'EICAR Test String' buried in 49647 directories.
> This is just a RAW 'proof of concept'. A few 100kb's of compressed
> file could be crafted in a way... NAV will take hours or MIGHT even
> days to complete the scan causing 100% CPU use in email gateways for
> hours. The compressed archive must not necessarily be a '.zip' to
> trigger this attack.     
>


Tested on Symantec Corporate 9.0 (338). Scanned the file in just under 10
seconds with no noticeable CPU usage.

OS: Windows XP (SP2 RC2)
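
A gateway-side pre-scan check for the kind of archive the quoted report describes (a small file with tens of thousands of nested directory entries), as an added example that is not part of the original thread. The limits, function names and the sample archive are assumptions constructed for illustration, and it covers only zip, while the report notes other archive formats apply too.

```python
import io
import zipfile

def inspect_zip(data, max_entries=10_000, max_depth=32,
                max_total=200 * 1024 * 1024, max_ratio=200):
    """Return reasons to quarantine instead of scan; an empty list means OK.

    Reads only the central directory, so nothing is decompressed. Declared
    sizes can be forged, so the scanner still needs its own time budget.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a readable zip archive"]
    with zf:
        infos = zf.infolist()
    reasons = []
    if len(infos) > max_entries:
        reasons.append(f"entries {len(infos)} > {max_entries}")
    # Depth = number of non-empty path components in the deepest entry name.
    depth = max((len([p for p in i.filename.split("/") if p]) for i in infos),
                default=0)
    if depth > max_depth:
        reasons.append(f"path depth {depth} > {max_depth}")
    total = sum(i.file_size for i in infos)
    packed = max(sum(i.compress_size for i in infos), 1)
    if total > max_total:
        reasons.append(f"declared size {total} > {max_total}")
    if total / packed > max_ratio:
        reasons.append(f"compression ratio {total / packed:.0f} > {max_ratio}")
    return reasons

def build_sample(n_dirs, nest):
    """Constructed sample: n_dirs directory entries, each `nest` levels deep,
    plus one benign placeholder file (no test string or malware content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n in range(n_dirs):
            zf.writestr("/".join([f"d{n}"] + ["x"] * (nest - 1)) + "/", b"")
        zf.writestr("d0/placeholder.txt", b"benign placeholder\n")
    return buf.getvalue()

if __name__ == "__main__":
    # Assumed tight limits so the small constructed sample trips both checks.
    print(inspect_zip(build_sample(300, 5), max_entries=100, max_depth=3))
    print(inspect_zip(build_sample(3, 2)))
```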
 



