lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <d65cd4390711160712t1c6a1e92s46841eaa5158367a@mail.gmail.com>
Date: Fri, 16 Nov 2007 23:12:29 +0800
From: Sowhat <smaillist@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: AhnLab AntiVirus Remote Kernel Memory Corruption

AhnLab AntiVirus Remote Kernel Memory Corruption


Sowhat of Nevis Labs
HTTP://www.nevisnetworks.com
http://secway.org/advisory/AD20071116.txt


Vendor:
AhnLab Inc.


Affected:

AhnLab Antivirus V3 Internet Security 2008
The other version maybe vulnerable too.

This vulnerability has been confirmed on AhnLab V3 Internet Security
2008 Platinum.

Vendor Response:

2007.11.10	Vendor notified via asec@...lab.com
2007.11.13	Vendor replied: "Before we received your e-mail, we fixed
the vulnerability on the 9th of November"
2007.11.16  Release this advisory



Details:

There is a vulnerability in AhnLab Antivirus, which allows an attacker
to cause a BSOD(Blue Screen Of Death), or, potentially arbitrary code execution.

This vulnerability can be exploited By persuading a user to a website.

While parsing the .ZIP file, AhnLab Antivirus Library does not
properly check the value of
certain field, thus result into a remote Kernel memory corruption.


The ZIP file format:

Local file header:
Offset   Length   Contents
  0      4 bytes  Local file header signature (0x04034b50)
  4      2 bytes  Version needed to extract
  6      2 bytes  General purpose bit flag
  8      2 bytes  Compression method
 10      2 bytes  Last mod file time
 12      2 bytes  Last mod file date
 14      4 bytes  CRC-32
 18      4 bytes  Compressed size (n)
 22      4 bytes  Uncompressed size
 26      2 bytes  Filename length (f)
 28      2 bytes  Extra field length (e)
        (f)bytes  Filename
        (e)bytes  Extra field
        (n)bytes  Compressed data

the offset at 26(0x1a) is the "Filename length".

AhnLab AV will copy the file name and then add a NULL byte at the end
the filename.
However, the NULL bytes will be stored according the WORD value read
from the offset 0x1a.

kd> r
eax=0000dddd ebx=8162f340 ecx=e1dade60 edx=e1dac060 esi=815a54f8 edi=e1dac054
eip=f72df075 esp=f8063834 ebp=f8063848 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
v3engine+0xb4075:
f72df075 c6040100        mov     byte ptr [ecx+eax],0

The AX is directly read from the zip file and it is controlled by the attacker.

This results into a Limited arbitrary memory address NULL bytes overwritten.
By storing a null byte to an arbitrary memory location, it might be able to
produce exploitation conditions.

The vulnerability can be exploited remotely, by sending Email or
convince the victim
visit attacker controlled website. If the AhnLab users Real Time
Protection is enabled (This
is the default setting), there will be a KERNEL memory corruption.
which will result into
a BSOD or kernel code execution.




-- 
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ