
AD20071116.txt

Posted Nov 26, 2007
Authored by Sowhat | Site nevisnetworks.com

AhnLab AntiVirus V3 Internet Security 2008 suffers from a denial of service condition that may lead to arbitrary code execution.

tags | advisory, denial of service, arbitrary, code execution
SHA-256 | b9871befeef9483c9341e420a26f081ceacb053a4ca88b82547337d463e7ccb7

AhnLab AntiVirus Remote Kernel Memory Corruption


Sowhat of Nevis Labs
HTTP://www.nevisnetworks.com
http://secway.org/advisory/AD20071116.txt


Vendor:
AhnLab Inc.


Affected:

AhnLab Antivirus V3 Internet Security 2008
Other versions may be vulnerable as well.

This vulnerability has been confirmed on AhnLab V3 Internet Security 2008 Platinum.

Vendor Response:

2007.11.10 Vendor notified via asec@ahnlab.com
2007.11.13 Vendor replied: "Before we received your e-mail, we fixed the vulnerability on the 9th of November"
2007.11.16 Advisory released



Details:

There is a vulnerability in AhnLab Antivirus which allows an attacker to cause
a BSOD (Blue Screen Of Death) or, potentially, arbitrary code execution.

This vulnerability can be exploited by persuading a user to visit a website.

While parsing a .ZIP file, the AhnLab Antivirus library does not properly
check the value of a certain header field, which results in a remote kernel
memory corruption.


The ZIP file format:

Local file header:
Offset    Length    Contents
0         4 bytes   Local file header signature (0x04034b50)
4         2 bytes   Version needed to extract
6         2 bytes   General purpose bit flag
8         2 bytes   Compression method
10        2 bytes   Last mod file time
12        2 bytes   Last mod file date
14        4 bytes   CRC-32
18        4 bytes   Compressed size (n)
22        4 bytes   Uncompressed size
26        2 bytes   Filename length (f)
28        2 bytes   Extra field length (e)
30        f bytes   Filename
30+f      e bytes   Extra field
30+f+e    n bytes   Compressed data

The field at offset 26 (0x1a) is the "Filename length".

AhnLab AV copies the file name and then appends a NULL byte at the end of
the copied filename. However, the NULL byte is stored at an index taken
directly from the WORD value read at offset 0x1a, without checking that
value against the size of the destination buffer.

kd> r
eax=0000dddd ebx=8162f340 ecx=e1dade60 edx=e1dac060 esi=815a54f8 edi=e1dac054
eip=f72df075 esp=f8063834 ebp=f8063848 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
v3engine+0xb4075:
f72df075 c6040100 mov byte ptr [ecx+eax],0

The value in AX (0xdddd here) is read directly from the zip file and is controlled by the attacker.

This results in a limited write to an arbitrary memory address: a single
NULL byte is stored at an attacker-chosen offset from the destination buffer,
anywhere in the 0 to 0xffff range of the 16-bit length field. Storing a null
byte at a chosen memory location may be enough to produce exploitable
conditions.

The vulnerability can be exploited remotely by sending an email or by
convincing the victim to visit an attacker-controlled website. If the AhnLab
user's Real Time Protection is enabled (the default setting), the crafted
archive is scanned automatically and the kernel memory corruption results in
a BSOD or kernel code execution.
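The following is an added example, not code from the advisory or from AhnLab: a user-mode model of the local-file-header bug described above, with the vulnerable pattern (a bounded copy followed by an unchecked `dst[name_len] = 0`) beside a hardened parser that validates the filename length against both the destination buffer and the remaining input before writing. The 260-byte name buffer, the scratch arena, and all function names (`copy_name_vulnerable`, `parse_local_header`, `build_lfh`, `vulnerable_nul_offset`, `hardened_parse_demo`) are assumptions for illustration; the headers it parses are constructed inline with a CRC-32 of zero.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LFH_SIGNATURE  0x04034b50u
#define LFH_FIXED_SIZE 30                 /* bytes before filename/extra/data */
#define NAME_BUF_SIZE  260                /* assumed MAX_PATH-style name buffer */
#define ARENA_SIZE     (0x10000u + NAME_BUF_SIZE)

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Vulnerable pattern, reconstructed from the advisory's description (not
 * AhnLab's source): the copy is bounded, but the terminating NUL is stored at
 * dst[name_len] with name_len taken straight from offset 0x1a of the header.
 * This matches "mov byte ptr [ecx+eax],0" with eax = 0xdddd in the kd dump:
 * one attacker-chosen zero byte up to 0xffff bytes past the buffer. */
static void copy_name_vulnerable(char *dst, const uint8_t *hdr)
{
    uint16_t name_len = rd_le16(hdr + 26);
    size_t n = name_len < NAME_BUF_SIZE - 1 ? name_len : NAME_BUF_SIZE - 1;
    memcpy(dst, hdr + LFH_FIXED_SIZE, n);
    dst[name_len] = '\0';                 /* BUG: unchecked 16-bit index */
}

/* Hardened parser: every length is checked against both the input and the
 * destination before any write. Returns 0 on success (name_out is
 * NUL-terminated, *data_off is the offset of the compressed data) or -1. */
static int parse_local_header(const uint8_t *buf, size_t buf_len,
                              char *name_out, size_t name_cap, size_t *data_off)
{
    if (buf_len < LFH_FIXED_SIZE || rd_le32(buf) != LFH_SIGNATURE) return -1;
    uint16_t name_len  = rd_le16(buf + 26);
    uint16_t extra_len = rd_le16(buf + 28);
    uint32_t csize     = rd_le32(buf + 18);
    if ((size_t)name_len + 1 > name_cap) return -1;      /* terminator must fit */
    uint64_t need = (uint64_t)LFH_FIXED_SIZE + name_len + extra_len + csize;
    if (need > buf_len) return -1;                        /* truncated or oversized */
    memcpy(name_out, buf + LFH_FIXED_SIZE, name_len);
    name_out[name_len] = '\0';
    *data_off = (size_t)LFH_FIXED_SIZE + name_len + extra_len;
    return 0;
}

/* Build a minimal "stored" local file header whose filename-length field is
 * whatever the caller claims, regardless of the real name. CRC-32 stays 0
 * (constructed test input; neither routine looks at it). Returns total size. */
static size_t build_lfh(uint8_t *out, size_t cap, const char *name,
                        uint16_t claimed_name_len, const uint8_t *data, uint32_t data_len)
{
    size_t real_len = strlen(name);
    size_t total = LFH_FIXED_SIZE + real_len + data_len;
    if (total > cap) return 0;
    memset(out, 0, cap);
    wr_le32(out, LFH_SIGNATURE);
    wr_le16(out + 4, 20);                 /* version needed to extract */
    wr_le32(out + 18, data_len);          /* compressed size */
    wr_le32(out + 22, data_len);          /* uncompressed size */
    wr_le16(out + 26, claimed_name_len);  /* the field the advisory is about */
    memcpy(out + LFH_FIXED_SIZE, name, real_len);
    if (data_len) memcpy(out + LFH_FIXED_SIZE + real_len, data, data_len);
    return total;
}

/* Run the vulnerable copy inside a large scratch arena so the stray write is
 * observable instead of crashing; returns the offset at or past the 260-byte
 * name buffer where a zero byte appeared, or -1 if all writes stayed in bounds. */
static long vulnerable_nul_offset(uint16_t claimed_name_len)
{
    static uint8_t arena[ARENA_SIZE];
    static uint8_t hdr[LFH_FIXED_SIZE + NAME_BUF_SIZE];
    memset(arena, 0xAA, sizeof arena);
    build_lfh(hdr, sizeof hdr, "a.txt", claimed_name_len, NULL, 0);
    copy_name_vulnerable((char *)arena, hdr);
    for (size_t i = NAME_BUF_SIZE; i < sizeof arena; i++)
        if (arena[i] == 0) return (long)i;
    return -1;
}

static char   last_name[NAME_BUF_SIZE];   /* results of the last hardened parse */
static size_t last_data_off;

/* Same constructed header through the hardened parser: 0 = accepted, -1 = rejected. */
static int hardened_parse_demo(uint16_t claimed_name_len)
{
    static uint8_t hdr[LFH_FIXED_SIZE + NAME_BUF_SIZE];
    size_t len = build_lfh(hdr, sizeof hdr, "a.txt", claimed_name_len, (const uint8_t *)"hi", 2);
    return parse_local_header(hdr, len, last_name, sizeof last_name, &last_data_off);
}

int main(void)
{
    printf("vulnerable: name_len=0xdddd writes NUL at buffer+0x%lx\n", vulnerable_nul_offset(0xdddd));
    printf("hardened:   name_len=5      -> %d (%s)\n", hardened_parse_demo(5), last_name);
    printf("hardened:   name_len=0xdddd -> %d\n", hardened_parse_demo(0xdddd));
    printf("hardened:   name_len=200    -> %d (claims more name than input holds)\n", hardened_parse_demo(200));
    return 0;
}
```

The hardened version rejects the hostile header twice over: once because `name_len + 1` does not fit the destination, and once because the claimed name would run past the end of the input. Doing the arithmetic in `uint64_t` also keeps the sum of the 16-bit and 32-bit length fields from wrapping on a 32-bit build, which is the same class of mistake as trusting the WORD at 0x1a.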




--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"