====================================================================== Secunia Research 15/09/2005 - Ahnlab V3 Antivirus Multiple Vulnerabilities - ====================================================================== Table of Contents Affected Software....................................................1 Severity.............................................................2 Description of Vulnerability.........................................3 Solution.............................................................4 Time Table...........................................................5 Credits..............................................................6 References...........................................................7 About Secunia........................................................8 Verification.........................................................9 ====================================================================== 1) Affected Software AhnLab V3Pro 2004 (Build 6.0.0.383) AhnLab V3 VirusBlock 2005 (Build 6.0.0.383) AhnLab V3Net for Windows Server 6.0 (Build 6.0.0.383) Prior versions may also be affected. ====================================================================== 2) Severity Rating: Highly critical Impact: System access Privilege escalation Security bypass Where: Remote ====================================================================== 3) Description of Vulnerability Secunia research has discovered some vulnerabilities in AhnLab V3 Antivirus, which can be exploited by malicious, local users to gain escalated privileges, or by malicious people to compromise a vulnerable system. 1) The real-time scan driver, v3flt2k.sys, does not validate the source of received "DeviceIoControl()" commands. This can be exploited by non-administrative users to run explorer.exe with SYSTEM privileges, or to disable the real-time scan engine, via specially crafted DeviceIoControl requests. 2) A boundary error in the ACE archive decompression library can be exploited to cause a stack-based buffer overflow when a malicious ACE archive containing a compressed file with an overly long filename is scanned. Successful exploitation allows execution of arbitrary code, but requires that compressed file scanning is enabled. 3) A directory traversal error in the archive decompression library can be exploited to write files to arbitrary directories when a malicious archive containing compressed files with directory traversal sequences in their filenames is scanned. Vulnerability #2 and #3 are related to: SA14359 ====================================================================== 4) Solution Update to version 6.0.0.457 via online update. ====================================================================== 5) Time Table 15/06/2005 - Initial vendor notification. 16/06/2005 - Initial vendor response. 12/08/2005 - Received patch for testing. 15/08/2005 - Notified vendor of vulnerabilities in ACE archive handling. 31/08/2005 - Received patch for testing. 15/09/2005 - Public disclosure. ====================================================================== 6) Credits Discovered by Tan Chew Keong, Secunia Research. ====================================================================== 7) References AhnLab: http://info.ahnlab.com/english/advisory/01.html ====================================================================== 8) About Secunia Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/ Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration. Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/ ====================================================================== 9) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2005-17/advisory/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ======================================================================