AhnLab AntiVirus Remote Kernel Memory Corruption

Sowhat of Nevis Labs
HTTP://www.nevisnetworks.com
http://secway.org/advisory/AD20071116.txt

Vendor: AhnLab Inc.

Affected: AhnLab Antivirus V3 Internet Security 2008
Other versions may be vulnerable too.
This vulnerability has been confirmed on AhnLab V3 Internet Security 2008 Platinum.

Vendor Response:
2007.11.10 Vendor notified via asec@ahnlab.com
2007.11.13 Vendor replied: "Before we received your e-mail, we fixed the vulnerability on the 9th of November"
2007.11.16 Release of this advisory

Details:

There is a vulnerability in AhnLab Antivirus which allows an attacker to cause a BSOD (Blue Screen Of Death) or, potentially, arbitrary code execution. This vulnerability can be exploited by persuading a user to visit a website.

While parsing a .ZIP file, the AhnLab Antivirus library does not properly check the value of a certain header field, which results in a remote kernel memory corruption.

The ZIP file format, local file header:

Offset  Length     Contents
0       4 bytes    Local file header signature (0x04034b50)
4       2 bytes    Version needed to extract
6       2 bytes    General purpose bit flag
8       2 bytes    Compression method
10      2 bytes    Last mod file time
12      2 bytes    Last mod file date
14      4 bytes    CRC-32
18      4 bytes    Compressed size (n)
22      4 bytes    Uncompressed size
26      2 bytes    Filename length (f)
28      2 bytes    Extra field length (e)
        (f) bytes  Filename
        (e) bytes  Extra field
        (n) bytes  Compressed data

The field at offset 26 (0x1a) is the "Filename length". AhnLab AV copies the file name and then adds a NULL byte at the end of the filename. However, the NULL byte is stored at the position given by the WORD value read from offset 0x1a, and that value is not properly validated:

kd> r
eax=0000dddd ebx=8162f340 ecx=e1dade60 edx=e1dac060 esi=815a54f8 edi=e1dac054
eip=f72df075 esp=f8063834 ebp=f8063848 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
v3engine+0xb4075:
f72df075 c6040100        mov     byte ptr [ecx+eax],0

The value in AX is read directly from the zip file and is controlled by the attacker.
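As an added illustration (not code from the advisory or from AhnLab), a bounds-checked local file header parser in C: the filename length read from offset 26 is validated against both the destination buffer and the input before it is used as the index for the terminating NUL write, and a header carrying the advisory's 0xdddd length is rejected. NAME_BUF, the function names and the constructed sample header are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LFH_SIG       0x04034b50u   /* local file header signature */
#define LFH_FIXED_LEN 30            /* fixed part of the header, before the filename */
#define NAME_BUF      256           /* hypothetical fixed-size destination buffer */

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one local file header from buf[0..len) and copy its filename,
 * NUL-terminated, into out. Returns 0 on success, negative on rejection.
 * The filename length (offset 26) is attacker controlled: it must be
 * checked against the destination buffer and the input before it is
 * used as the index for the terminating NUL write. */
int parse_local_header(const uint8_t *buf, size_t len,
                       char out[NAME_BUF], size_t *name_len) {
    if (len < LFH_FIXED_LEN)      return -1;   /* truncated header */
    if (rd32(buf) != LFH_SIG)     return -2;   /* not a local file header */
    uint16_t f = rd16(buf + 26);               /* filename length */
    uint16_t e = rd16(buf + 28);               /* extra field length */
    if (f >= NAME_BUF)            return -3;   /* no room for name + NUL */
    if ((size_t)LFH_FIXED_LEN + f + e > len)
                                  return -4;   /* name/extra exceed input */
    memcpy(out, buf + LFH_FIXED_LEN, f);
    out[f] = '\0';   /* the [buffer + f] write; f is now bounded */
    *name_len = f;
    return 0;
}

/* Build a minimal local file header (constructed sample: stored method,
 * no data). name_len_field may deliberately disagree with strlen(name) to
 * model a malformed archive. Returns the number of bytes written. */
size_t build_local_header(uint8_t *out, const char *name,
                          uint16_t name_len_field) {
    size_t n = strlen(name);
    memset(out, 0, LFH_FIXED_LEN);
    out[0] = 0x50; out[1] = 0x4b; out[2] = 0x03; out[3] = 0x04; /* "PK\3\4" */
    out[4] = 20;                                   /* version needed: 2.0 */
    out[26] = (uint8_t)(name_len_field & 0xff);
    out[27] = (uint8_t)(name_len_field >> 8);
    memcpy(out + LFH_FIXED_LEN, name, n);
    return LFH_FIXED_LEN + n;
}
```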
This results in a limited arbitrary memory overwrite: a NULL byte is written to an attacker-influenced address. By storing a null byte at an arbitrary memory location, it may be possible to produce exploitation conditions.

The vulnerability can be exploited remotely, by sending an email or by convincing the victim to visit an attacker-controlled website. If the AhnLab user's Real Time Protection is enabled (this is the default setting), a KERNEL memory corruption occurs, which results in a BSOD or kernel code execution.

--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"