Secunia Research: Ahnlab V3 Antivirus Multiple Vulnerabilities

To: full-disclsoure@xxxxxxxxxxxxxxxxx
Subject: Secunia Research: Ahnlab V3 Antivirus Multiple Vulnerabilities
From: Secunia Research <vuln@xxxxxxxxxxx>
Date: Thu, 15 Sep 2005 14:22:48 +0200
Cc: bugtraq@xxxxxxxxxxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

====================================================================== 

                     Secunia Research 15/09/2005

          - Ahnlab V3 Antivirus Multiple Vulnerabilities -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

====================================================================== 
1) Affected Software 

AhnLab V3Pro 2004 (Build 6.0.0.383)
AhnLab V3 VirusBlock 2005 (Build 6.0.0.383)
AhnLab V3Net for Windows Server 6.0 (Build 6.0.0.383)

Prior versions may also be affected.

====================================================================== 
2) Severity 

Rating: Highly critical
Impact: System access
        Privilege escalation
        Security bypass
Where:  Remote

====================================================================== 
3) Description of Vulnerability

Secunia research has discovered some vulnerabilities in AhnLab V3
Antivirus, which can be exploited by malicious, local users
to gain escalated privileges, or by malicious people to compromise a 
vulnerable system.

1) The real-time scan driver, v3flt2k.sys, does not validate the
source of received "DeviceIoControl()" commands. This can be
exploited by non-administrative users to run explorer.exe with
SYSTEM privileges, or to disable the real-time scan engine, via 
specially crafted DeviceIoControl requests. 

2) A boundary error in the ACE archive decompression library can be
exploited to cause a stack-based buffer overflow when a malicious
ACE archive containing a compressed file with an overly long 
filename is scanned.

Successful exploitation allows execution of arbitrary code, but
requires that compressed file scanning is enabled.

3) A directory traversal error in the archive decompression library
can be exploited to write files to arbitrary directories when a
malicious archive containing compressed files with directory
traversal sequences in their filenames is scanned.

Vulnerability #2 and #3 are related to:
SA14359

====================================================================== 
4) Solution 

Update to version 6.0.0.457 via online update.

====================================================================== 
5) Time Table 

15/06/2005 - Initial vendor notification.
16/06/2005 - Initial vendor response.
12/08/2005 - Received patch for testing.
15/08/2005 - Notified vendor of vulnerabilities in ACE archive
             handling.
31/08/2005 - Received patch for testing.
15/09/2005 - Public disclosure.

====================================================================== 
6) Credits 

Discovered by Tan Chew Keong, Secunia Research.

====================================================================== 
7) References

AhnLab:
http://info.ahnlab.com/english/advisory/01.html

====================================================================== 
8) About Secunia 

Secunia collects, validates, assesses, and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 

http://secunia.com/

Secunia offers services to our customers enabling them to receive all 
relevant vulnerability information to their specific system 
configuration. 

Secunia offers a FREE mailing list called Secunia Security Advisories: 

http://secunia.com/secunia_security_advisories/

====================================================================== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-17/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

Prev by Date: [SECURITY] [DSA 814-1] New lm-sensors packages fix insecure temporary file
Next by Date: Digital Scribe v1.4 Login Bypass / SQL injection / remote code execution
Previous by thread: [SECURITY] [DSA 814-1] New lm-sensors packages fix insecure temporary file
Next by thread: Digital Scribe v1.4 Login Bypass / SQL injection / remote code execution
Index(es):
- Date
- Thread