======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9
======================================================================
3) Description of Vulnerability
Secunia research has discovered some vulnerabilities in AhnLab V3
Antivirus, which can be exploited by malicious, local users
to gain escalated privileges, or by malicious people to compromise a
vulnerable system.
1) The real-time scan driver, v3flt2k.sys, does not validate the
source of received "DeviceIoControl()" commands. This can be
exploited by non-administrative users to run explorer.exe with
SYSTEM privileges, or to disable the real-time scan engine, via
specially crafted DeviceIoControl requests.
2) A boundary error in the ACE archive decompression library can be
exploited to cause a stack-based buffer overflow when a malicious
ACE archive containing a compressed file with an overly long
filename is scanned.
Successful exploitation allows execution of arbitrary code, but
requires that compressed file scanning is enabled.
3) A directory traversal error in the archive decompression library
can be exploited to write files to arbitrary directories when a
malicious archive containing compressed files with directory
traversal sequences in their filenames is scanned.
======================================================================
5) Time Table
15/06/2005 - Initial vendor notification.
16/06/2005 - Initial vendor response.
12/08/2005 - Received patch for testing.
15/08/2005 - Notified vendor of vulnerabilities in ACE archive
handling.
31/08/2005 - Received patch for testing.
15/09/2005 - Public disclosure.
======================================================================
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:
http://secunia.com/
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
Secunia Research 15/09/2005
- Ahnlab V3 Antivirus Multiple Vulnerabilities -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9
======================================================================
1) Affected Software
AhnLab V3Pro 2004 (Build 6.0.0.383)
AhnLab V3 VirusBlock 2005 (Build 6.0.0.383)
AhnLab V3Net for Windows Server 6.0 (Build 6.0.0.383)
Prior versions may also be affected.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Privilege escalation
Security bypass
Where: Remote
======================================================================
3) Description of Vulnerability
Secunia research has discovered some vulnerabilities in AhnLab V3
Antivirus, which can be exploited by malicious, local users
to gain escalated privileges, or by malicious people to compromise a
vulnerable system.
1) The real-time scan driver, v3flt2k.sys, does not validate the
source of received "DeviceIoControl()" commands. This can be
exploited by non-administrative users to run explorer.exe with
SYSTEM privileges, or to disable the real-time scan engine, via
specially crafted DeviceIoControl requests.
2) A boundary error in the ACE archive decompression library can be
exploited to cause a stack-based buffer overflow when a malicious
ACE archive containing a compressed file with an overly long
filename is scanned.
Successful exploitation allows execution of arbitrary code, but
requires that compressed file scanning is enabled.
3) A directory traversal error in the archive decompression library
can be exploited to write files to arbitrary directories when a
malicious archive containing compressed files with directory
traversal sequences in their filenames is scanned.
Vulnerability #2 and #3 are related to:
SA14359
======================================================================
4) Solution
Update to version 6.0.0.457 via online update.
======================================================================
5) Time Table
15/06/2005 - Initial vendor notification.
16/06/2005 - Initial vendor response.
12/08/2005 - Received patch for testing.
15/08/2005 - Notified vendor of vulnerabilities in ACE archive
handling.
31/08/2005 - Received patch for testing.
15/09/2005 - Public disclosure.
======================================================================
6) Credits
Discovered by Tan Chew Keong, Secunia Research.
======================================================================
7) References
AhnLab:
http://info.ahnlab.com/english/advisory/01.html
======================================================================
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:
http://secunia.com/
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/
======================================================================
9) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-17/advisory/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
[ reply ]