AhnLab AntiVirus Remote Kernel Memory Corruption Nov 16 2007 03:12PM
Sowhat (smaillist gmail com)
AhnLab AntiVirus Remote Kernel Memory Corruption

Sowhat of Nevis Labs

AhnLab Inc.


AhnLab Antivirus V3 Internet Security 2008
The other version maybe vulnerable too.

This vulnerability has been confirmed on AhnLab V3 Internet Security
2008 Platinum.

Vendor Response:

2007.11.10 Vendor notified via asec (at) ahnlab (dot) com [email concealed]
2007.11.13 Vendor replied: "Before we received your e-mail, we fixed
the vulnerability on the 9th of November"
2007.11.16 Release this advisory


There is a vulnerability in AhnLab Antivirus, which allows an attacker
to cause a BSOD(Blue Screen Of Death), or, potentially arbitrary code execution.

This vulnerability can be exploited By persuading a user to a website.

While parsing the .ZIP file, AhnLab Antivirus Library does not
properly check the value of
certain field, thus result into a remote Kernel memory corruption.

The ZIP file format:

Local file header:
Offset Length Contents
0 4 bytes Local file header signature (0x04034b50)
4 2 bytes Version needed to extract
6 2 bytes General purpose bit flag
8 2 bytes Compression method
10 2 bytes Last mod file time
12 2 bytes Last mod file date
14 4 bytes CRC-32
18 4 bytes Compressed size (n)
22 4 bytes Uncompressed size
26 2 bytes Filename length (f)
28 2 bytes Extra field length (e)
(f)bytes Filename
(e)bytes Extra field
(n)bytes Compressed data

the offset at 26(0x1a) is the "Filename length".

AhnLab AV will copy the file name and then add a NULL byte at the end
the filename.
However, the NULL bytes will be stored according the WORD value read
from the offset 0x1a.

kd> r
eax=0000dddd ebx=8162f340 ecx=e1dade60 edx=e1dac060 esi=815a54f8 edi=e1dac054
eip=f72df075 esp=f8063834 ebp=f8063848 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
f72df075 c6040100 mov byte ptr [ecx+eax],0

The AX is directly read from the zip file and it is controlled by the attacker.

This results into a Limited arbitrary memory address NULL bytes overwritten.
By storing a null byte to an arbitrary memory location, it might be able to
produce exploitation conditions.

The vulnerability can be exploited remotely, by sending Email or
convince the victim
visit attacker controlled website. If the AhnLab users Real Time
Protection is enabled (This
is the default setting), there will be a KERNEL memory corruption.
which will result into
a BSOD or kernel code execution.

"Life is like a bug, Do you know how to exploit it ?"

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus