
AhnLab V3 Antivirus Archive Handling Buffer Overflow (ALZ/UUE/XXE)
Tuesday, 18 October 2005
Summary
AhnLab V3 is "a full-featured security solution that provides complete protection to your computer against different types of malicious codes such as viruses, Internet worms, and Trojan horses".

Due to a lack of proper bounds checking in AhnLab V3, an attacker can use ALZ, UUE or XXE archives to run arbitrary code on a vulnerable machine.

Credit:
The original article can be found at: http://secunia.com/advisories/16851/

Details
Vulnerable Systems:
* AhnLab V3Pro 2004 (V3 VirusBlock 2005 international) (Build 6.0.0.457)
* AhnLab V3Net for Windows Server 6.0 (Build 6.0.0.457)
* AhnLab MyV3 with AzMain.dll version 1.3.11.15

Secunia Research has discovered a vulnerability in AhnLab V3 Antivirus, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused by a boundary error in the archive decompression library when reading the filename of a compressed file from an ALZ, UUE or XXE archive. This can be exploited to cause a stack-based buffer overflow (ALZ), or a heap-based buffer overflow (UUE/XXE), when a malicious ALZ/UUE/XXE archive is scanned.

Successful exploitation allows arbitrary code execution, but requires that compressed file scanning is enabled.
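
The class of check whose absence is described above, shown as an added example for the `begin <mode> <filename>` header line of a uuencoded file. This is not AhnLab's code or part of the original advisory; the function name `parse_begin_line` and the buffer sizes are assumptions made for illustration.

```c
#include <string.h>

/* Illustrative parser (hypothetical, not vendor code) for a uuencode
 * header line: "begin <mode> <filename>".
 * Returns 0 and fills out[] on success, -1 on malformed or oversized
 * input. out_size is the full capacity of out, including the NUL. */
int parse_begin_line(const char *line, size_t line_len,
                     char *out, size_t out_size)
{
    static const char prefix[] = "begin ";
    const size_t plen = sizeof(prefix) - 1;
    size_t i, start, end, name_len;

    if (line == NULL || out == NULL || out_size == 0)
        return -1;
    if (line_len < plen || memcmp(line, prefix, plen) != 0)
        return -1;

    /* Mode: 3 or 4 octal digits followed by exactly one space. */
    i = plen;
    while (i < line_len && line[i] >= '0' && line[i] <= '7')
        i++;
    if (i - plen < 3 || i - plen > 4 || i >= line_len || line[i] != ' ')
        return -1;
    start = i + 1;

    /* Filename runs to end of line; strip trailing CR/LF. */
    end = line_len;
    while (end > start && (line[end - 1] == '\n' || line[end - 1] == '\r'))
        end--;
    name_len = end - start;
    if (name_len == 0)
        return -1;

    /* The bounds check: the length taken from the archive is compared
     * with the destination capacity BEFORE any byte is copied. An
     * oversized name is rejected, never truncated or copied blindly. */
    if (name_len >= out_size)
        return -1;
    /* An embedded NUL would make later string handling disagree
     * with name_len, so treat it as malformed. */
    if (memchr(line + start, '\0', name_len) != NULL)
        return -1;

    memcpy(out, line + start, name_len);
    out[name_len] = '\0';
    return 0;
}
```

The same rule applies whether the destination is on the stack or the heap: the attacker-controlled length must be validated against the real capacity of the buffer it is copied into.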

Solution:
AhnLab V3Pro 2004 (V3 VirusBlock 2005 international): Update to version 6.0.0.488 via Smart Update.
AhnLab V3Net for Windows Server 6.0: Update to version 6.0.0.488 via Smart Update.
AhnLab MyV3: The vulnerability has reportedly been fixed on the vendor's Korean MyV3 website.

Disclosure Timeline:
19/09/2005 - Initial vendor notification.
20/09/2005 - Initial vendor response.
13/10/2005 - Vendor releases advisory.
13/10/2005 - Public disclosure.

Vendor Status:
The vendor has issued an advisory, which can be found at: http://global.ahnlab.com/security/security_advisory002.html
 