From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: Thu Jun 21 2001 - 03:48:53 CDT

    Hello,

    Topic: Format string vulnerability in KAV* for sendmail
    Author: 3APA3A <3APA3A@security.nnov.ru>
    Affected Software: KAV for sendmail 3.5.135.2
    Vendor: Kaspersky Lab
    Vendor Notified: 30 May 2001
    Risk: Average/High depending on configuration
    Remotely Exploitable: Yes
    Impact: DoS/Remote code execution
    Released: 06 June 2001
    Vendor URL: http://www.kaspersky.com
    SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories

     *KAV = "Kaspersky AntiVirus" formerly known as AVP.

    Background:

    KAV for sendmail is an antiviral product of Kaspersky Lab's KAV suite
    (formerly known as AVP), one of very few commercially available
    multiplatform antiviral products for servers, workstations, CVP
    firewalls and messaging systems (Exchange, Lotus, Sendmail, QMail,
    Postfix) under DOS, Windows 95/98/ME/NT/2000, OS/2, Linux, FreeBSD,
    BSDI and soon for Solaris (feel free to contact support@kaspersky.com
    if you need it for a different platform).

    Problem:

    While testing this software with the permission of Kaspersky Lab, a
    format string bug was found in a syslog() call in the avpkeeper

     /usr/local/share/AVP/avpkeeper/avpkeeper

    utility, which is launched from sendmail to scan and disinfect messages.

    Impact:

    Intruders can cause a Denial of Service and can potentially execute code
    remotely with root or group mail privileges, depending on the sendmail
    installation (code execution is not trivial, if possible at all, because
    the format string must conform to RFC 821/2821 e-mail address
    requirements to bypass sendmail).
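As an added example (not code from the advisory, from avpkeeper or from Kaspersky Lab, whose source is not available), the following C shows the bug class described above: a syslog() call that takes attacker-influenced text as its format argument, next to the hardened form that passes the text as a %s argument, plus a small check a mail gateway or log monitor can use to flag envelope addresses that carry printf directives. The function names, the log message text and the sample addresses are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/*
 * Vulnerable pattern (the class of bug the advisory reports in avpkeeper;
 * a reconstruction, since the real avpkeeper source is not available):
 *
 *     syslog(LOG_INFO, sender);        // sender comes from the SMTP envelope
 *
 * Any %-directive in sender is interpreted by the printf engine inside
 * syslog(): %s/%x read from the stack, %n writes to memory.
 */

/* Hardened form: constant format string, untrusted text only as a %s
 * argument. Every '%' in sender is copied literally into the log line. */
int render_log_line(char *out, size_t outlen, const char *sender)
{
    return snprintf(out, outlen, "avpkeeper: scanning mail from %s", sender);
}

void log_sender_safe(const char *sender)
{
    char line[512];
    render_log_line(line, sizeof line, sender);
    syslog(LOG_INFO, "%s", line);   /* the line is data, never a format */
}

/* Count printf directives (%[flags][width][.prec][length]conv) in an
 * untrusted string. "%%" is a literal percent and does not count. A
 * non-zero result inside an e-mail address is not something legitimate
 * mail produces, so a gateway or log monitor can alert on it. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        const char *q = p + 1;
        if (*q == '%') {                 /* escaped percent */
            p = q;
            continue;
        }
        while (*q && strchr("-+ #0", *q)) q++;                           /* flags */
        while (*q && (isdigit((unsigned char)*q) || *q == '*' || *q == '$')) q++; /* width, positional */
        if (*q == '.') {                                                 /* precision */
            q++;
            while (*q && (isdigit((unsigned char)*q) || *q == '*')) q++;
        }
        while (*q && strchr("hlLqjzt", *q)) q++;                         /* length modifier */
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) {                    /* conversion */
            n++;
            p = q;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample envelope senders, not captured traffic. */
    const char *samples[] = { "user@example.com", "%x%x%x%n@example.com" };
    char line[128];
    for (size_t i = 0; i < 2; i++) {
        render_log_line(line, sizeof line, samples[i]);
        printf("%d directive(s): %s\n", count_format_directives(samples[i]), line);
    }
    return 0;
}
```

The detection function is deliberately stricter than a plain search for '%', because a bare percent sign or "%%" is harmless to printf; only a percent followed by a valid conversion reaches the dangerous path. The hardened wrapper is the actual fix: once the format is a constant, the content of the address no longer matters to syslog().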

    Vendor:

    Kaspersky Lab was contacted on May 30. A patched version was delivered
    within 24 hours, but no alerts were sent to users and no fixes were made
    available for public download. The vendor was also informed of a few
    potential local race conditions with mktemp()/mkdtemp().

    Workaround:

    Disable syslog. In avpkeeper.ini set
     usesyslog=no

    Solution:

    Since AVP for Unix products are not open source and are not available
    for free download, please contact support@kaspersky.com to get patches
    for the registered version of KAV/AVP or to get a demo version for testing.

    This advisory is being provided to you under the policy documented at
    http://www.wiretrip.net/rfp/policy.html.

    -- 
    http://www.security.nnov.ru
             /\_/\
            { . . }     |\
    +--oQQo->{ ^ }<-----+ \
    |  3APA3A  U  3APA3A   }
    +-------------o66o--+ /
                        |/
    You know my name - look up my number (The Beatles)