OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[SA15674] Ahnlab V3 Antivirus Multiple Vulnerabilities

From: Secunia Security Advisories (sec-advsecunia.com)
Date: Thu Sep 15 2005 - 11:23:48 CDT


----------------------------------------------------------------------

Bist Du interessiert an einem neuen Job in IT-Sicherheit?

Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT-
Sicherheit:
http://secunia.com/secunia_vacancies/

----------------------------------------------------------------------

TITLE:
Ahnlab V3 Antivirus Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA15674

VERIFY ADVISORY:
http://secunia.com/advisories/15674/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Privilege escalation, System access

WHERE:
From remote

SOFTWARE:
AhnLab V3 VirusBlock 2005
http://secunia.com/product/5701/
AhnLab V3Net for Windows Server 6.x
http://secunia.com/product/5700/
AhnLab V3Pro
http://secunia.com/product/5699/

DESCRIPTION:
Secunia research has discovered some vulnerabilities in AhnLab V3
Antivirus, which can be exploited by malicious, local users to gain
escalated privileges, or by malicious people to compromise a
vulnerable system.

1) The real-time scan driver, v3flt2k.sys, does not validate the
source of received "DeviceIoControl()" commands. This can be
exploited by non-administrative users to run explorer.exe with SYSTEM
privileges, or to disable the real-time scan engine, via specially
crafted DeviceIoControl requests,

2) A boundary error in the ACE archive decompression library can be
exploited to cause a stack-based buffer overflow when a malicious ACE
archive containing a compressed file with an overly long filename is
scanned.

Successful exploitation allows execution of arbitrary code, but
requires that compressed file scanning is enabled.

3) A directory traversal error in the archive decompression library
can be exploited to write files to arbitrary directories when a
malicious archive containing compressed files with directory
traversal sequences in their filenames is scanned.

Vulnerability #2 and #3 are related to:
SA14359

The vulnerabilities have been confirmed in the following products:
* AhnLab V3Pro 2004 (Build 6.0.0.383)
* AhnLab V3 VirusBlock 2005 (Build 6.0.0.383)
* AhnLab V3Net for Windows Server 6.0 (Build 6.0.0.383)

SOLUTION:
Update to version 6.0.0.457 via online update.

PROVIDED AND/OR DISCOVERED BY:
Tan Chew Keong, Secunia Research

ORIGINAL ADVISORY:
AhnLab:
http://info.ahnlab.com/english/advisory/01.html

Secunia Research:
http://secunia.com/secunia_research/2005-17/advisory/

OTHER REFERENCES:
SA14359:
http://secunia.com/advisories/14359/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories

----------------------------------------------------------------------