RE: Norton AntiVirus Denial Of Service Vulnerability [Part: !!!]

["DaiTengu" <daitengu () war-ensemble com>]

Bipin Gautam wrote:
> Norton AntiVirus Denial Of Service Vulnerability [Part: !!!]
>
> *vulnerable [...only tested on!]
>
> Symantec Norton AntiVirus 2003 Professional Edition Symantec Norton
> AntiVirus 2002 
>
> *not vulnerable
> Mcafee 7*
> Mcafee 8*
>
> Risk Impact: Medium
> Remote: yes
>
> Description:
> While having a virus scan [automatic/manual] of some specially
> crafted compressed files; NAV triggers a DoS using 100% CPU for a
> very long time. Morover, NAV is unable to stop the scan in middle,
> even if the user wishes to manually stop the virus scan. Then, in
> this situation the only alternate is to kill the process. --- [Proof
> of Concept] ---    
> Please download this file.
>
>  http://www.geocities.com/visitbipin/av_bomb_3.zip         <---  For
> symantec. 
>
>  http://www.geocities.com/visitbipin/EXTRACTit1st.zip      <--- A
> bzip2 file, test it on other AV products, too. 
>
> The file contains, 'EICAR Test String' burried in 49647 directories.
> This is just a RAW 'proof of concept'. A few 100kb's of compressed
> file could be crafted in a way... NAV will take hours or MIGHT even
> days to complete the scan causing 100% cup use in email gateways for
> hours. The compressed archive must not necessarily be a '.zip' to
> trigger this attack.     


Tested on Symantec Corporate 9.0 (338). Scaned the file in just under 10
seconds with no noticable CPU usage.

OS: Windows XP (SP2 RC2)