RE: Norton AntiVirus Remote Denial Of Service Vulnerability [Part: !!!_update]

["V. Poddubnyy" <vpoddubniy () mail ru>]

Hi!

Kaspersky AV Personal 5.0.142 looks like not vulnerable.

In default configuration (Maximum protection) it found EICAR-Test-File but
said that this type of archives cannot be repaired. (For both files.)

--
Best regards,
 Vladimir Poddubnyy

> -----Original Message-----
> From: Bipin Gautam [mailto:visitbipin () hotmail com] 
> Sent: Friday, July 09, 2004 4:31 PM
> To: vuln-dev () securityfocus com
> Subject: Norton AntiVirus Remote Denial Of Service 
> Vulnerability [Part: !!!_update]
>
>
>
> Norton AntiVirus Remote Denial Of Service Vulnerability 
> [Part: !!!_update]
>
> *vulnerable [...only tested on!]
>
> Symantec Norton AntiVirus 2003 Professional Edition Symantec 
> Norton AntiVirus 2002
>
> *not vulnerable
> Mcafee 7*
> Mcafee 8*
>
> Risk Impact: Medium
> Remote: yes
>
> Description:
> While having a virus scan [automatic/manual] of some 
> specially crafted compressed files; NAV triggers a DoS using 
> 100% CPU for a very long time. Morover, NAV is unable to stop 
> the scan in middle, even if the user wishes to manually stop 
> the virus scan. Then, in this situation the only alternate is 
> to kill the process. The problem doesn't lie within the NAV 
> virus scan engine; instead the problem lies within NAV file 
> repair engine!
> Well, within few seconds... after the AV scan have started 
> norton quickly scan's the infected file and smartly* skips 
> the empty folder within the zip archive! But after norton 
> detects virus in the archive it tries to delete the virus 
> within the archive, and re-create the un-infected/fresh 
> archive........ again!
> The problem triggers when NAV tries to re-create the 50000 
> empty folders and construct the archive. *ANY* av scanners 
> that autometically tries to delete the infected file and 
> re-create the archive should be vulnerable to this exploit!!!
> Note: mark the fact... in the "AutoProtect Menu" of the 
> option tab in Norton AV the option........
> *autometically repair the infected file <--- is set by default!
> you could temporarily be immune by this bug by setting the 
> option, *deny access to the infected file. 
> Did i just saved your MAIL SERVER???   (O; 
> The compressed archive mustn't necessarily be a zip archive 
> to trigger this attack. You could experiment this with other 
> archive types......
> --- [Proof of Concept] ---
> Please download this file.
>
>  http://www.geocities.com/visitbipin/av_bomb_3.zip         
> <---  For symantec.
>
>  http://www.geocities.com/visitbipin/EXTRACTit1st.zip      
> <--- A bzip2 file, test it on other AV products, too.
>
> The file contains, 'EICAR Test String' burried in 49647 
> directories. This is just a RAW 'proof of concept'. A few 
> 100kb's of compressed file could be crafted in a way... NAV 
> will take hours or MIGHT even days to complete the scan 
> causing 100% cup use in email gateways for hours. The 
> compressed archive must not necessarily be a '.zip' to 
> trigger this attack.
>  PLEASE: ...test this issue with other AV / trojan scanners 
> as they might also be vulnerable. 
>
> -----------
> Bipin Gautam
> http://www.geocities.com/visitbipin/
>
> Disclaimer: The information in the advisory is believed to be 
> accurate at the time of printing based on currently available 
> information. Use of the information constitutes acceptance 
> for use in an AS IS condition. There are no warranties with 
> regard to this information. Neither the author nor the 
> publisher accepts any liability for any direct, indirect or 
> consequential loss or damage arising from use of, or reliance 
> on this information.