[35318] in bugtraq


RE: Multiple Antivirus Scanners DoS attack.

daemon@ATHENA.MIT.EDU (Brian Christmas)
Wed Jun 16 17:49:41 2004

Date: Wed, 16 Jun 2004 06:02:12 -0400
Message-ID: <D8E31F31E72A1A46BDAE6D3FEDCD822DDCE9@dcroot.forwardtechnology.net>
From: "Brian Christmas" <bchristmas@forwardtechnology.net>
To: <bugtraq@securityfocus.com>

Hello,

Just tried this using PC-Cillin version 11.31 with def file of 1.905.00.


With default settings, real-time scan did not detect a virus in the zip
file.  Doing a manual scan hosed the PC.  Tried to kill the PC-Cillin
process but was unable to.

Next I tested by maxing out the scan layer for both manual and real-time
settings.  Real-time detected the EICAR virus but was unable to
quarantine or delete the file.  As for the manual scan it again hosed my
PC where the only thing I could do was a hard reboot.

Will test this on Trend Micro's Client/Server/Messaging next.


> -----Original Message-----
> From: bipin gautam [mailto:visitbipin@hotmail.com] 
> Sent: Monday, June 14, 2004 4:39 PM
> To: cert@cert.org; bugtraq@securityfocus.com
> Cc: wk@c4i.org; vulndiscuss@vulnwatch.org; 
> vulndiscuss-owner@vulnwatch.org
> Subject: Multiple Antivirus Scanners DoS attack.
> 
> Multiple Antivirus Scanners DoS attack.
> 
> --- [Vulnerable Products] ---
>       Only tested on...
> 
> * Norton Antivirus 2002
> * Norton Antivirus 2003
> * McAfee VirusScan 6
> * Network Associates (McAfee) VirusScan Enterprise 7.1
> * Windows XP default ZIP manager [reports wrong size of 
> compressed ZIP files.]
> 
> There have been multiple reports [Unconfirmed]
> 
> * F-Prot 4.4.2 for Linux
> * Panda Antivirus
> 
> are vulnerable.
> 
> 
> Risk Impact: Medium
> 
> --- [Details] ---
> 
> While running a manual scan of compressed files, several 
> antivirus, Trojan and spyware scanners suffer a DoS attack if 
> the software tries to completely extract the archive and scan 
> its content for a hostile file.
> 
> --- [Proof of Concept] ---
> Please download this file.
> http://www.geocities.com/visitbipin/SERVER_dwn.zip
> 
> Moreover, it's not safe to have the automatic 
> 'Quarantine/delete' option set for your AV scanner, as it may 
> try to quarantine the virus by extracting the archive.
> 
> -----------
> Bipin Gautam
> http://www.geocities.com/visitbipin/
> 
> Disclaimer: The information in the advisory is believed to be 
> accurate at the time of printing based on currently available 
> information. Use of the information constitutes acceptance 
> for use in an AS IS condition. There are no warranties with 
> regard to this information. Neither the author nor the 
> publisher accepts any liability for any direct, indirect or 
> consequential loss or damage arising from use of, or reliance 
> on this information.
> 
> 
> 
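
The failure described in this thread comes from a scanner extracting an archive completely before looking at it. The following is an added example, not part of either message above and not any vendor's code, of scanning ZIP members under a hard output budget; the function names and the limit values are assumptions chosen for illustration.

```python
import io
import zipfile

MAX_TOTAL_BYTES = 10 * 1024 * 1024  # assumed budget for all decompressed output
MAX_RATIO = 100                     # assumed ceiling on declared size ratio
CHUNK = 64 * 1024

class ArchiveRejected(Exception):
    """Raised when an archive would exceed the scanner's resource limits."""

def build_sample(members):
    """Build a constructed in-memory ZIP from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def scan_zip_bounded(data, scan_chunk, max_total=MAX_TOTAL_BYTES,
                     max_ratio=MAX_RATIO):
    """Stream each member to scan_chunk(name, chunk); return bytes scanned."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Early exit on the sizes declared in the central directory.
            # Those fields come from the archive author, so this is a cheap
            # filter and not the actual limit.
            if info.file_size > max_ratio * max(info.compress_size, 1):
                raise ArchiveRejected(f"{info.filename}: declared ratio too high")
            # Actual limit: count the bytes the decompressor really produces
            # and stop before handing over anything past the budget.
            with zf.open(info) as member:
                while chunk := member.read(CHUNK):
                    total += len(chunk)
                    if total > max_total:
                        raise ArchiveRejected(f"{info.filename}: output budget exceeded")
                    scan_chunk(info.filename, chunk)
    return total

if __name__ == "__main__":
    bomb = build_sample({"zeros.bin": b"\0" * (12 * 1024 * 1024)})  # constructed
    try:
        scan_zip_bounded(bomb, lambda name, chunk: None)
    except ArchiveRejected as exc:
        print("rejected:", exc)
```

A rejected archive is best reported as unscannable rather than clean, and the same budget applies to any quarantine or delete step that would otherwise unpack the file.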

