Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Norton AntiVirus Scanner Remote Denial Of ServiceVulnerability [Part: !!!]
From: bipin gautam <visitbipin () yahoo com>
Date: Thu, 8 Jul 2004 23:04:26 -0700 (PDT)

there was a mistake while uploading the file, Now the
link is fixed!!!


well, while scannng this archive NAV consumes 56MB of
memory..... crafting a bigger archive may consume more
memory!!!

ps: the archive is not password protected, under
certain condition some unzip utility... thinks a
archive is password protected even while the archive
isn't.  
------------
bipin gautam


--- "Peter B. Harvey (Information Security)"
<peterharvey () emergency qld gov au> wrote:

Could you please password protect it and email it to
me. Ill test on Trend Micro.

Peter

-----Original Message-----
From: bipin gautam [mailto:visitbipin () yahoo com]
Sent: Friday, July 09, 2004 10:40 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Norton AntiVirus Scanner
Remote Denial Of
ServiceVulnerability [Part: !!!]


Anti-Virus Scanner Remote Denial Of Service
Vulnerability [Part: !!!]

*vulnerable [...only tested on!]

Symantec Norton AntiVirus 2003 Professional Edition
Symantec Norton AntiVirus 2002

*not vulnerable
Mcafee 7*
Mcafee 8*

Risk Impact: Medium
Remote: yes

Description:
While having a virus scan [automatic/manual] of some
specially crafted compressed files; NAV triggers a
DoS
using 100% CPU for a very long time. Morover, NAV is
unable to stop the scan in middle, even if the user
wishes to manually stop the virus scan. Then, in
this
situation the only alternate is to kill the process.
--- [Proof of Concept] ---
Please download this file.

 http://www.geocities.com/visitbipin/av_bomb_3.zip  

    <---  For symantec.


http://www.geocities.com/visitbipin/EXTRACTit1st.zip
    <--- A bzip2 file, test it on other AV products,
too.

The file contains, 'EICAR Test String' burried in
49647 directories. This is just a RAW 'proof of
concept'. A few 100kb's of compressed file could be
crafted in a way... NAV will take hours or MIGHT
even
days to complete the scan causing 100% cup use in
email gateways for hours. The compressed archive
must
not necessarily be a '.zip' to trigger this attack.

I've decided not to contact SYMANTEC in any of my
advisories since their "security responce team" is
too
slow to responce any reported incidence.  PLEASE:
...test this issue with other AV / trojan scanners
as
they might also be vulnerable.

-----------
Bipin Gautam
http://www.geocities.com/visitbipin/

Disclaimer: The information in the advisory is
believed to be accurate at the time of printing
based
on currently available information. Use of the
information constitutes acceptance for use in an AS
IS
condition. There are no warranties with regard to
this
information. Neither the author nor the publisher
accepts any liability for any direct, indirect or
consequential loss or damage arising from use of, or
reliance on this information.


      
__________________________________
Do you Yahoo!?
Yahoo! Mail is new and improved - Check it out!
http://promotions.yahoo.com/new_mail

_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.netsys.com/full-disclosure-charter.html

This correspondence is for the named persons only.
It may contain confidential or privileged
information or both.
No confidentiality or privilege is waived or lost by
any mis transmission.
If you receive this correspondence in error please
delete it from your system immediately and notify
the sender.
You must not disclose, copy or relay on any part of
this correspondence, if you are not the intended
recipient.
Any opinions expressed in this message are those of
the individual sender except where the sender
expressly,
and with the authority, states them to be the
opinions of the Department of Emergency Services,
Queensland.




                
__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]