Hi!
Kaspersky AV Personal 5.0.142 looks like it is not vulnerable.
In the default configuration (Maximum protection) it found EICAR-Test-File but
said that this type of archive cannot be repaired. (For both files.)
--
Best regards,
Vladimir Poddubnyy
> -----Original Message-----
> From: Bipin Gautam [mailto:visitbipin_at_hotmail.com]
> Sent: Friday, July 09, 2004 4:31 PM
> To: vuln-dev_at_securityfocus.com
> Subject: Norton AntiVirus Remote Denial Of Service
> Vulnerability [Part: !!!_update]
>
>
>
> Norton AntiVirus Remote Denial Of Service Vulnerability
> [Part: !!!_update]
>
> *vulnerable [...only tested on!]
>
> Symantec Norton AntiVirus 2003 Professional Edition Symantec
> Norton AntiVirus 2002
>
> *not vulnerable
> Mcafee 7*
> Mcafee 8*
>
> Risk Impact: Medium
> Remote: yes
>
> Description:
> While having a virus scan [automatic/manual] of some
> specially crafted compressed files; NAV triggers a DoS using
> 100% CPU for a very long time. Moreover, NAV is unable to stop
> the scan in the middle, even if the user wishes to manually stop
> the virus scan. Then, in this situation the only alternative is
> to kill the process. The problem doesn't lie within the NAV
> virus scan engine; instead the problem lies within NAV file
> repair engine!
> Well, within a few seconds... after the AV scan has started
> Norton quickly scans the infected file and smartly* skips
> the empty folder within the zip archive! But after Norton
> detects virus in the archive it tries to delete the virus
> within the archive, and re-create the un-infected/fresh
> archive........ again!
> The problem triggers when NAV tries to re-create the 50000
> empty folders and construct the archive. *ANY* AV scanners
> that automatically try to delete the infected file and
> re-create the archive should be vulnerable to this exploit!!!
> Note: mark the fact... in the "AutoProtect Menu" of the
> option tab in Norton AV the option........
> *automatically repair the infected file <--- is set by default!
> You could temporarily be immune to this bug by setting the
> option, *deny access to the infected file.
> Did I just save your MAIL SERVER??? (O;
> The compressed archive mustn't necessarily be a zip archive
> to trigger this attack. You could experiment with this using other
> archive types......
> --- [Proof of Concept] ---
> Please download this file.
>
> http://www.geocities.com/visitbipin/av_bomb_3.zip
> <--- For symantec.
>
> http://www.geocities.com/visitbipin/EXTRACTit1st.zip
> <--- A bzip2 file, test it on other AV products, too.
>
> The file contains 'EICAR Test String' buried in 49647
> directories. This is just a RAW 'proof of concept'. A few
> 100kb's of compressed file could be crafted in a way... NAV
> will take hours or MIGHT even days to complete the scan
> causing 100% CPU use in email gateways for hours. The
> compressed archive must not necessarily be a '.zip' to
> trigger this attack.
> PLEASE: ...test this issue with other AV / trojan scanners
> as they might also be vulnerable.
>
> -----------
> Bipin Gautam
> http://www.geocities.com/visitbipin/
>
> Disclaimer: The information in the advisory is believed to be
> accurate at the time of printing based on currently available
> information. Use of the information constitutes acceptance
> for use in an AS IS condition. There are no warranties with
> regard to this information. Neither the author nor the
> publisher accepts any liability for any direct, indirect or
> consequential loss or damage arising from use of, or reliance
> on this information.
>
Received on Jul 12 2004
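
A gateway-side pre-check for the archive pattern described in the advisory, as an added example that is not part of either message: it reads only the zip central directory and routes archives with an abnormal entry count, empty-folder count or nesting depth to a deny/quarantine path instead of a repair path. The function name, verdict strings and limits are assumptions, and the sample archive is constructed.

```python
import io
import zipfile

def inspect_zip(data, max_entries=10000, max_empty_dirs=1000, max_depth=32):
    """Classify an archive from its central directory only; nothing is extracted.

    Limits are assumed policy values, not vendor defaults.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return "reject", {"reason": "unreadable zip"}

    dirs = {n for n in names if n.endswith("/")}
    # Every ancestor path of an entry is a folder that has content.
    parents = set()
    for n in names:
        parts = n.rstrip("/").split("/")
        parents.update("/".join(parts[:k]) + "/" for k in range(1, len(parts)))
    stats = {
        "entries": len(names),
        "empty_dirs": len(dirs - parents),
        "depth": max((n.rstrip("/").count("/") + 1 for n in names), default=0),
    }
    over = (stats["entries"] > max_entries
            or stats["empty_dirs"] > max_empty_dirs
            or stats["depth"] > max_depth)
    # "quarantine" = deny access and skip the repair/re-create step.
    return ("quarantine" if over else "scan"), stats

def _constructed_sample():
    """Constructed input: one harmless text file plus 20 empty folders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/readme.txt", "hello")
        for i in range(20):
            zf.writestr(f"pad{i:02d}/", "")
    return buf.getvalue()

SAMPLE = _constructed_sample()

if __name__ == "__main__":
    print(inspect_zip(SAMPLE))                      # normal policy
    print(inspect_zip(SAMPLE, max_empty_dirs=10))   # strict demo limit
```

The check covers zip only; other container formats need their own metadata reader with the same limits.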