Full Disclosure mailing list archives
RE: Norton AntiVirus Scanner Remote Denial Of Service Vulnerability [Part: !!!]
From: bipin gautam <visitbipin () yahoo com>
Date: Thu, 8 Jul 2004 23:04:26 -0700 (PDT)
there was a mistake while uploading the file, Now the link is fixed!!!

well, while scanning this archive NAV consumes 56MB of memory..... crafting a bigger archive may consume more memory!!!

ps: the archive is not password protected, under certain condition some unzip utility... thinks an archive is password protected even while the archive isn't.

------------
bipin gautam

--- "Peter B. Harvey (Information Security)" <peterharvey () emergency qld gov au> wrote:

Could you please password protect it and email it to me. I'll test on Trend Micro.

Peter

-----Original Message-----
From: bipin gautam [mailto:visitbipin () yahoo com]
Sent: Friday, July 09, 2004 10:40 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Norton AntiVirus Scanner Remote Denial Of Service Vulnerability [Part: !!!]

Anti-Virus Scanner Remote Denial Of Service Vulnerability [Part: !!!]

*vulnerable [...only tested on!]
Symantec Norton AntiVirus 2003 Professional Edition
Symantec Norton AntiVirus 2002

*not vulnerable
McAfee 7*
McAfee 8*

Risk Impact: Medium
Remote: yes

Description:
While having a virus scan [automatic/manual] of some specially crafted compressed files; NAV triggers a DoS using 100% CPU for a very long time. Moreover, NAV is unable to stop the scan in middle, even if the user wishes to manually stop the virus scan. Then, in this situation the only alternative is to kill the process.

--- [Proof of Concept] ---

Please download this file.
http://www.geocities.com/visitbipin/av_bomb_3.zip <--- For Symantec.
http://www.geocities.com/visitbipin/EXTRACTit1st.zip <--- A bzip2 file, test it on other AV products, too.

The file contains, 'EICAR Test String' buried in 49647 directories. This is just a RAW 'proof of concept'. A few 100kb's of compressed file could be crafted in a way... NAV will take hours or MIGHT even days to complete the scan causing 100% CPU use in email gateways for hours. The compressed archive must not necessarily be a '.zip' to trigger this attack.

I've decided not to contact SYMANTEC in any of my advisories since their "security response team" is too slow to respond to any reported incident.

PLEASE: ...test this issue with other AV / trojan scanners as they might also be vulnerable.

-----------
Bipin Gautam
http://www.geocities.com/visitbipin/

Disclaimer: The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on this information.
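A defender-side pre-scan gate for the failure mode reported in the advisory above (an archive with very deep directory nesting, or a small archive that expands heavily), as an added example that is not part of the original posts. The function names and limit values are assumptions, and it covers ZIP only, although the advisory notes that other archive formats can trigger the same behaviour.

```python
import io
import zipfile
from dataclasses import dataclass

@dataclass(frozen=True)
class Limits:                      # assumed policy values; tune per gateway
    max_entries: int = 10_000
    max_depth: int = 32
    max_total_bytes: int = 256 * 1024 * 1024
    max_ratio: float = 200.0       # declared uncompressed / compressed

def precheck_zip(data: bytes, limits: Limits = Limits()) -> list:
    """Return reasons to quarantine; an empty list means pass to the scanner.

    Reads only the central directory, so nothing is decompressed. Declared
    sizes can be forged, so the scanner still needs its own byte and time
    budget during extraction; this gate only rejects the obvious cases early.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return ["unparseable archive"]
    reasons = []
    depth = max((len([p for p in i.filename.split("/") if p]) for i in infos),
                default=0)
    total = sum(i.file_size for i in infos)
    packed = sum(i.compress_size for i in infos)
    if len(infos) > limits.max_entries:
        reasons.append(f"entries {len(infos)} > {limits.max_entries}")
    if depth > limits.max_depth:
        reasons.append(f"depth {depth} > {limits.max_depth}")
    if total > limits.max_total_bytes:
        reasons.append(f"declared size {total} > {limits.max_total_bytes}")
    if total / max(packed, 1) > limits.max_ratio:
        reasons.append(f"ratio {total / max(packed, 1):.0f} > {limits.max_ratio:.0f}")
    return reasons

def make_sample(path: str, payload: bytes) -> bytes:
    """Constructed test input: a one-entry zip built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(path, payload)
    return buf.getvalue()

if __name__ == "__main__":
    print(precheck_zip(make_sample("docs/readme.txt", b"hello world\n" * 10)))
    print(precheck_zip(make_sample("d/" * 40 + "f.txt", b"\0" * 1_000_000)))
```

On a mail gateway a non-empty result would route the attachment to quarantine before the scanner process is started, so a scan that cannot be cancelled is never begun.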