[NT] AhnLab V3 Antivirus Archive Handling Buffer Overflow (ALZ/UUE/XXE)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

AhnLab V3 Antivirus Archive Handling Buffer Overflow (ALZ/UUE/XXE)
------------------------------------------------------------------------

SUMMARY

<http://global.ahnlab.com/products/home_desktop.html> AhnLab V3 is "a
full-featured security solution that provides complete protection to your
computer against different types of malicious codes such as viruses,
Internet worms, and Trojan horses".

Due to lack of proper bounds check in AhnLab V3, an attacker can exploit
ALZ, UUE or XXE archives to run arbitrary code on a vulnerable machine.

DETAILS

Vulnerable Systems:
* AhnLab V3Pro 2004 (V3 VirusBlock 2005 international) (Build 6.0.0.457)
* AhnLab V3Net for Windows Server 6.0 (Build 6.0.0.457)
* AhnLab MyV3 with AzMain.dll version 1.3.11.15

Secunia Research has discovered a vulnerability in AhnLab V3 Antivirus,
which can be exploited by malicious people to compromise a vulnerable
system.

The vulnerability is caused due to a boundary error in the archive
decompression library when reading the filename of a compressed file from
an ALZ, UUE or XXE archive. This can be exploited to cause a stack-based
buffer overflow (ALZ), or a heap-based buffer overflow (UUE/XXE), when a
malicious ALZ/UUE/XXE archive is scanned.

Successful exploitation allows arbitrary code execution, but requires that
compressed file scanning is enabled.

Solution:
AhnLab V3Pro 2004 (V3 VirusBlock 2005 international): Update to version
6.0.0.488 via Smart Update.
AhnLab V3Net for Windows Server 6.0: Update to version 6.0.0.488 via Smart
Update.
AhnLab MyV3: The vulnerability has reportedly been fixed in the vendor's
Korean MyV3 website.

Disclosure Timeline:
19/09/2005 - Initial vendor notification.
20/09/2005 - Initial vendor response.
13/10/2005 - Vendor releases advisory.
13/10/2005 - Public disclosure.

Vendor Status:
The vendor has issued an advisory, which can be found at:
<http://global.ahnlab.com/security/security_advisory002.html>
http://global.ahnlab.com/security/security_advisory002.html

ADDITIONAL INFORMATION

The original article can be found at:
<http://secunia.com/advisories/16851/>
http://secunia.com/advisories/16851/

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.