SECURITY.NNOV: KAV (AVP) for sendmail format string vulnerability

From:	 3APA3A <3APA3A@SECURITY.NNOV.RU>
To:	 bugtraq@securityfocus.com
Subject: SECURITY.NNOV: KAV (AVP) for sendmail format string vulnerability
Date:	 Thu, 21 Jun 2001 12:48:53 +0400

Hello ,


Topic:                    Format string vulnerability in KAV* for sendmail
Author:                   3APA3A <3APA3A@security.nnov.ru>
Affected Software:        KAV for sendmail 3.5.135.2
Vendor:                   Kaspersky Lab
Vendor Notified:          30 May 2001
Risk:                     Average/High depending on configuration
Remotely Exploitable:     Yes
Impact:                   DoS/Remote code execution
Released:                 06 June 2001
Vendor URL:               http://www.kaspersky.com
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories

 *KAV = "Kaspersky AntiVirus" formerly known as AVP.

Background:

KAV  for  sendmail  is  antiviral  product of Kaspersky Lab's KAV suit
(formerly  known  as  AVP)  one  of  very  few  commercially available
multiplatform   antiviral  products  for  servers,  workstations,  CVP
Firewalls  and  messaging  systems  (Exchange, Lotus, Sendmail, QMail,
Postfix)  under  DOS,  Windows 95/98/ME/NT/2000, OS/2, Linux, FreeBSD,
BSDI  and soon for Solaris (feel free to contact support@kaspersky.com
if you need it for different platform).

Problem:

While  testing  this  software  by permission of Kaspersky Lab, format
string bug was found in syslog() call in avpkeeper

 /usr/local/share/AVP/avpkeeper/avpkeeper

utility, which is launched from sendmail to scan and desinfect messages.

Impact:

Intruders can cause Denial of Service and potentially can execute code
remotely  with  root  or  group mail privileges, depending on sendmail
installation  (code  execution  is  not  trivial, if possible, because
format string must conform RFC 821/2821 e-mail address requirements to
bypass sendmail).

Vendor:

Kaspersky  Lab was contacted on May, 30. Patched version was delivered
in  24  hours, but no alerts were sent to users and no fixes were made
available  for  public  download.  Vendor  was  also  informed  on few
potential local race conditions with mktemp()/mkdtemp().

Workaround:

Diasable syslog. In avpkeeper.ini set
 usesyslog=no

Solution:

Since  AVP for Unix products are not open source and are not available
for  free download please contact support@kaspersky.com to get patches
for registered version of KAV/AVP or to get demo version for testing.


This  advisory is being provided to you under the policy documented at
http://www.wiretrip.net/rfp/policy.html.


-- 
http://www.security.nnov.ru
         /\_/\
        { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  3APA3A  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)