AhnLab V3 Antivirus v3flt2k.sys scan driver privilege escalation

ahnlab-v3flt2k-gain-privilege (22297) The risk level is classified as High Risk

Description:

AhnLab V3 Antivirus could allow a local attacker to gain elevated privileges because of a vulnerability in the v3flt2k.sys scan driver. By sending a specially-crafted DeviceIoControl request, a local attacker could possibly disable the real-time scan engine and cause the user's Windows Explorer to run with SYSTEM level privileges.


Consequences:

Gain Privileges

Remedy:

Upgrade to the latest version of AhnLab V3 Antivirus (6.0.0.457 or later), as listed in ASEC Advisory SA-2005-001. See References.

References:

  • AhnLab V3Pro Web site: AhnLab V3Pro.
  • ASEC Advisory SA-2005-001: AhnLab V3 Compressed File Directory Traversal and Privilege Escalation Vulnerability.
  • BID-14844: Ahnlab V3 Antivirus ACE Archive Handling Remote Buffer Overflow Vulnerability
  • BID-14847: AEwebworks aeDating Search_Result.PHP SQL Injection Vulnerability
  • BID-14848: Ahnlab V3 Antivirus ACE Archive Handling Directory Traversal Vulnerability
  • BID-14850: Ahnlab V3 Antivirus Privilege Escalation Vulnerability
  • CVE-2005-2986: The v3flt2k.sys driver in AhnLab V3Pro 2004 Build 6.0.0.383, V3 VirusBlock 2005 Build 6.0.0.383, V3Net for Windows Server 6.0 Build 6.0.0.383 does not properly validate the source of the DeviceIoControl commands, which allows remote attackers to gain privileges.
  • CVE-2005-3029: Stack-based buffer overflow in AhnLab V3Pro 2004 build 6.0.0.383, V3 VirusBlock 2005 build 6.0.0.383, and V3Net for Windows Server 6.0 build 6.0.0.383 allows remote attackers to execute arbitrary code via a long filename in an ACE archive.
  • CVE-2005-3030: Directory traversal vulnerability in the archive decompression library in AhnLab V3Pro 2004 build 6.0.0.383, V3 VirusBlock 2005 build 6.0.0.383, and V3Net for Windows Server 6.0 build 6.0.0.383 allows remote attackers to write arbitrary files via a .. (dot dot) in the filename in a compressed archive.
  • SA15674: AhnLab V3 Antivirus Multiple Vulnerabilities

Platforms Affected:

  • AhnLab AhnLab V3 VirusBlock 2005 Build 6.0.0.383
  • AhnLab AhnLab V3Net for Windows Server 6.0 Build 6.0.0.383
  • AhnLab AhnLab V3Pro 2004 Build 6.0.0.383

Reported:

Sep 15, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
