Secunia

Secunia research has discovered some vulnerabilities in AhnLab V3 Antivirus, which can be exploited by malicious, local users to gain escalated privileges, or by malicious people to compromise a vulnerable system.

1) The real-time scan driver, v3flt2k.sys, does not validate the source of received "DeviceIoControl()" commands. This can be exploited by non-administrative users to run explorer.exe with SYSTEM privileges, or to disable the real-time scan engine, via specially crafted DeviceIoControl requests,

2) A boundary error in the ACE archive decompression library can be exploited to cause a stack-based buffer overflow when a malicious ACE archive containing a compressed file with an overly long filename is scanned.

Successful exploitation allows execution of arbitrary code, but requires that compressed file scanning is enabled.

3) A directory traversal error in the archive decompression library can be exploited to write files to arbitrary directories when a malicious archive containing compressed files with directory traversal sequences in their filenames is scanned.

Vulnerability #2 and #3 are related to:
SA14359

The vulnerabilities have been confirmed in Build 6.0.0.383 of the following products:
* AhnLab V3Pro 2004 (AhnLab V3 VirusBlock 2005 outside Korea)
* AhnLab V3Net for Windows Server 6.0

Solution
Update to version 6.0.0.457 via online update.

Provided and/or discovered by
Tan Chew Keong, Secunia Research

Changelog
Further details available in Customer Area

Original Advisory
AhnLab:
http://info.ahnlab.com/english/advisory/01.html

Secunia Research:
http://secunia.com/secunia_research/2005-17/advisory/

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area