CVE-2004-0934 in Sophosinfo

Summary

by MITRE

Kaspersky 3.x to 4.x allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.

If you want the best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 01/13/2025

The vulnerability described in CVE-2004-0934 represents a significant weakness in Kaspersky antivirus software versions 3.x through 4.x that allows remote attackers to circumvent security protections through a carefully crafted compressed file attack. This flaw specifically targets the decompression and file validation mechanisms within the antivirus scanning process, creating a pathway for malicious code to evade detection and execute on target systems. The vulnerability exploits a fundamental parsing error in how the software handles compressed file structures, particularly when encountering files with malformed headers that should normally trigger security alerts or prevent execution.

The technical implementation of this vulnerability involves creating a compressed file where both local and global headers are set to zero, a condition that should typically be rejected by proper decompression routines as it violates standard archive format specifications. However, Kaspersky 3.x through 4.x versions fail to properly validate these header values during the decompression process, allowing the malformed archive to pass through security checks. This particular flaw falls under the category of improper input validation and weak file format handling, which are commonly associated with CWE-20 (Improper Input Validation) and CWE-129 (Improper Validation of Array Index) in the Common Weakness Enumeration framework. The vulnerability demonstrates a classic case of insufficient sanitization of input data before processing, where the antivirus software fails to properly validate the integrity of compressed files before attempting to decompress them.

The operational impact of this vulnerability extends beyond a simple bypass of antivirus protection, as it provides an attack vector for delivering malware payloads through seemingly legitimate compressed files. Attackers can exploit this weakness to create malicious archives that appear to be normal compressed files but contain harmful code that executes when the target system attempts to decompress or access the contents. The vulnerability affects the core functionality of the antivirus software by undermining its ability to properly scan and validate file contents, potentially allowing attackers to establish persistent access to compromised systems. This type of attack aligns with the MITRE ATT&CK techniques T1059 (Command and Scripting Interpreter) and T1204 (User Execution), where attackers leverage file execution mechanisms to gain system access.

Mitigation strategies for this vulnerability require immediate software updates to patched versions of Kaspersky antivirus that properly validate compressed file headers and reject malformed archives. Organizations should implement additional layers of protection including network-based file scanning, content filtering, and strict file type restrictions to prevent execution of suspicious compressed files. System administrators should also consider implementing behavioral monitoring to detect unusual decompression activities and file access patterns that may indicate exploitation attempts. The vulnerability highlights the importance of comprehensive input validation and proper file format handling in security software, emphasizing that antivirus solutions must rigorously validate all input before processing to prevent similar bypass attacks. Organizations should also maintain awareness of similar vulnerabilities in other security products and ensure that their overall security posture includes multiple validation points to prevent single points of failure in malware detection mechanisms.
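The weakness described above and the mitigation advice that follows from it come down to one scanner design decision: what to do with an archive whose headers do not parse. The example below is added here and is not VulDB's analysis code nor anything from Kaspersky; it is a stand-alone Python illustration. `validate_zip` walks the ZIP end-of-central-directory record, every central directory header and the local file header each one points to, and fails closed when a signature is zero or otherwise wrong. `naive_verdict` is a hypothetical model of the fail-open pattern (an unparsable archive treated as "nothing to scan"), and `build_sample` constructs the two fixtures in memory: a well-formed archive and the same archive with its local and central directory headers zeroed, as the summary describes.

```python
"""Fail-closed structural validation of ZIP archives before content scanning.

Added example, not code from VulDB or from any antivirus product.
"""
import io
import struct
import zipfile

LOCAL_SIG = 0x04034B50    # "PK\x03\x04" local file header
CENTRAL_SIG = 0x02014B50  # "PK\x01\x02" central directory file header
EOCD_SIG = 0x06054B50     # "PK\x05\x06" end of central directory record


def validate_zip(data: bytes) -> dict:
    """Return {'verdict': 'scan' | 'reject', 'findings': [...]}.

    Any structural defect yields 'reject': the archive must not be passed
    through as clean merely because the decompressor cannot read it.
    """
    findings = []
    # The EOCD record is 22 bytes plus at most a 65535-byte comment.
    tail = data[-(22 + 0xFFFF):]
    pos = tail.rfind(struct.pack("<I", EOCD_SIG))
    if pos < 0:
        return {"verdict": "reject", "findings": ["no end-of-central-directory record"]}
    eocd = tail[pos:pos + 22]
    if len(eocd) < 22:
        return {"verdict": "reject", "findings": ["truncated end-of-central-directory record"]}
    (_, _, _, _, cd_count, cd_size, cd_offset, _) = struct.unpack("<IHHHHIIH", eocd)
    if cd_count == 0 or cd_offset + cd_size > len(data):
        return {"verdict": "reject", "findings": ["central directory count/offset out of range"]}

    off = cd_offset
    for i in range(cd_count):
        hdr = data[off:off + 46]
        if len(hdr) < 46:
            findings.append(f"entry {i}: truncated central directory header")
            break
        fields = struct.unpack("<IHHHHHHIIIHHHHHII", hdr)
        sig, name_len, extra_len, comment_len, local_off = (
            fields[0], fields[10], fields[11], fields[12], fields[16])
        if sig != CENTRAL_SIG:
            findings.append(f"entry {i}: central header signature {sig:#010x}, "
                            f"expected {CENTRAL_SIG:#010x}")
        # The local header referenced by the central directory must be well-formed too.
        lh = data[local_off:local_off + 30]
        if len(lh) < 30:
            findings.append(f"entry {i}: local header at {local_off} is truncated")
        else:
            lsig = struct.unpack_from("<I", lh, 0)[0]
            if lsig != LOCAL_SIG:
                findings.append(f"entry {i}: local header signature {lsig:#010x}, "
                                f"expected {LOCAL_SIG:#010x}")
        off += 46 + name_len + extra_len + comment_len
    return {"verdict": "reject" if findings else "scan", "findings": findings}


def naive_verdict(data: bytes) -> str:
    """Hypothetical fail-open scanner: whatever it cannot parse is passed as clean."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.namelist()
        return "scanned"
    except zipfile.BadZipFile:
        return "clean"  # the bug class: unparsable archive slips through unscanned


def hardened_verdict(data: bytes) -> str:
    """Fail-closed scanner: structural defects are quarantined, not ignored."""
    if validate_zip(data)["verdict"] == "reject":
        return "quarantine"
    return "scanned"


def build_sample(zero_headers: bool) -> bytes:
    """Constructed fixture: a one-entry archive, optionally with zeroed headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sample.txt", "constructed sample content\n")
    data = bytearray(buf.getvalue())
    if zero_headers:
        data[0:30] = b"\x00" * 30  # local file header sits at offset 0
        cd = data.find(struct.pack("<I", CENTRAL_SIG))
        data[cd:cd + 46] = b"\x00" * 46  # central directory file header
    return bytes(data)


if __name__ == "__main__":
    for zeroed in (False, True):
        sample = build_sample(zeroed)
        print("zeroed headers:", zeroed, validate_zip(sample),
              "naive:", naive_verdict(sample), "hardened:", hardened_verdict(sample))
```

The contrast between `naive_verdict` and `hardened_verdict` is the whole point: both see the same bytes, but only the fail-closed path turns "I cannot parse this" into a blocking decision. A production scanner would also cap directory entry counts and nesting depth and hand the archive to the content engine only after this structural check passes.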

Reservation: 10/04/2004

Disclosure: 01/27/2005

Moderation: accepted

Entry: VDB-23893

CPE: ready

Exploit: Download

EPSS: 0.14785

KEV: no

Activities: very low

Sources
