McAfee VirusScan DUNZIP32.dll Buffer Overflow Vulnerability

2006.03.31
Credit: Juha-Matti Laurio
Risk: High
Local: No
Remote: Yes
CVE: CVE-2004-1094
CWE: CWE-Other


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Networksecurity.fi Security Advisory (30-03-2006) Title: McAfee VirusScan DUNZIP32.dll Buffer Overflow Vulnerability Criticality: High (3/3) Affected software: McAfee VirusScan versions 10 Build 10.0.21 and prior Author: Juha-Matti Laurio Date: 30th March, 2006 Advisory ID: Networksecurity.fi Security Advisory (30-03-2006) (#16) CVE reference: CVE-2004-1094 - From the vendor: "VirusScan - Always-updated protection against PC viruses. Safeguard your hard drive, email, attachments and downloads from known and unknown viruses, mass-mailing worms, Trojans and potentially unwanted programs (PUPs) like spyware." - Description: McAfee ViruScan anti-virus software is confirmed as affected to remote type buffer overflow vulnerability. The vulnerability is caused due to a boundary error in a 3rd-party compression library's (DUNZIP32.dll) old, vulnerable version used when handling packed signature files. InnerMedia DynaZip compression library mentioned is responsible for virus description file unpacking operations. This can be exploited to cause a buffer overflow via a specially crafted signature file. When a specially crafted virus definition package containing a file with an overly long filename (a file name or files inside a package) is opened the attacker may be able to execute arbitrary code on user's system (see VU#582498 reference). Opening of signature file is an automatic operation of product's SecurityCenter. - Detailed description: Affected DynaZip library examined is version from April, 2005, file version 3.x. According to InnerMedia company versions 5.00.03 and prior are affected. The following file was copied to C:Program FilesMcAfee.comShared directory during an installation process when tested: File name: dunzip32.dll Time stamp: 8th April, 2005 File version: 3.0.0.14 Description: DynaZIP-32 Multi-Threading UnZIP DLL Copyright information: Copyright (c) Inner Media, Inc. 1993-1996, All Rights Reserved. The following processes use Dunzip32.dll library: C:PROGRA~1McAfee.comAgentmcupdmgr.exe (McAfee SecurityCenter Update Manager v6.x) C:PROGRA~1McAfee.comSharedmghtml.exe (McAfee Security HTML Dialog v4.x) From US-CERT VU#582498: "Impact: If a remote attacker can persuade a user to access a specially crafted zip file, the attacker may be able to execute arbitrary code on that user's system possibly with elevated privileges." - Affected versions: The vulnerability has been confirmed in version 10 Build 10.0.21, Engine version 4400 in use. Other versions may also be affected. McAfee SecurityCenter Agent version 6.0.0.16 was used when tested. The following products use an affected component: McAfee VirusScan - OS: Tests was done with Microsoft Windows XP Professional SP2 and Microsoft Windows 2000 Professional SP4 fully patched. - Solution status: Vendor has issued a patch shipped with immune library version 5.00.06. It can be obtained by downloading an updated product version or using product's SecurityCenter Updates feature. Non-affected library has the following time stamp: 30th December, 2005. According to vendor response localized builds has been fixed as well. Tested non-affected product version: Build 10.0.27 Vendor is reportedly in process to publish FAQ (version release) document to the McAfee/Network Associates KnowledgeBase (http://knowledgemap.nai.com/KanisaSupportSite/supportcentral/supportcen tral.do?id=m1&language=en_US ). Vendor and vendor Product Page: McAfee, Inc. http://www.mcafee.com http://us.mcafee.com/root/package.asp?pkgid=100&cid=16269 - Solution: Apply an updated product version or update product via SecurityCenter. Workarounds: No working workarounds available. - CVE information: The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2004-1094 on 3rd March, 2006 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org ), which standardizes names for security problems. - References: US-CERT VU#582498: "InnerMedia DynaZip library vulnerable to buffer overflow via long file names" http://www.kb.cert.org/vuls/id/582498 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1094 Credit information: This vulnerability was researched by Juha-Matti Laurio, Networksecurity.fi. Thu full version of security advisory and research timeline is located at http://www.networksecurity.fi/advisories/mcafee-virusscan.html Timeline: 23-Dec-2005 - Vulnerability researched and confirmed 29-Dec-2005 - Vendor was contacted 30-Dec-2005 - Vendor's reply 11-Jan-2006 - AVERT Labs informs about started version testing process 02-Mar-2006 - New contact to the vendor 02-Mar-2006 - Vendor's reply, issue was fixed on 24th January, vendor informs about upcoming FAQ release document 27-Mar-2006 - New contact to the vendor asking the state of FAQ release 30-Mar-2006 - Security companies and several CERT units contacted 30-Mar-2006 - Public disclosure


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top