Re: [Full-disclosure] Re: Secunia Research: HAURI Anti-Virus Compressed Archive Directory Traversal

From: Mark Sec (mark.sec_at_gmail.com)
Date: 08/23/05

    Date: Tue, 23 Aug 2005 12:19:52 -0700
    To: "KF (lists)" <kf_lists@digitalmunition.com>, coley@mitre.org, full-disclosure@lists.grok.org.uk
    
    

    I have Hauri Antivirus. Nice research, but I remember Alex Hernandez in
    the wild with nice bugs, yet I don't see anything in the wild about him
    :-) Nice research :-)

    greets to:

    Alex Hernandez and KF

    - Mark
    CISSP

    On 23/08/05, KF (lists) <kf_lists@digitalmunition.com> wrote:
    > Since we are talking about HAURI... there are a few exploitable system()
    > calls in the local setuid binaries. I have been too lazy to write them
    > up. Perhaps soon I'll get off my ass and document them.
    >
    > Off the top of my head I think the setuid virobot binary calls
    > system("clear");
    > -KF
    >
    > Steven M. Christey wrote:
    >
    > >>The vulnerability is caused due to unsafe extraction of compressed
    > >>archives (e.g. ACE, ARJ, CAB, LZH, RAR, TAR and ZIP) into a temporary
    > >>directory before scanning. This can be exploited to write files into
    > >>arbitrary directories when scanning a malicious archive containing
    > >>files that have "/../" or "../../" directory sequences in their
    > >>filenames.
    > >>
    > >>...
    > >>
    > >>Apply patches.
    > >>
    > >>ViRobot Linux Server 2.0:
    > >>http://www.globalhauri.com/html/download/down_unixpatch.html
    > >>
    > >>
    > >
    > >This vendor page is titled "ViRobot Unix/Linux Server Security
    > >Vulnerability Patch."
    > >
    > >However, it goes on to describe a buffer overflow problem:
    > >
    > > 1. Patch for Buffer Over Flow Vulnerability
    > > - Vulnerability Type
    > > : Buffer Over Flow
    > >
    > > - Introduction to Patch
    > > : Vulnerability Patch for BOF(Buffer Over Flow) via HTTP_COOKIE
    > >
    > >
    > >There is no mention of directory traversal.
    > >
    > >This inconsistency makes it unclear whether HAURI has specifically
    > >fixed the directory traversal issue, and in addition it mentions
    > >another potentially more serious issue that has likely been missed by
    > >most advisory readers.
    > >
    > >- Steve
    > >_______________________________________________
    > >Full-Disclosure - We believe in it.
    > >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > >Hosted and sponsored by Secunia - http://secunia.com/
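The traversal Steve quotes is a member-name problem: the scanner joins each archive entry name to its temporary directory and writes there, so an entry named "../../etc/cron.d/evil" lands outside the temp tree. The block below is an added example written for this page, not code from the thread, from Secunia, or from HAURI/ViRobot. It builds a TAR archive in memory (TAR is one of the formats the advisory lists; the member names and contents are constructed sample data), then resolves every member name against an assumed, hypothetical extraction directory `/tmp/virobot-scan` and rejects any name or link target that ends up outside it, before anything is written.

```python
"""Reject archive member names that escape the extraction directory.

Added example, not HAURI/ViRobot code. A small TAR archive is built in
memory (constructed sample data) with one benign member, one member whose
name carries a "../../" traversal sequence, and one symlink pointing out of
the tree; each is checked against the scanner's temp directory.
"""
import io
import os
import tarfile

# Hypothetical temp directory a scanner would extract into (assumption).
SCAN_TMP = "/tmp/virobot-scan"


def member_is_safe(dest_dir: str, name: str) -> bool:
    """True only if `name`, joined to `dest_dir`, still resolves inside it."""
    if not name or "\x00" in name or name.startswith(("/", "\\")):
        return False
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, name))
    # commonpath, not str.startswith: "../virobot-scan2/x" would otherwise
    # pass on a prefix match against "/tmp/virobot-scan".
    return os.path.commonpath([dest, target]) == dest


def classify_members(archive_bytes: bytes, dest_dir: str) -> dict:
    """Return {member name: 'ok' | 'rejected'} without extracting anything."""
    verdicts = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        for info in tar.getmembers():
            safe = member_is_safe(dest_dir, info.name)
            if safe and (info.issym() or info.islnk()):
                # A link is a second escape route: its target must also
                # resolve inside dest_dir. Symlink targets are relative to
                # the member's own directory; hard-link targets are relative
                # to the archive root.
                if os.path.isabs(info.linkname):
                    safe = False
                elif info.issym():
                    link_target = os.path.join(
                        os.path.dirname(info.name), info.linkname)
                    safe = member_is_safe(dest_dir, link_target)
                else:
                    safe = member_is_safe(dest_dir, info.linkname)
            verdicts[info.name] = "ok" if safe else "rejected"
    return verdicts


def build_sample_archive() -> bytes:
    """Constructed malicious archive: benign file, traversal name, symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "../../../etc/cron.d/evil"):
            payload = b"constructed sample content\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("docs/link")   # symlink escaping the tree
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../../etc"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in classify_members(build_sample_archive(), SCAN_TMP).items():
        print(f"{verdict:8} {name}")
```

The check is lexical (realpath on paths that do not exist yet), which is enough to stop the "/../" names the advisory describes, but it is not enough on its own: an archive can first create a symlink inside the temp directory and then name a later member underneath it, so an extractor must also refuse to follow links it has just written, or re-resolve each target at write time. The same rule applies to ZIP, RAR, and the other formats the advisory lists; the member name is attacker data in every one of them.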

