Secunia Research: HAURI Anti-Virus ACE Archive Handling Buffer Overflow

From: Secunia Research (vuln_at_SECUNIA.COM)
Date: 08/24/05

  • Next message: Russ: "Re: Administrivia: Zotob/PnP Exploit Survey - Forget the first message"
    Date:         Wed, 24 Aug 2005 10:30:15 +0200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    ======================================================================

                         Secunia Research 24/08/2005

          - HAURI Anti-Virus ACE Archive Handling Buffer Overflow -

    ======================================================================
    Table of Contents

    Affected Software....................................................1
    Severity.............................................................2
    Description of Vulnerability.........................................3
    Solution.............................................................4
    Time Table...........................................................5
    Credits..............................................................6
    References...........................................................7
    About Secunia........................................................8
    Verification.........................................................9

    ======================================================================
    1) Affected Software

    ViRobot Expert 4.0
    ViRobot Advanced Server
    ViRobot Linux Server 2.0
    HAURI LiveCall

    Other versions may also be affected.

    ======================================================================
    2) Severity

    Rating: Highly Critical
    Impact: System access
    Where: Remote

    ======================================================================
    3) Description of Vulnerability

    Secunia Research has discovered a vulnerability in various HAURI
    anti-virus products, which can be exploited by malicious people to
    compromise a vulnerable system.

    The vulnerability is caused due to a boundary error in the ACE
    archive decompression library vrAZace.dll when extracting an archive.
    This can be exploited to cause a stack-based buffer overflow when
    scanning a malicious ACE archive containing a compressed file with
    a filename longer than 272 characters.

    Successful exploitation allows arbitrary code execution, but requires
    that compressed file scanning is enabled.

    The vulnerability is related to:
    http://secunia.com/SA14359

    ======================================================================
    4) Solution

    Apply patches.

    ViRobot Linux Server 2.0:
    http://www.globalhauri.com/html/download/down_unixpatch.html

    ViRobot Expert 4.0 / ViRobot Advanced Server:
    Update to the latest version via online update (vrazmain.dll
    version 5.8.22.137).

    HAURI LiveCall:
    Update to the latest version by visiting the vendor's LiveCall
    website (vrazmain.dll version 5.8.22.137).

    ======================================================================
    5) Time Table

    15/08/2005 - Initial vendor notification.
    17/08/2005 - Vendor released patch for VR Linux Server.
    23/08/2005 - Vendor released patch for VR Expert, VR Advanced Server
                 and LiveCall via online update.
    24/08/2005 - Public disclosure.

    ======================================================================
    6) Credits

    Discovered by Tan Chew Keong, Secunia Research.

    ======================================================================
    7) References

    HAURI:
    http://www.globalhauri.com/html/download/down_unixpatch.html

    ======================================================================
    8) About Secunia

    Secunia collects, validates, assesses, and writes advisories regarding
    all the latest software vulnerabilities disclosed to the public. These
    advisories are gathered in a publicly available database at the
    Secunia website:

    http://secunia.com/

    Secunia offers services to our customers enabling them to receive all
    relevant vulnerability information to their specific system
    configuration.

    Secunia offers a FREE mailing list called Secunia Security Advisories:

    http://secunia.com/secunia_security_advisories/

    ======================================================================
    9) Verification

    Please verify this advisory by visiting the Secunia website:
    http://secunia.com/secunia_research/2005-33/advisory/

    Complete list of vulnerability reports published by Secunia Research:
    http://secunia.com/secunia_research/

    ======================================================================

    --
    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
    --
    

  • Next message: Russ: "Re: Administrivia: Zotob/PnP Exploit Survey - Forget the first message"

    Relevant Pages