[NT] AVG Anti-Virus Arbitrary Code Execution

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

AVG Anti-Virus Arbitrary Code Execution


Grisoft is "focused on developing software solutions that provide
protection from computer viruses. Grisoft's primary focus is to deliver
the most comprehensive and proactive protection available on the market.

Distributed globally through resellers and through the internet, the AVG
Anti-Virus product line supports all major operating systems and
platforms. More than 40 million users around the world use Grisoft AVG
products to protect their computers and networks".

Multiple vulnerabilities have been found in AVG Anti-Virus's file parsing
engine which allow attackers to overflow internal buffers and cause
denial of service.


Vulnerable Systems:
* AVG Antivirus software version 7.1.406 and prior

Immune Systems:
* AVG Antivirus software version 7.1.407 or newer

In detail, the following flaws were determined:
* Heap Overflow through Integer Overflow in .CAB file parsing
* Uninitialized Variable flaw in .CAB file parsing
* Divide by Zero in .DOC file parsing
* Heap Overflow through Integer Overflow in .RAR file parsing
* Integer Issues in .EXE file parsing

These problems can lead to remote arbitrary code execution if an attacker
carefully crafts a file that exploits one or more of the aforementioned
vulnerabilities. The vulnerabilities are present in AVG Antivirus
software versions prior to 7.1.407.
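
Integer-overflow-to-heap-overflow and divide-by-zero bugs in file parsers generally come from arithmetic on size fields read from the untrusted file. The C code below is an added example, not AVG's code and not part of the original advisory; the header layout and all function names are hypothetical. It shows the wrapping size calculation next to a checked version and a zero-divisor guard.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical archive header (constructed for this example; not the CAB or
 * RAR layout and not AVG's code). Both fields come from the untrusted file. */
struct hdr { uint32_t entry_count; uint32_t entry_size; };

/* Unsafe pattern: the 32-bit product wraps, so the allocation is smaller
 * than the data a later copy loop believes it has room for. */
static uint32_t unchecked_alloc_size(const struct hdr *h) {
    return h->entry_count * h->entry_size;   /* wraps modulo 2^32 */
}

/* Hardened: reject zero fields, a wrapping product, and any size larger than
 * the bytes actually present in the file. Returns 0 on success, -1 on reject. */
static int checked_alloc_size(const struct hdr *h, size_t file_bytes, size_t *out) {
    if (h->entry_count == 0 || h->entry_size == 0) return -1;
    if (h->entry_count > UINT32_MAX / h->entry_size) return -1;  /* would wrap */
    uint64_t total = (uint64_t)h->entry_count * h->entry_size;
    if (total > file_bytes) return -1;   /* header claims more than exists */
    *out = (size_t)total;
    return 0;
}

/* Divide-by-zero guard for a divisor read from the file (e.g. a block size).
 * Computes the number of blocks needed to hold data_len bytes. */
static int blocks_needed(uint32_t data_len, uint32_t block_size, uint32_t *out) {
    if (block_size == 0) return -1;
    *out = data_len / block_size + (data_len % block_size != 0);
    return 0;
}

/* Allocate and copy entries only after the size has been validated. */
static void *load_entries(const struct hdr *h, const uint8_t *body, size_t body_len) {
    size_t n;
    if (checked_alloc_size(h, body_len, &n) != 0) return NULL;
    void *buf = malloc(n);
    if (buf) memcpy(buf, body, n);
    return buf;
}
```
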

The vulnerabilities were reported on Aug 24 and the fixes were released on
Sep 20. The updated software versions are available from

Disclosure Timeline:
2006/08/24 - initial notification to Grisoft Inc.
2006/08/24 - Grisoft Inc. Response
2006/08/25 - PGP keys exchange
2006/08/25 - PoC files sent to Grisoft Inc.
2006/08/30 - Bugs Confirmation, Timeframe Coordination for patch development and testing
2006/09/20 - Grisoft Inc. released Update with fixes


The information has been provided by Sergio Alvarez.
The original article can be found at:

