[NEWS] Trend Micro AntiVirus UPX Parsing Kernel Buffer Overflow Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Trend Micro AntiVirus UPX Parsing Kernel Buffer Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

The <http://www.trendmicro.com/> Trend Micro AntiVirus scan engine
provides anti-virus capabilities to desktop, server and gateway systems.
The engine is licensed to several of Trend Micro's OEM partners.

Exploitation of a vulnerability in Trend Micro's AntiVirus scanner allows
attackers to crash the scan engine or execute arbitrary code via a
malformed UPX file.

DETAILS

Vulnerable Systems:
* Trend Micro's PC-Cillin Internet Security 2007
* VsapiNI.sys (scan engine) version 3.320.0.1003

* ServerProtect for Linux v2.5 on RHEL 4.x
* vsapiapp version 8.310

* (Any implementations based on Trend Micro's AntiVirus scan engine are
likely vulnerable in their default configuration.)

Remote exploitation of a buffer overflow vulnerability within Trend
Micro's AntiVirus engine could allow an attacker to crash the scan engine
or execute arbitrary code.
This vulnerability is caused by improper input validation when scanning
specially crafted malformed UPX compressed executables. Memory corruption
could occur, leading to an invalid memory access or a potentially
exploitable condition.

This vulnerability could be used to gain unauthorized access to machines
through common protocols, e.g. SMTP, HTTP, FTP. No authentication is
required for an attacker to leverage this vulnerability.
Under Windows, the scan engine runs in kernel context. Under Linux, the
scan engine runs as a daemon with superuser privileges. As such, an
attacker can take complete control of the affected system if successful
code execution is attained.

Vendor Status:
"To address this vulnerability, Trend Micro recommends customers to update
to Virus Pattern File 4.245.00 or higher."
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034289

Disclosure Timeline:
* 01/17/2007 - Initial vendor notification
* 01/19/2007 - Initial vendor response
* 02/07/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=470


