[NT] Trend Micro Antivirus UPX Parsing Kernel Divide by Zero Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Trend Micro Antivirus UPX Parsing Kernel Divide by Zero Vulnerability
------------------------------------------------------------------------


SUMMARY

<http://www.trendmicro.com/en/home/us/home.htm> Trend Micro AntiVirus is
"an virus scanning engine included in a wide array of products by Trend
Micro. Several examples of vulnerable products include PC-cillin and
Internet Security Suite". Remote exploitation of a divide by zero error in
Trend Micro AntiVirus may allow attackers to cause a denial of service.

DETAILS

Vulnerable Systems:
* Trend Micro AntiVirus version 14.10.1041, engine version 8.320.1003

Immune Systems:
* Upgrade to Virus Pattern File 4.335.00 (or newer)

The vulnerability exists in the kernel driver, VsapiNT.sys. This driver is
responsible for scanning various file formats for malicious content. The
code that parses UPX files takes an integer value from an attacker
supplied file and uses it as a divisor. This results in a divide by zero
error in kernel mode. This causes a kernel fault resulting in a blue
screen of death (BSOD).

Analysis:
Exploitation of this vulnerability results not only in a DOS of the Trend
Micro process, but in an operating system crash.

There are several different attack vectors depending on which product is
being targeted. Someone targeting a home user would need to convince a
user to download a file from a website or an attachment from an email
message. The user would then need to manually scan this file or save it
and have the Trend Micro auto scan process scan it at some later time. If
instead a mail gateway is being targeted this vulnerability can be
exploited automatically by sending a malicious attachment through a
gateway that uses Trend Micro to scan content.

Vendor response:
"To address this vulnerability, Trend Micro recommends customers to update
to Virus Pattern File 4.335.00 or higher."

For more information, consult the Trend Micro Knowledge Base article at
the link shown below:
<http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034587>
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034587

Disclosure timeline:
02/27/2007 - Initial vendor notification
02/27/2007 - Initial vendor response
03/14/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by
<mailto:idlabs-advisories@xxxxxxxxxxxx> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=488>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=488



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages