Thread-topic: iDefense Security Advisory 03.14.07: Trend Micro Antivirus UPX ParsingKernel Divide by Zero Vulnerability
> -----Original Message-----
> From:
> idlabs-advisories-bounces+vladimir.kazennov=billing.ru@idefens
> e.com
> [mailto:idlabs-advisories-bounces+vladimir.kazennov=billing.ru
> @idefense.com] On Behalf Of iDefense Labs Security Advisories
> Sent: Wednesday, March 14, 2007 7:55 PM
> To: iDefense Labs Security Advisories
> Subject: iDefense Security Advisory 03.14.07: Trend Micro
> Antivirus UPX ParsingKernel Divide by Zero Vulnerability
>
> Trend Micro Antivirus UPX Parsing Kernel Divide by Zero Vulnerability
>
> iDefense Security Advisory 03.14.07
>
> Mar 14, 2007
>
> I. BACKGROUND
>
> Trend Micro AntiVirus is an virus scanning engine included in
> a wide array
> of products by Trend Micro. Several examples of vulnerable products
> include PC-cillin and Internet Security Suite.
>
>
>
> II. DESCRIPTION
>
> Remote exploitation of a divide by zero error in Trend Micro
> AntiVirus may
> allow attackers to cause a denial of service.
>
> The vulnerability exists in the kernel driver, VsapiNT.sys.
> This driver is
> responsible for scanning various file formats for malicious
> content. The
> code that parses UPX files takes an integer value from an attacker
> supplied file and uses it as a divisor. This results in a
> divide by zero
> error in kernel mode. This causes a kernel fault resulting in a blue
> screen of death (BSOD).
>
> III. ANALYSIS
>
> Exploitation of this vulnerability results not only in a DOS
> of the Trend
> Micro process, but in an operating system crash.
>
> There are several different attack vectors depending on which
> product is
> being targeted. Someone targeting a home user would need to convince a
> user to download a file from a website or an attachment from an email
> message. The user would then need to manually scan this file
> or save it
> and have the Trend Micro auto scan process scan it at some
> later time. If
> instead a mail gateway is being targeted this vulnerability can be
> exploited automatically by sending a malicious attachment through a
> gateway that uses Trend Micro to scan content.
>
> IV. DETECTION
>
> iDefense has confirmed the existence of this vulnerability in
> Trend Micro
> AntiVirus version 14.10.1041, engine version 8.320.1003.
> Previous versions
> may also be affected.
>
> V. WORKAROUND
>
> iDefense is currently unaware of any workarounds for this issue.
>
> VI. VENDOR RESPONSE
>
> "To address this vulnerability, Trend Micro recommends
> customers to update
> to Virus Pattern File 4.335.00 or higher."
>
> For more information, consult the Trend Micro Knowledge Base
> article at
> the link shown below.
>
>
>
> VII. CVE INFORMATION
>
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE)
> number has not
> been assigned yet.
>
> VIII. DISCLOSURE TIMELINE
>
> 02/27/2007 Initial vendor notification
> 02/27/2007 Initial vendor response
> 03/14/2007 Coordinated public disclosure
>
> IX. CREDIT
>
> The discoverer of this vulnerability wishes to remain anonymous.
>
> Get paid for vulnerability research
>
>
> Free tools, research and upcoming events
>
>
> X. LEGAL NOTICES
>
> Copyright (c) 2007 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically.
> It may not be edited in any way without the express written consent of
> iDefense. If you wish to reprint the whole or any part of
> this alert in
> any other medium other than electronically, please e-mail
> customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be
> accurate at
> the time of publishing based on currently available
> information. Use of
> the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any
> direct, indirect,
> or consequential loss or damage arising from use of, or
> reliance on, this
> information.
> _______________________________________________
> To unsubscribe, go here:
>
>
