>
> Computer Associates eTrust InoTask.exe Antivirus Buffer Overflow
> Vulnerability
>
> iDefense Security Advisory 05.09.07
>
> May 09, 2007
>
> I. BACKGROUND
>
> Computer Associates' eTrust Antivirus is a client antivirus
> scanner. It
> is distributed in standalone packages and also as part of the Internet
> Security Suite. More information can be found on the vendor's website
> at the following URL.
>
>
>
> II. DESCRIPTION
>
> Local exploitation of a buffer overflow vulnerability in Computer
> Associates International Inc.'s (CA) eTrust Antivirus allows attackers
> to execute arbitrary code with SYSTEM privileges.
>
> The Task Service component of eTrust Antivirus, InoTask.exe,
> is used to
> schedule and execute tasks such as scanning the system for virii. The
> service uses a shared file mapping to share information about
> scheduled
> tasks. The file mapping has a NULL security descriptor, which
> allows any
> user to modify its contents. By modifying a string inside of this
> mapping an attacker can trigger a stack based overflow in the InoTask
> process.
>
> III. ANALYSIS
>
> Exploitation allows an attacker to elevate privileges to SYSTEM on the
> targeted host.
>
> A local user account is required to exploit this vulnerability; it can
> not be triggered remotely.
>
> When exploiting this vulnerability, an attacker can cause the copy
> operation to write past the end of the stack. This triggers an
> exception, and results in execution of attacker supplied code when
> calling the SEH function.
>
> IV. DETECTION
>
> iDefense confirmed that CA eTrust Antivirus r8 on Windows is
> vulnerable.
>
> V. WORKAROUND
>
> iDefense is currently unaware of any workarounds for this issue.
>
> VI. VENDOR RESPONSE
>
> "CA has issued an update to address the vulnerabilities. The patched
> files are available as part of the product's automatic
> content update."
>
> For more information consult Computer Associates' Security
> Notice at the
> following URL.
>
>
> ecnotice050807.asp
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has
> assigned the
> name CVE-2007-2523 to this issue. This is a candidate for inclusion in
> the CVE list (), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 02/07/2007 Initial vendor notification
> 02/07/2007 Initial vendor response
> 05/09/2007 Coordinated public disclosure
>
> IX. CREDIT
>
> This vulnerability was reported to iDefense by binagres.
>
> Get paid for vulnerability research
>
>
> Free tools, research and upcoming events
>
>
> X. LEGAL NOTICES
>
> Copyright (c) 2007 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available
> information. Use
> of the information constitutes acceptance for use in an AS IS
> condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
> _______________________________________________
> To unsubscribe, go here:
>
>
