ðòïåëôù 


  áòèé÷ 


Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  óôáôøé 


  ðåòóïîáìøîïå 


  ðòïçòáííù 



ðéûéôå
ðéóøíá














     áòèé÷ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: iDefense Security Advisory 02.07.07: Trend Micro AntiVirus UPX Parsing Kernel Buffer Overflow Vulnerability



> -----Original Message-----
> From: iDefense Labs [mailto:labs-no-reply@xxxxxxxxxxxx] 
> Sent: Wednesday, February 07, 2007 10:27 PM
> To: vulnwatch@xxxxxxxxxxxxx; 
> full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: iDefense Security Advisory 02.07.07: Trend Micro 
> AntiVirus UPX Parsing Kernel Buffer Overflow Vulnerability
> 
> Trend Micro AntiVirus UPX Parsing Kernel Buffer Overflow Vulnerability
> 
> iDefense Security Advisory 02.07.07
> http://labs.idefense.com/intelligence/vulnerabilities/
> Feb 07, 2007
> 
> I. BACKGROUND
> 
> The Trend Micro AntiVirus scan engine provides anti-virus 
> capabilities to
> desktop, server and gateway systems. The engine is licensed 
> to several of
> Trend Micro's OEM partners. More information is available on 
> Trend Micro's
> web site at the following URL.
> 
> http://www.trendmicro.com/
> 
> II. DESCRIPTION
> 
> Remote exploitation of a buffer overflow vulnerability within 
> Trend Micro's
> AntiVirus engine could allow an attacker to crash the scan engine or
> execute arbitrary code.
> 
> This vulnerability is caused by improper input validation 
> when scanning
> specially crafted malformed UPX compressed executables. 
> Memory corruption
> could occur leading to a invalid memory access or a potentially
> exploitable condition.
> 
> III. ANALYSIS
> 
> Exploitation allows attackers to crash the scan engine or 
> execute arbitrary
> code.
> 
> This vulnerability could be used to gain unauthorized access 
> to machines
> through common protocols, e.g. SMTP, HTTP, FTP. No authentication is
> required for an attacker to leverage this vulnerability.
> 
> Under Windows, the scan engine runs in kernel context. Under 
> Linux, the
> scan engine runs as a daemon with superuser privileges. As such, an
> attacker can take complete control of the affected system if 
> successful
> code execution is attained.
> 
> IV. DETECTION
> 
> iDefense has confirmed the existence of this vulnerability in our
> vulnerability lab. The configurations at verification time were as
> follows:
> 
>  * Trend Micro's PC-Cillin Internet Security 2007
>  * VsapiNI.sys (scan engine) version 3.320.0.1003
> 
>  * ServerProtect for Linux v2.5 on RHEL 4.x
>  * vsapiapp version 8.310
> 
> Any implementations based on Trend Micro's AntiVirus scan engine are
> likely vulnerable in their default configuration.
> 
> V. WORKAROUND
> 
> iDefense is currently unaware of any effective workaround for 
> this issue.
> 
> VI. VENDOR RESPONSE
> 
> "To address this vulnerability, Trend Micro recommends 
> customers to update
> to Virus Pattern File 4.245.00 or higher."
> 
> For more information, consult the Trend Micro Knowledge Base 
> article at
> the link shown below.
> 
> http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034289
> 
> VII. CVE INFORMATION
> 
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) 
> number has not
> been assigned yet.
> 
> VIII. DISCLOSURE TIMELINE
> 
> 01/17/2007  Initial vendor notification
> 01/19/2007  Initial vendor response
> 02/07/2007  Coordinated public disclosure
> 
> IX. CREDIT
> 
> The discoverer of this vulnerability wishes to remain anonymous.
> 
> Get paid for vulnerability research
> http://labs.idefense.com/methodology/vulnerability/vcp.php
> 
> Free tools, research and upcoming events
> http://labs.idefense.com/
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2006 iDefense, Inc.
> 
> Permission is granted for the redistribution of this alert 
> electronically.
> It may not be edited in any way without the express written consent of
> iDefense. If you wish to reprint the whole or any part of 
> this alert in
> any other medium other than electronically, please e-mail
> customerservice@xxxxxxxxxxxx for permission.
> 
> Disclaimer: The information in the advisory is believed to be 
> accurate at
> the time of publishing based on currently available 
> information. Use of
> the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any 
> direct, indirect,
> or consequential loss or damage arising from use of, or 
> reliance on, this
> information.
> 
> 



 




Copyright © Lexa Software, 1996-2009.