> -----Original Message-----
> From: binagres@xxxxxxxxx [mailto:binagres@xxxxxxxxx]
> Sent: Friday, May 11, 2007 4:27 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Computer Associates eTrust InoTask.exe Antivirus Buffer Overflow Vulnerability
>
> Hi,
>
> Here binagres aka (...), for all the "vinagreta" :
>
> ----------------------------------------------------------------------
> | 48Bits Advisory -=- Privilege Elevation in eTrust Antivirus Agent r8 |
> ----------------------------------------------------------------------
>
> Affected versions :
>
> - eTrust Antivirus Agent r8 - http://www3.ca.com/solutions/Product.aspx?ID=156
> (With INOCORE.DLL 8.0.403.0 under XPSP2 and W2KSP4)
>
> Description :
>
> eTrust Antivirus r8 is prone to a stack-based buffer overflow
> vulnerability.
>
> The affected component is "eTrust Task service" running as a Windows
> service. The executable file is located at:
>
> "%PROGRAMFILES%\CA\eTrustITM\InoTask.exe"
>
> eTrust Task service uses a shared file mapping named "INOQSIQSYSINFO"
> as an IPC mechanism. This file mapping has a NULL security descriptor,
> so anyone can view/modify it. This mapping contains information about
> scheduled tasks, including a field where the file job's path is
> specified.
>
> The vulnerable code is located in INOCORE.DLL, in the function
> QSIGetQueueID, which internally calls QSIGetQuePath, passing a fixed
> buffer in order to retrieve the queue path. No validation is done for
> the buffer size.
>
> In order to exploit the vulnerability, malicious users can directly
> modify the buffer through the file mapping with a long file path, so
> when InoTask reads it the mentioned stack-based buffer overflow will
> be triggered.
>
> exploit here : http://www.48bits.com/exploits/etrust.c
>
> Cheers,
>
> binagres
>
>
>
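
The advisory above describes a queue-path getter that copies a field from a world-writable shared mapping into a fixed buffer with no size check. The following added example (not code from the advisory, 48Bits or CA) shows a bounded form of that copy; the record layout, field sizes, function name and return codes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define QUEUE_PATH_MAX   260   /* assumed size of the caller's fixed buffer */
#define SHARED_FIELD_MAX 1024  /* assumed size of the path field in the mapping */

/* Hypothetical record layout; the real INOQSIQSYSINFO format is not on the page. */
struct shared_task {
    char job_path[SHARED_FIELD_MAX]; /* writable by any process that can open the mapping */
};

enum { QP_OK = 0, QP_BAD_ARG = -1, QP_TOO_LONG = -2 };

/* Copy the job path out of the shared record into a caller buffer of known size. */
int get_queue_path(const struct shared_task *shared, char *out, size_t out_size)
{
    char snap[SHARED_FIELD_MAX];
    const char *nul;
    size_t len;

    if (shared == NULL || out == NULL || out_size == 0)
        return QP_BAD_ARG;

    /* Snapshot once: another process can rewrite the mapping between check and copy. */
    memcpy(snap, shared->job_path, sizeof snap);

    nul = memchr(snap, '\0', sizeof snap);
    if (nul == NULL)
        return QP_TOO_LONG;            /* unterminated field: reject, do not truncate */
    len = (size_t)(nul - snap);
    if (len >= out_size)
        return QP_TOO_LONG;            /* would not fit with its terminator */
    memcpy(out, snap, len + 1);
    return QP_OK;
}

int main(void)
{
    struct shared_task t;              /* constructed sample input */
    char path[QUEUE_PATH_MAX];

    memset(t.job_path, 'A', sizeof t.job_path);   /* oversized, unterminated */
    printf("oversized: %d\n", get_queue_path(&t, path, sizeof path));
    strcpy(t.job_path, "C:\\jobs\\scan.job");
    printf("normal: %d %s\n", get_queue_path(&t, path, sizeof path), path);
    return 0;
}
```

Bounding the copy addresses only the overflow; the NULL security descriptor on the mapping, which lets any user write the field, is a separate issue this block does not cover.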