The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Computer Associates Vet Antivirus Library Heap Overflow
------------------------------------------------------------------------
SUMMARY
Computer Associates Vet library "provides anti-virus scan engine
capabilities. Vet scan engines allow products to analyze various streams
for malware".
Vet is vulnerable to an integer wrap during the analysis of an OLE stream.
The integer wrap causes an arbitrary heap overflow with no character
restrictions allowing remote attackers control of the system(s) Vet is
protecting.
DETAILS
Vulnerable Systems:
* CA InoculateIT 6.0 (all platforms including Notes/Exchange
* CA eTrust Antivirus r6.0 all platforms including Notes/Exchange
* CA eTrust Antivirus r7.0 all platforms including Notes/Exchange
* CA eTrust Antivirus r7.1 all platforms including Notes/Exchange
* CA eTrust Antivirus for the Gateway r7.0 all modules and platforms
* CA eTrust Antivirus for the Gateway r7.1 all modules and platforms
* CA eTrust Secure Content Manager all releases
* CA eTrust Intrusion Detection all releases
* CA BrightStor ARCserve Backup (BAB) r11.1 Windows
* CA Vet Antivirus
* Zonelabs ZoneAlarm Security Suite
* Zonelabs ZoneAlarm Antivirus
Vet Antivirus Library contains various file format engines to parse
streams for malware. The vulnerable file format engine parses embedded OLE
objects. The vulnerability can be triggered through multiple file formats
because Vet looks for OLE objects in a variety of file streams, e.g.,
Access, Word, PowerPoint, Excel, Visio, etc. Specifically, the
vulnerability is in the processing of decompressed VBA macro object
headers with the project name type set. Following the 16 bit type is a 32
bit length which is incremented and passed to new(). The un-incremented 32
bit length is then passed to a buffered read function.
The vulnerable code path requires the decompressed 16 bit type to be 4,
and the decompressed 32 bit length to be -1. -1 is incremented to zero and
passed to new(0) which allocates a small chunk (probably 16 bytes). The
buffered read copies the entire decompressed stream into the small chunk,
overflowing the chunks below it. The size of the decompressed stream is
limited to 4096 bytes.
Successful exploitation of protected systems allows attackers unauthorized
control of data and privileges. It also provides leverage for further
network compromise. This vulnerability can be exploited remotely through
common protocols, such as SMTP, FTP, SMB, etc. It can be triggered without
authentication or user interaction and allows multiple exploitation
attempts. Vet implementations are likely vulnerable in their default
configuration.
ADDITIONAL INFORMATION
The information has been provided by <mailto:list@rem0te.com> rem0te.com.
The original article can be found at:
<http://www.rem0te.com/public/images/vet.pdf>
http://www.rem0te.com/public/images/vet.pdf
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
