The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
CA eTrust AntiVirus WebScan Manifest Processing Buffer Overflow (Technical
Details)
------------------------------------------------------------------------
SUMMARY
CA eTrust Antivirus WebScan contains multiple vulnerabilities that can
allow remote attackers to gain privileged access or execute arbitrary
code. The first vulnerability allows attackers to install arbitrary files.
The second vulnerability is due to improper processing of outdated WebScan
components. Finally, the third vulnerability is due to improper bounds
checking when processing certain user input. Remote attackers can exploit
these vulnerabilities to gain escalated privileges or execute arbitrary
code.
DETAILS
This vulnerability allows remote attackers to execute arbitrary code on
systems with affected installations of the Computer Associates eTrust
AntiVirus WebScan ActiveX component. Successful exploitation requires that
the target user browse to a malicious web page. The vulnerable component
is typically installed as a prerequisite to the free online WebScan found
at: <http://www3.ca.com/securityadvisor/virusinfo/scan.aspx>
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
The specific flaw exists during WebScan's processing of the actual
manifest files delivered during a scanner update check. It downloads a
'filelist.txt' file from this server, which is used as a manifest file to
describe the updates available. Each line of the file consists of four
fields in the following form:
[file name] [decimal integer] [decimal integer] [decimal integer]
A lack of bounds checking on the file names specified in update manifests
may lead to a buffer overflow that can be easily exploited to execute
arbitrary code. As WebScan allows the server for update downloads to be
specified on a web page as an initialization parameter, a malicious
manifest can be delivered from any server; it is not necessary to
impersonate a legitimate update server.
Vendor Response:
Computer Associates has addressed this issue in the latest version of
their WebScan product. More information from the vendor is available at:
<http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34509>
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34509
Disclosure Timeline:
2006.07.17 - Vulnerability reported to vendor
2006.07.26 - Digital Vaccine released to TippingPoint customers
2006.08.07 - Coordinated public release of advisory
ADDITIONAL INFORMATION
The information has been provided by Matthew Murphy, TippingPoint Security
Research Team.
The original article can be found at:
<http://www.tippingpoint.com/security/advisories/TSRT-06-06.html>
http://www.tippingpoint.com/security/advisories/TSRT-06-06.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
