Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Trend Micro Antivirus UPX Parsing Kernel Divide by Zero Vulnerabili

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Trend Micro Antivirus UPX Parsing Kernel Divide by Zero Vulnerability
Date: 15 Mar 2007 11:00:13 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Trend Micro Antivirus UPX Parsing Kernel Divide by Zero Vulnerability
------------------------------------------------------------------------


SUMMARY

 <http://www.trendmicro.com/en/home/us/home.htm> Trend Micro AntiVirus is 
"an virus scanning engine included in a wide array of products by Trend 
Micro. Several examples of vulnerable products include PC-cillin and 
Internet Security Suite". Remote exploitation of a divide by zero error in 
Trend Micro AntiVirus may allow attackers to cause a denial of service.

DETAILS

Vulnerable Systems:
 * Trend Micro AntiVirus version 14.10.1041, engine version 8.320.1003

Immune Systems:
 * Upgrade to Virus Pattern File 4.335.00 (or newer)

The vulnerability exists in the kernel driver, VsapiNT.sys. This driver is 
responsible for scanning various file formats for malicious content. The 
code that parses UPX files takes an integer value from an attacker 
supplied file and uses it as a divisor. This results in a divide by zero 
error in kernel mode. This causes a kernel fault resulting in a blue 
screen of death (BSOD).

Analysis:
Exploitation of this vulnerability results not only in a DOS of the Trend 
Micro process, but in an operating system crash.

There are several different attack vectors depending on which product is 
being targeted. Someone targeting a home user would need to convince a 
user to download a file from a website or an attachment from an email 
message. The user would then need to manually scan this file or save it 
and have the Trend Micro auto scan process scan it at some later time. If 
instead a mail gateway is being targeted this vulnerability can be 
exploited automatically by sending a malicious attachment through a 
gateway that uses Trend Micro to scan content.

Vendor response:
"To address this vulnerability, Trend Micro recommends customers to update 
to Virus Pattern File 4.335.00 or higher."

For more information, consult the Trend Micro Knowledge Base article at 
the link shown below:  
<http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034587> 
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034587

Disclosure timeline:
02/27/2007 - Initial vendor notification
02/27/2007 - Initial vendor response
03/14/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:idlabs-advisories@idefense.com> iDefense Labs Security Advisories.
The original article can be found at:  
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=488> 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=488



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Trend Micro Antivirus UPX Parsing Kernel Divide by Zero Vulnerability, SecuriTeam <=
Previous by Date:  [NT] Phishing Using IE7 Local Resource Vulnerability, SecuriTeam
Next by Date:  [UNIX] OpenBSD's IPv6 mbufs Kernel Buffer Overflow, SecuriTeam
Previous by Thread:  [NT] Phishing Using IE7 Local Resource Vulnerability, SecuriTeam
Next by Thread:  [UNIX] OpenBSD's IPv6 mbufs Kernel Buffer Overflow, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]