Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Symantec Scan Engine RAR File Vulnerabilities

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Symantec Scan Engine RAR File Vulnerabilities
Date: 27 Feb 2008 12:53:22 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Symantec Scan Engine RAR File Vulnerabilities
------------------------------------------------------------------------


SUMMARY

 
<http://www.symantec.com/enterprise/products/overview.jsp?pcid=1008&pvid=836_1> 
Symantec Scan Engine is a standalone Anti-Virus Engine that exposes a scanning 
Application Programming Interface (API) directly to developers who wish to 
integrate protection into their own custom applications. Two vulnerabilities 
revolving around handling of RAR files have been discovered in Symantec Scan 
Engine.

DETAILS

Vulnerable Systems:
 * Symantec Scan Engine version 5.1.2

Symantec Scan Engine RAR File Buffer Overflow Vulnerability
Remote exploitation of a stack based buffer overflow vulnerability in 
Symantec Scan Engine version 5.1.2 could allow an unauthenticated attacker 
to execute arbitrary code with the privileges of the scan engine process.

Symantec Scan Engine listens on TCP port 1344 to accept files for scanning 
using the Internet Content Adaptation Protocol (ICAP). If the service is 
sent a specially malformed RAR file, a stack-based buffer overflow will 
occur.

Analysis:
Exploitation allows remote unauthenticated attackers to execute arbitrary 
code with the privileges of the scan engine process. The scan engine can 
be configured to run either as a normal user or as root. In order to 
exploit this vulnerability, an attacker must be able to cause a malicious 
RAR file to be scanned by the Symantec Scan Engine. Normally, no 
authentication is required to reach the vulnerable code.

Vendor response:
Symantec has addressed this vulnerability by releasing updates for various 
versions of the Symantec Scan Engine. For more information, refer to their 
advisory at the following URL:  
<http://www.symantec.com/avcenter/security/Content/2008.02.27.html> 
http://www.symantec.com/avcenter/security/Content/2008.02.27.html

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0309> 
CVE-2008-0309

Disclosure Timeline:
06/14/2007 - Initial vendor notification
06/14/2007 - Initial vendor response
02/26/2008 - Coordinated public disclosure

Symantec Scan Engine RAR File Denial of Service Vulnerability
Remote exploitation of a Denial of Service vulnerability in Symantec Scan 
Engine version 5.1.2 could allow an unauthenticated attacker to create a 
denial of service (DoS) condition.

Symantec Scan Engine listens on TCP port 1344 to accept files for scanning 
using the Internet Content Adaptation Protocol (ICAP). If the service is 
sent a malformed RAR file, the service will consume massive amounts of 
memory. This can result in a denial of service condition for the 
application and operating system.

Analysis:
Exploitation allows remote unauthenticated attackers to cause the process 
to consume excessive amounts memory. In order to exploit this 
vulnerability, an attacker must be able to cause a malicious RAR file to 
be scanned by the Symantec Scan Engine. Normally, no authentication is 
required to reach the vulnerable code.

Vendor response:
Symantec has addressed this vulnerability by releasing updates for various 
versions of the Symantec Scan Engine. For more information, refer to their 
advisory at the following URL:  
<http://www.symantec.com/avcenter/security/Content/2008.02.27.html> 
http://www.symantec.com/avcenter/security/Content/2008.02.27.html

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0308> 
CVE-2008-0308

Disclosure Timeline:
06/14/2007 - Initial vendor notification
06/14/2007 - Initial vendor response
02/26/2008 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense Labs.
The original article can be found at:  
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=666> 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=666 
and  
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=667> 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=667



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Symantec Scan Engine RAR File Vulnerabilities, SecuriTeam <=
Previous by Date:  [NEWS] Mozilla Thunderbird MIME External-Body Heap Overflow Vulnerability, SecuriTeam
Previous by Thread:  [NEWS] Mozilla Thunderbird MIME External-Body Heap Overflow Vulnerability, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]