Date: Tue Aug 23 19:56:41 2005
From: kf_lists at digitalmunition.com (KF (lists))
Subject: Re: Secunia Research: HAURI Anti-Virus Compressed Archive Directory Traversal

Since we are talking about HAURI... there are a few exploitable system() 
calls in the local setuid binaries. I have been too lazy to write them 
up. Perhaps soon I'll get off my ass and document them.

Off the top of my head I think the setuid virobot binary calls 
system("clear");
-KF

Steven M. Christey wrote:

>>The vulnerability is caused due to unsafe extraction of compressed
>>archives (e.g. ACE, ARJ, CAB, LZH, RAR, TAR and ZIP) into a temporary
>>directory before scanning. This can be exploited to write files into
>>arbitrary directories when scanning a malicious archive containing
>>files that have "/../" or "../../" directory sequences in their
>>filenames.
>>
>>...
>>
>>Apply patches.
>>
>>ViRobot Linux Server 2.0:
>>http://www.globalhauri.com/html/download/down_unixpatch.html
>>    
>>
>
>This vendor page is titled "ViRobot Unix/Linux Server Security
>Vulnerability Patch."
>
>However, it goes on to describe a buffer overflow problem:
>
>  1. Patch for Buffer Over Flow Vulnerability
>  - Vulnerability Type
>  : Buffer Over Flow
>
>  - Introduction to Patch
>  : Vulnerability Patch for BOF(Buffer Over Flow) via HTTP_COOKIE
>
>
>There is no mention of directory traversal.
>
>This inconsistency makes it unclear whether HAURI has specifically
>fixed the directory traversal issue, and in addition it mentions
>another potentially more serious issue that has likely been missed by
>most advisory readers.
>
>- Steve
>
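
The unsafe extraction described in the quoted advisory comes down to trusting member names taken from the archive. As an added example (not code from this thread, Secunia or HAURI), the Python check below lists ZIP/TAR members whose names would resolve outside the extraction directory; the function names and the sample archives are constructed for illustration, and it inspects member names only, not link targets.

```python
import io
import os
import tarfile
import tempfile
import zipfile


def resolves_inside(base, member_name):
    """True if member_name, joined to base, still resolves under base."""
    base = os.path.realpath(base)
    # An absolute member name replaces base in join(), so it is rejected too.
    target = os.path.realpath(os.path.join(base, member_name))
    return os.path.commonpath([base, target]) == base


def unsafe_members(archive_bytes, base):
    """Return the member names that would be written outside base."""
    buf = io.BytesIO(archive_bytes)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            names = zf.namelist()
    else:
        buf.seek(0)
        with tarfile.open(fileobj=buf) as tf:
            names = tf.getnames()
    return [n for n in names if not resolves_inside(base, n)]


def make_sample(kind, names):
    """Build a constructed in-memory archive of empty files (test input only)."""
    buf = io.BytesIO()
    if kind == "zip":
        with zipfile.ZipFile(buf, "w") as zf:
            for n in names:
                zf.writestr(n, b"")
    else:
        with tarfile.open(fileobj=buf, mode="w") as tf:
            for n in names:
                tf.addfile(tarfile.TarInfo(n))
    return buf.getvalue()


if __name__ == "__main__":
    scan_dir = tempfile.mkdtemp(prefix="scan-")  # stand-in for the scanner's temp dir
    sample = ["docs/readme.txt", "a/../b.txt", "../../etc/cron.d/x", "a/../../b"]
    for kind in ("zip", "tar"):
        bad = unsafe_members(make_sample(kind, sample), scan_dir)
        print(kind, "rejected:", bad)
```

A scanner would run this check before writing anything and skip or quarantine the archive when the returned list is non-empty.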
