Message-ID: <430B735F.5000508@digitalmunition.com>
Date: Tue Aug 23 19:56:41 2005
From: kf_lists at digitalmunition.com (KF (lists))
Subject: Re: Secunia Research: HAURI Anti-Virus Compressed Archive Directory Traversal
Since we are talking about HAURI... there are a few exploitable system()
calls in the local setuid binaries. I have been too lazy to write them
up. Perhaps soon I'll get off my ass and document them.
Off the top of my head I think the setuid virobot binary calls
system("clear");
-KF
Steven M. Christey wrote:
>>The vulnerability is caused due to unsafe extraction of compressed
>>archives (e.g. ACE, ARJ, CAB, LZH, RAR, TAR and ZIP) into a temporary
>>directory before scanning. This can be exploited to write files into
>>arbitrary directories when scanning a malicious archive containing
>>files that have "/../" or "../../" directory sequences in their
>>filenames.
>>
>>...
>>
>>Apply patches.
>>
>>ViRobot Linux Server 2.0:
>>http://www.globalhauri.com/html/download/down_unixpatch.html
>>
>>
>
>This vendor page is titled "ViRobot Unix/Linux Server Security
>Vulnerability Patch."
>
>However, it goes on to describe a buffer overflow problem:
>
> 1. Patch for Buffer Over Flow Vulnerability
> - Vulnerability Type
> : Buffer Over Flow
>
> - Introduction to Patch
> : Vulnerability Patch for BOF(Buffer Over Flow) via HTTP_COOKIE
>
>
>There is no mention of directory traversal.
>
>This inconsistency makes it unclear whether HAURI has specifically
>fixed the directory traversal issue, and in addition it mentions
>another potentially more serious issue that has likely been missed by
>most advisory readers.
>
>- Steve
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
>
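
The extraction flaw described in the quoted advisory, seen from the defender's side, as an added example that is not part of the original message or of HAURI's code: each archive member name is resolved against the temporary scan directory and refused if it would land outside it. It covers tar only; the function names and the sample archive are constructed for illustration.

```python
import io
import os
import tarfile
import tempfile


def is_within(base_dir, member_name):
    """True if member_name, joined to base_dir, stays inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, member_name))
    return os.path.commonpath([base, target]) == base


def safe_extract(archive, dest_dir):
    """Extract regular files and directories; return (extracted, rejected)."""
    extracted, rejected = [], []
    for member in archive.getmembers():
        # Links and device nodes can redirect later writes, so skip them too.
        if not (member.isfile() or member.isdir()) or not is_within(dest_dir, member.name):
            rejected.append(member.name)
            continue
        target = os.path.join(dest_dir, member.name)
        if member.isdir():
            os.makedirs(target, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with archive.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
        extracted.append(member.name)
    return extracted, rejected


def build_sample_tar(names):
    """Constructed test input: an in-memory tar with the given member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"sample"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


def demo():
    names = ["docs/readme.txt", "../../outside.txt", "a/../../escape.txt", "/abs.txt"]
    with tempfile.TemporaryDirectory() as scan_dir:
        return safe_extract(build_sample_tar(names), scan_dir)
```

The check runs on the resolved path rather than on the raw name, so absolute names and "../" sequences buried mid-path are caught by the same comparison.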