Message-ID: <5598cfa1050823121953acb3a8@mail.gmail.com>
Date: Tue Aug 23 20:20:01 2005
From: mark.sec at gmail.com (Mark Sec)
Subject: Re: Secunia Research: HAURI Anti-Virus Compressed Archive Directory Traversal
I have Hauri Antivirus, nice research, but I remember Alex Hernandez in
the wild with nice bugs, but I don't see anything in the wild about him
:-) nice research :-)
greets to:
Alex Hernandez and KF
- Mark
CISSP
On 23/08/05, KF (lists) <kf_lists@...italmunition.com> wrote:
> Since we are talking about HAURI... there are a few exploitable system()
> calls in the local setuid binaries. I have been too lazy to write them
> up. Perhaps soon I'll get off my ass and document them.
>
> Off the top of my head I think the setuid virobot binary calls
> system("clear");
> -KF
>
> Steven M. Christey wrote:
>
> >>The vulnerability is caused due to unsafe extraction of compressed
> >>archives (e.g. ACE, ARJ, CAB, LZH, RAR, TAR and ZIP) into a temporary
> >>directory before scanning. This can be exploited to write files into
> >>arbitrary directories when scanning a malicious archive containing
> >>files that have "/../" or "../../" directory sequences in their
> >>filenames.
> >>
> >>...
> >>
> >>Apply patches.
> >>
> >>ViRobot Linux Server 2.0:
> >>http://www.globalhauri.com/html/download/down_unixpatch.html
> >>
> >>
> >
> >This vendor page is titled "ViRobot Unix/Linux Server Security
> >Vulnerability Patch."
> >
> >However, it goes on to describe a buffer overflow problem:
> >
> > 1. Patch for Buffer Over Flow Vulnerability
> > - Vulnerability Type
> > : Buffer Over Flow
> >
> > - Introduction to Patch
> > : Vulnerability Patch for BOF(Buffer Over Flow) via HTTP_COOKIE
> >
> >
> >There is no mention of directory traversal.
> >
> >This inconsistency makes it unclear whether HAURI has specifically
> >fixed the directory traversal issue, and in addition it mentions
> >another potentially more serious issue that has likely been missed by
> >most advisory readers.
> >
> >- Steve
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >Hosted and sponsored by Secunia - http://secunia.com/
> >
>
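The Secunia advisory quoted in this thread describes the root cause as extracting archive members into a temporary directory without checking whether member names such as "/../" or "../../" escape that directory. The following is an added illustration, not code from this thread, from HAURI or from Secunia, of the check an extractor should make before writing anything to disk: resolve the would-be target path and refuse it unless it stays inside the scan directory. The scan directory name, the sample member names and the in-memory tar archive are all constructed for the example; the archive formats named in the advisory (ACE, ARJ, CAB, LZH, RAR, ZIP) need the same check on their member names, the tar case is just the one the standard library can build offline.

```python
import io
import os
import tarfile

# Constructed sample members (not from any real archive). The names deliberately
# use the "/../" and "../../" patterns the advisory describes, next to benign ones.
SAMPLE_MEMBERS = [
    ("clean/readme.txt", "harmless content\n"),
    ("clean/sub/../notes.txt", "a '..' that still resolves inside the scan dir\n"),
    ("../../etc/cron.d/evil", "would be written outside the scan dir\n"),
    ("/../tmp/x", "absolute name with traversal\n"),
]


def is_safe_member_path(base_dir: str, member_name: str) -> bool:
    """True only if extracting member_name under base_dir stays inside base_dir.

    The joined path is resolved with realpath so that "..", repeated separators
    and a symlinked prefix are all normalised before the containment test.
    """
    base = os.path.realpath(base_dir)
    # An archive member must be relative; absolute names (POSIX or Windows style)
    # are rejected outright rather than silently re-rooted under base_dir.
    if os.path.isabs(member_name) or member_name.startswith(("/", "\\")):
        return False
    # Some extractors accept backslashes as separators; fold them so that
    # "..\\..\\x" cannot slip past a forward-slash-only check.
    normalised = member_name.replace("\\", "/")
    target = os.path.realpath(os.path.join(base, normalised))
    # Compare with a trailing separator so "/tmp/scan2" is not treated as inside "/tmp/scan".
    return target == base or target.startswith(base + os.sep)


def plan_extraction(base_dir: str, member_names):
    """Split member names into (accepted, rejected) lists.

    A scanner can then refuse the whole archive, or skip the rejected members,
    before a single file is created in the temporary directory.
    """
    accepted, rejected = [], []
    for name in member_names:
        (accepted if is_safe_member_path(base_dir, name) else rejected).append(name)
    return accepted, rejected


def build_sample_tar() -> bytes:
    """Build an in-memory tar archive from SAMPLE_MEMBERS (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in SAMPLE_MEMBERS:
            data = payload.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_archive_members(base_dir: str, archive_bytes: bytes):
    """Read member names from a tar archive and classify them without extracting."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        names = [member.name for member in tar.getmembers()]
    return plan_extraction(base_dir, names)


if __name__ == "__main__":
    # Hypothetical scan directory; it does not need to exist for the check to work.
    ok, bad = scan_archive_members("/tmp/virobot-scan-example", build_sample_tar())
    print("accepted:", ok)
    print("rejected:", bad)
```

The containment test is done on the resolved path rather than by string-matching "../" in the name, because the name "clean/sub/../notes.txt" contains ".." yet is harmless, while an absolute name contains no ".." at all and is still dangerous. Doing the check on names before extraction, rather than cleaning up afterwards, matters here because the write happens before the scan engine ever looks at the content.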