[<prev] [next>] [day] [month] [year] [list]
Message-ID: <d65cd4390712110754v28bb42bdrf7b6c42e7158e359@mail.gmail.com>
Date: Tue, 11 Dec 2007 23:54:37 +0800
From: Sowhat <smaillist@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: TrendMicro AntiVirus UUE Processing Vulnerability
TrendMicro AntiVirus UUE Processing Vulnerability
Sowhat of Nevis Labs
http://www.nevisnetworks.com
http://secway.org/advisory/AD20071211.txt
Vendor:
TrendMicro
Affected:
TrendMicro Antivirus prior to PccScan.dll build 1451
This vulnerability has been confirmed on TrendMicro Antivirus and
Antispyware 20008
(PccScan.dll build 1450).
Details:
There is a vulnerability in TrendMicro Antivirus, which allows an attacker
to escalate to SYSTEM privilege, Denial of service, or potential execute
arbitrary
code (not confirmed yet).
While decoding the .uue file., TrendMicro Antivirus will create a .zip file,
by manipulating the .uue file, we can make the TrendMicro AV generate a .zip
file
which contains a long file name.
Due to the incorrect usage of wcsncpy_s() API while PccScan.dll is trying to
copy
this long file name into a static buffer, the SfCtlCom.exe will crash.
Because SfCtlCom.exe is running under SYSTEM privilege, local privilege is
possible
in some cases, e.g. there is a just-in-time debugger presented.
The remote exploitability has not been confirmed yet.
And also, According to the vendor:
"malformed UUE is not necessary, just a malformed zip file is enough"
So this vulnerability should be called as a ".ZIP processing vulnerability",
not .UUE
The vulnerability can be exploited remotely, by sending Email or convince
the
victim visit attacker controlled website. Or can be exploited locally to
gain the
SYSTEM privilege.
Vendor Response:
2007.11.12 Vendor notified through several email address.
2007.11.13 Auto-Response from the support.
2007.11.13 Get the right person by sending emails to FD
2007.11.23 Patch available
2007.12.05 Patch planned on 5th, Dec
2007.12.06 Patch delayed to 7th, Dec
2007.12.11 Patch released by the vendor
2007.12.11 Advisory released.
Reference:
1. http://esupport.trendmicro.com/support/viewxml.do?ContentID=1036464
2. http://secway.org/advisory/AD20071116.txt
3. http://groups.google.com/group/vulnhashdb
--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists