lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 11 Dec 2007 23:54:37 +0800
From: Sowhat <smaillist@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: TrendMicro AntiVirus UUE Processing Vulnerability

TrendMicro AntiVirus UUE Processing Vulnerability


Sowhat of Nevis Labs
http://www.nevisnetworks.com
http://secway.org/advisory/AD20071211.txt


Vendor:
TrendMicro


Affected:
TrendMicro Antivirus prior to PccScan.dll build 1451
This vulnerability has been confirmed on TrendMicro Antivirus and
Antispyware 20008
(PccScan.dll build 1450).



Details:

There is a vulnerability in TrendMicro Antivirus, which allows an attacker
to escalate to SYSTEM privilege, Denial of service, or potential execute
arbitrary
code (not confirmed yet).

While decoding the .uue file., TrendMicro Antivirus will create a .zip file,

by manipulating the .uue file, we can make the TrendMicro AV generate a .zip
file
which contains a long file name.

Due to the incorrect usage of wcsncpy_s() API while PccScan.dll is trying to
copy
this long file name into a static buffer, the SfCtlCom.exe will crash.

Because SfCtlCom.exe is running under SYSTEM privilege, local privilege is
possible
in some cases, e.g. there is a just-in-time debugger presented.

The remote exploitability has not been confirmed yet.

And also, According to the vendor:
"malformed UUE is not necessary, just a malformed zip file is enough"

So this vulnerability should be called as a ".ZIP processing vulnerability",
not .UUE

The vulnerability can be exploited remotely, by sending Email or convince
the
victim visit attacker controlled website. Or can be exploited locally to
gain the
SYSTEM privilege.


Vendor Response:

2007.11.12    Vendor notified through several email address.
2007.11.13    Auto-Response from the support.
2007.11.13    Get the right person by sending emails to FD
2007.11.23    Patch available
2007.12.05    Patch planned on 5th, Dec
2007.12.06    Patch delayed to 7th, Dec
2007.12.11    Patch released by the vendor
2007.12.11    Advisory released.

Reference:
1. http://esupport.trendmicro.com/support/viewxml.do?ContentID=1036464
2. http://secway.org/advisory/AD20071116.txt
3. http://groups.google.com/group/vulnhashdb



-- 
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ