avast! antivirus Directory Traversal and Buffer Overflow in UNACEV2.DLL Lets Remote Users Write Files and Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1014544 |
|
SecurityTracker URL: http://securitytracker.com/id/1014544
|
|
CVE Reference:
CVE-2005-2384, CVE-2005-2385
(Links to External Site)
|
Updated: Jul 6 2008
|
Original Entry Date: Jul 21 2005
|
Impact:
Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): Home/Professional Edition prior to version 4.6.691, Server Edition prior to version 4.6.489, Managed Client prior to version 4.6.394
|
Description:
Some vulnerabilities were reported in avast! antivirus in the processing of ACE archives. A remote user can write files on the target system. A remote user can execute arbitrary code on the target system.
If ACE archive scanning is enabled, a remote user can create a specially crafted ACE archive that, when processed by the target user, will write files to arbitrary directories or trigger a buffer overflow and execute arbitrary code.
The 'UNACEV2.DLL' library does not properly validate filenames when extracting archives to scan them. A file with a filename containing directory traversal characters ('/../') or an absolute path may be written to an arbitrary location on the target system.
The library also contains a buffer overflow. A filename longer than 290 bytes can trigger the overflow.
Tan Chew Keong of Secunia Research discovered this vulnerability.
|
Impact:
A remote user can write files to arbitrary directories on the target system.
A remote user can execute arbitrary code on the target system.
|
Solution:
The vendor has issued fixed versions (Home/Professional Edition version 4.6.691, Server Edition version 4.6.489, Managed Client version 4.6.394).
|
Vendor URL: www.avast.com/ (Links to External Site)
|
Cause:
Boundary error, Input validation error
|
Underlying OS:
Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 21 Jul 2005 13:13:38 -0400
Subject: http://secunia.com/secunia_research/2005-20/advisory/
|
======================================================================
Secunia Research 21/07/2005
- avast! Antivirus ACE File Handling Two Vulnerabilities -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Credits..............................................................5
References...........................................................6
About Secunia........................................................7
Verification.........................................................8
======================================================================
1) Affected Software
avast! 4 Home/Professional Edition Version 4.6.665
avast! Server Edition Version 4.6.460
The vendor has reported that avast! Managed Client is also affected.
Other versions may also be affected.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Manipulation of data
Where: From remote
======================================================================
3) Description of Vulnerability
Secunia Research has discovered two vulnerabilities in avast!, which
can be exploited by malicious people to compromise a vulnerable
system.
1) An input validation error in a 3rd-party compression library
(UNACEV2.DLL) when extracting ACE archives for scanning can be
exploited to write files to arbitrary directories when scanning a
malicious archive containing a file with the "/../" directory
traversal sequence or an absolute path in its filename.
2) A boundary error in UNACEV2.DLL can cause a stack-based buffer
overflow when scanning a malicious ACE archive containing a file that has
a filename of more than 290 bytes.
Successful exploitation allows execution of arbitrary code and writing
of files to arbitrary directories, but requires that ACE archive
scanning is enabled.
======================================================================
4) Solution
Update to a fixed version.
Home/Professional Edition:
Fixed in version 4.6.691.
Server Edition:
Fixed in version 4.6.489.
Managed Client:
Fixed in version 4.6.394.
======================================================================
5) Credits
Discovered by Tan Chew Keong, Secunia Research.
======================================================================
6) References
http://www.avast.com/eng/av4_revision_history.html
http://www.avast.com/eng/avast_server_edition.html
http://www.avast.com/eng/257.html
======================================================================
7) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia web site:
http://secunia.com/
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/
======================================================================
8) Verification
Please verify this advisory by visiting the Secunia web site:
http://secunia.com/secunia_research/2005-20/advisory/
Complete list of vulnerability reports released by Secunia Research:
http://secunia.com/secunia_research/
=====================================================================
|
|
