Computer Associates Vet Antivirus Library Remote Heap Overflow

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, security@xxxxxxxxxx
Subject: Computer Associates Vet Antivirus Library Remote Heap Overflow
From: list@xxxxxxxxxx
Date: Mon, 23 May 2005 14:30:45 +0000
Importance: Normal
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Date
May 23, 2005

Vulnerability
Computer Associates Vet library provides antivirus scan engine capabilities. 
Vet scan engines allow products to analyze various streams for malware. Vet is 
vulnerable to an integer wrap during the analysis of an OLE stream. The integer 
wrap causes an arbitrary heap overflow with no character restrictions allowing 
remote attackers control of the system(s) Vet is protecting.

Specifically, within decompressed VBA directories project name records have a 
32 bit length value which is incremented for a null byte. It is then used as an 
allocation length. Given a project name length of -1 Vet increments it and 
calls new(0), which allocates a small chunk. The small chunk is used for the 
destination of a copy with a negative length. The negative length is discarded 
for an attacker controlled length below 4096 before the copy.

Impact
Successful exploitation of protected systems allows attackers unauthorized 
control of data and privileges. It also provides leverage for further network 
compromise. This vulnerability can be exploited remotely through common 
protocols, such as SMTP, FTP, SMB, etc. It can be triggered without 
authentication or user interaction and allows multiple exploitation attempts. 
Vet implementations are likely vulnerable in their default configuration.

Affected Products
CA InoculateIT 6.0 (all platforms including Notes/Exchange
CA eTrust Antivirus r6.0 all platforms including Notes/Exchange
CA eTrust Antivirus r7.0 all platforms including Notes/Exchange
CA eTrust Antivirus r7.1 all platforms including Notes/Exchange
CA eTrust Antivirus for the Gateway r7.0 all modules and platforms
CA eTrust Antivirus for the Gateway r7.1 all modules and platforms
CA eTrust Secure Content Manager all releases
CA eTrust Intrusion Detection all releases
CA BrightStor ARCserve Backup (BAB) r11.1 Windows
CA Vet Antivirus
Zonelabs ZoneAlarm Security Suite
Zonelabs ZoneAlarm Antivirus

Note: There are also several other vendors, including large ISP’s that OEM the 
Vet library. Refer to vendor for version specifics.

Credit
This vulnerability was discovered and researched by Alex Wheeler.

Contact
security@xxxxxxxxxx

Full Advisory
http://www.rem0te.com/public/images/vet.pdf

Prev by Date: [SECURITYREASON.COM] PostNuke SQL Injection 0.750=>x
Next by Date: SQL injections in PortailPHP
Previous by thread: [SECURITYREASON.COM] PostNuke SQL Injection 0.750=>x
Next by thread: SQL injections in PortailPHP
Index(es):
- Date
- Thread