Avast! AntiVirus TAR Processing Remote Heap Corruption

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Avast! AntiVirus TAR Processing Remote Heap Corruption
From: Sowhat <smaillist@xxxxxxxxx>
Date: Thu, 6 Dec 2007 15:26:49 +0800
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; bh=JnD5OhL2pQvE9OZERZuc9IEGnoFOMulJBffg1QkYBjY=; b=ZqTag4P4/LjsKdySkkLiOwgipVyF5L8LGMCYixxP63n0Gaf2O7rIXqfB5C9pWtjLy3AZrQi6ku5LCUlpxHZMTR2oKIZKATIBwJaHpzX1nXveW4pbqAxNSNsTaAA+A3v4srlmBjIE531VqJ2upCtt+WCtSr8wwAp+MGWRLS5NnlU=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=Yc6NS6qdkHFhnNvoN/Xc1hTyl45NT9nnchVVJInabSM0fzU2P7DQwIj+AdM1RJKBc0xB58bhTAlXy/sn4XXO++SEAekC16/rMju13O9BrwY3BNHUy0xD23zMZO1guQ1R2kj1IFgScRdEL0/gZ3EZot/7s6JlYlsRwXJp9cYRt/o=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Avast! AntiVirus TAR Processing Remote Heap Corruption


Sowhat of Nevis Labs
http://www.nevisnetworks.com
http://secway.org/advisory/AD20071206.txt

BID: 26702

Vendor:
ALWIL Software


Affected:
Avast! Home/Professional < 4.7.1098
This vulnerability has been confirmed on Avast! Professional 4.7.1043



Details:

There is a vulnerability in Avast! Antivirus, which allows an attacker
to execute arbitrary code if successfully exploited.

While parsing the .TAR file, Avast! Antivirus Library does not properly check
the value of certain field, thus result into a remote heap corruption.

we would be able to trigger a classic "arbitrary 4 bytes overwritten"
condition.

77F52109   8901             MOV DWORD PTR DS:[ECX],EAX
77F5210B   8948 04          MOV DWORD PTR DS:[EAX+4],ECX

The EAX and ECX are indirectly controlled by the attacker in this case,
The EAX and ECX are read from the passed scanned file.

To be able to control EAX/ECX, we can put some other files before the
exploit.TAR,
let the Avast! scan the other files first.

By manipulating the exploit file, we can also trigger another exception

64206096   8B01             MOV EAX,DWORD PTR DS:[ECX]
64206098   6A FF            PUSH -1
6420609A   FF10             CALL DWORD PTR DS:[EAX]

The EAX is controllable.


The vulnerability can be exploited remotely, by sending Email or convince the
victim visit attacker controlled website.


Vendor Response:

2007.11.28      Vendor notified
2007.11.29      Vendor responded
2007.12.05      Vendor released the fixed version, 4.7.1098
2007.12.06      Advisory release


Reference:
1. http://www.avast.com/eng/avast-4-home_pro-revision-history.html
2. http://secway.org/advisory/AD20071116.txt
3. http://groups.google.com/group/vulnhashdb



-- 
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"

Prev by Date: Aria-Security.Net: PenPals Login and search page SQL Injection
Next by Date: [security bulletin] HPSBMA02281 SSRT061261 rev.1 - HP OpenView Network Node Manager (OV NNM) Remote Unauthorized Execution of Arbitrary Code
Previous by thread: Aria-Security.Net: PenPals Login and search page SQL Injection
Next by thread: [security bulletin] HPSBMA02281 SSRT061261 rev.1 - HP OpenView Network Node Manager (OV NNM) Remote Unauthorized Execution of Arbitrary Code
Index(es):
- Date
- Thread