what you don't know can hurt you

AD20071206.txt

AD20071206.txt
Posted Dec 7, 2007
Authored by Sowhat | Site nevisnetworks.com

Avast! Home/Professional versions below 4.7.1098 suffer from a remote heap corruption vulnerablity when processing tar files.

tags | advisory, remote
MD5 | d8ae0cd83f95804e538540b842699117

AD20071206.txt

Change Mirror Download
Avast! AntiVirus TAR Processing Remote Heap Corruption


Sowhat of Nevis Labs
http://www.nevisnetworks.com
http://secway.org/advisory/AD20071206.txt

BID: 26702

Vendor:
ALWIL Software


Affected:
Avast! Home/Professional < 4.7.1098
This vulnerability has been confirmed on Avast! Professional 4.7.1043



Details:

There is a vulnerability in Avast! Antivirus, which allows an attacker
to execute arbitrary code if successfully exploited.

While parsing the .TAR file, Avast! Antivirus Library does not properly check
the value of certain field, thus result into a remote heap corruption.

we would be able to trigger a classic "arbitrary 4 bytes overwritten"
condition.

77F52109 8901 MOV DWORD PTR DS:[ECX],EAX
77F5210B 8948 04 MOV DWORD PTR DS:[EAX+4],ECX

The EAX and ECX are indirectly controlled by the attacker in this case,
The EAX and ECX are read from the passed scanned file.

To be able to control EAX/ECX, we can put some other files before the
exploit.TAR,
let the Avast! scan the other files first.

By manipulating the exploit file, we can also trigger another exception

64206096 8B01 MOV EAX,DWORD PTR DS:[ECX]
64206098 6A FF PUSH -1
6420609A FF10 CALL DWORD PTR DS:[EAX]

The EAX is controllable.


The vulnerability can be exploited remotely, by sending Email or convince the
victim visit attacker controlled website.


Vendor Response:

2007.11.28 Vendor notified
2007.11.29 Vendor responded
2007.12.05 Vendor released the fixed version, 4.7.1098
2007.12.06 Advisory release


Reference:
1. http://www.avast.com/eng/avast-4-home_pro-revision-history.html
2. http://secway.org/advisory/AD20071116.txt
3. http://groups.google.com/group/vulnhashdb



--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    2 Files
  • 2
    Mar 2nd
    18 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    12 Files
  • 5
    Mar 5th
    19 Files
  • 6
    Mar 6th
    8 Files
  • 7
    Mar 7th
    1 Files
  • 8
    Mar 8th
    1 Files
  • 9
    Mar 9th
    11 Files
  • 10
    Mar 10th
    15 Files
  • 11
    Mar 11th
    9 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    13 Files
  • 14
    Mar 14th
    10 Files
  • 15
    Mar 15th
    13 Files
  • 16
    Mar 16th
    27 Files
  • 17
    Mar 17th
    15 Files
  • 18
    Mar 18th
    23 Files
  • 19
    Mar 19th
    25 Files
  • 20
    Mar 20th
    10 Files
  • 21
    Mar 21st
    6 Files
  • 22
    Mar 22nd
    1 Files
  • 23
    Mar 23rd
    22 Files
  • 24
    Mar 24th
    15 Files
  • 25
    Mar 25th
    22 Files
  • 26
    Mar 26th
    20 Files
  • 27
    Mar 27th
    15 Files
  • 28
    Mar 28th
    10 Files
  • 29
    Mar 29th
    1 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close