mailing list archives
Computer Associates Vet Antivirus Library Remote Heap Overflow
From: list () rem0te com
Date: Mon, 23 May 2005 14:30:45 +0000
May 23, 2005
Computer Associates Vet library provides antivirus scan engine capabilities. Vet scan engines allow products to analyze
various streams for malware. Vet is vulnerable to an integer wrap during the analysis of an OLE stream. The integer
wrap causes an arbitrary heap overflow with no character restrictions allowing remote attackers control of the
system(s) Vet is protecting.
Specifically, within decompressed VBA directories project name records have a 32 bit length value which is incremented
for a null byte. It is then used as an allocation length. Given a project name length of -1 Vet increments it and calls
new(0), which allocates a small chunk. The small chunk is used for the destination of a copy with a negative length.
The negative length is discarded for an attacker controlled length below 4096 before the copy.
Successful exploitation of protected systems allows attackers unauthorized control of data and privileges. It also
provides leverage for further network compromise. This vulnerability can be exploited remotely through common
protocols, such as SMTP, FTP, SMB, etc. It can be triggered without authentication or user interaction and allows
multiple exploitation attempts. Vet implementations are likely vulnerable in their default configuration.
CA InoculateIT 6.0 (all platforms including Notes/Exchange
CA eTrust Antivirus r6.0 all platforms including Notes/Exchange
CA eTrust Antivirus r7.0 all platforms including Notes/Exchange
CA eTrust Antivirus r7.1 all platforms including Notes/Exchange
CA eTrust Antivirus for the Gateway r7.0 all modules and platforms
CA eTrust Antivirus for the Gateway r7.1 all modules and platforms
CA eTrust Secure Content Manager all releases
CA eTrust Intrusion Detection all releases
CA BrightStor ARCserve Backup (BAB) r11.1 Windows
CA Vet Antivirus
Zonelabs ZoneAlarm Security Suite
Zonelabs ZoneAlarm Antivirus
Note: There are also several other vendors, including large ISP’s that OEM the Vet library. Refer to vendor for version
This vulnerability was discovered and researched by Alex Wheeler.
security () rem0te com
- Computer Associates Vet Antivirus Library Remote Heap Overflow list (May 23)