Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

fulldisclosure logo Full Disclosure mailing list archives

Re: McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow
From: "Joey Mengele" <joey.mengele () hushmail com>
Date: Wed, 15 Aug 2007 10:39:07 -0400
Where does security come into play here? This is a local crash in a 
non setuid binary. I would like to hear your remote exploitation 
scenario. Or perhaps your local privilege escalation scenario?

J

P.S. We all know this advisory is bullshit, you should have sold it 
to WabiSabiLabi LOLOLOL

On Wed, 15 Aug 2007 08:56:54 -0400 Sebastian Wolfgarten 
<sebastian () wolfgarten com> wrote:

I - TITLE

Security advisory: McAfee Virus Scan for Linux and Unix v5.10.0 
Local
Buffer Overflow

II - SUMMARY

Description: Local buffer overflow vulnerability in McAfee Virus 
Scan
for Linux and Unix allows arbitrary code execution

Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com)

Date: August 15th, 2007

Severity: Low-Medium

References: http://www.devtarget.org/mcafee-advisory-08-2007.txt

III - OVERVIEW

McAfee Virus Scan for Linux and Unix is a command-line version of 
the
popular McAfee anti-virus scanner running on the Linux operating 
system
as well as on other Unices (e.g. AIX, Solaris, HP-UX etc.). It was
discovered that the product is prone to a classic buffer overflow
vulnerability when attempting to scan files or directories with a
particularly long name. This vulnerability results in the local
execution of arbitrary code with the privileges of the user 
running the
scanner, privilege escalation is by default not possible. Remote
exploitation appears to be infeasible due to file length 
limitations in
popular file systems.

IV - DETAILS

The overflow occurs when the product tries to scan a file or 
directory
with a name that is longer than a certain size (approx. 4124+ 
bytes).
For example on a Debian Linux 3.1 test system, it takes 4124+4 
bytes to
successfully overwrite the EIP register and thus execute arbitrary 
code:

# /usr/local/uvscan/uvscan --version
Virus Scan for Linux v5.10.0
Copyright (c) 1992-2006 McAfee, Inc. All rights reserved.
(408) 988-3832  EVALUATION COPY - May 26 2006

Scan engine v5.1.00 for Linux.
Virus data file v4777 created Jun 05 2006
Scanning for 194376 viruses, trojans and variants.

# gdb /usr/local/uvscan/uvscan
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, 
and you
are welcome to change it and/or distribute copies of it under 
certain
conditions. Type "show copying" to see the conditions. There is
absolutely no warranty for GDB. Type "show warranty" for details. 
This
GDB was configured as "i386-linux"...(no debugging symbols found)
Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run `perl -e 'print "A"x4124 . "B"x4'`
Starting program: /usr/local/uvscan/uvscan `perl -e 'print 
"A"x4124 .
"B"x4'`
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 1080238208 (LWP 2461)]
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1080238208 (LWP 2461)]
0x42424242 in ?? ()
(gdb) info registers
eax            0x1      1
ecx            0x8068430        134644784
edx            0x1      1
ebx            0x41414141       1094795585
esp            0xbfffdc40       0xbfffdc40
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x42424242       0x42424242
eflags         0x282    642
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51

V - EXPLOIT CODE

An exploit for this vulnerability has been developed but will not
released to the general public at this time.

VI - WORKAROUND/FIX

To address this problem, the vendor has released McAfee VirusScan
Command Line Scanner for Linux and Unix version 5.20. Thus all 
users of
the product are asked to test and install this patch as soon as
possible. McAfee has also published a dedicated security bulletin 
that
covers the problem (see
https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=61
3576&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=613
576).


VII - DISCLOSURE TIMELINE

18. December 2006 - Notified security () mcafee com
19. December 2006 - Vendor responded that vulnerability is being
investigated
19. December to 15. August 2007 - Weekly vendor report on the 
progress
of the development of the patch
01. August 2007 - Release of patch
15. August 2007 - Public disclosure


--
Click to become a master chef, own a restaurant and make millions.
http://tagline.hushmail.com/fc/Ioyw6h4eAFZexjoyRjzeiNugNCYHByYgDcZbE142fg5zU8vki64fmI/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]