SecurityTracker.com
Category: Application (Security) > ViRobot
Vendors: HAURI Inc.
HAURI ViRobot Input Validation Hole in Processing Compressed Archive Contents Lets Remote Users Write Arbitrary Files
SecurityTracker Alert ID: 1014740
SecurityTracker URL: http://securitytracker.com/id/1014740
CVE Reference: CVE-2005-2670
Updated: Jun 8 2008
Original Entry Date: Aug 19 2005
Impact: Modification of system information, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): ViRobot Expert 4.0, ViRobot Advanced Server, ViRobot Linux Server 2.0, HAURI LiveCall
Description: A vulnerability was reported in HAURI ViRobot. A remote user can cause files to be written to arbitrary directories on the target system.

The software does not validate the filenames of archive members before extracting them into a temporary directory for scanning. A remote user can create an archive (e.g. ACE, ARJ, CAB, LZH, RAR, TAR or ZIP) containing a file whose name includes directory traversal sequences ("/../" or "../../"). When the anti-virus software extracts the archive, the file is written to the location chosen by the remote user instead of inside the temporary directory.

Only systems with compressed file scanning enabled are affected.
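The pre-extraction check that the Secunia advisory's solution section recommends, rejecting archive members whose names would resolve outside the scan directory, as an added Python example that is not part of the advisory or of HAURI's products; the ZIP and TAR samples, the scan directory /tmp/av-scan and all function names are constructed for illustration:

```python
import io
import os
import tarfile
import zipfile

SCAN_DIR = "/tmp/av-scan"  # constructed temporary extraction directory

def escapes_dest(name: str, dest: str = SCAN_DIR) -> bool:
    """True if an archive member name would resolve outside dest."""
    norm = name.replace("\\", "/")  # treat both separators alike
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True  # absolute or drive-letter path: reject outright
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, *norm.split("/")))
    return os.path.commonpath([root, target]) != root

def member_names(data: bytes) -> list[str]:
    """Member names of an in-memory ZIP or TAR archive."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            return zf.namelist()
    buf.seek(0)
    with tarfile.open(fileobj=buf, mode="r:*") as tf:
        return tf.getnames()

def unsafe_members(data: bytes, dest: str = SCAN_DIR) -> list[str]:
    """Pre-extraction check: member names that would escape dest."""
    return [n for n in member_names(data) if escapes_dest(n, dest)]

def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries:
            zf.writestr(name, body)
    return buf.getvalue()

def make_tar(entries):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, body in entries:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()

# Constructed samples: a benign member plus one carrying the advisory's "../../" sequence.
SAMPLE_ZIP = make_zip([("docs/readme.txt", b"hello"), ("../../escaped.txt", b"x")])
SAMPLE_TAR = make_tar([("docs/readme.txt", b"hello"), ("docs/../../escaped.txt", b"x")])
```

An archive for which unsafe_members() returns a non-empty list should be refused (or quarantined) before any member is written to disk; the check resolves the final path rather than matching on the literal string "../", so "docs/../readme.txt" is still accepted.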

The vendor was notified on June 30, 2005.

Tan Chew Keong of Secunia Research discovered this vulnerability.

Impact: A remote user can cause files to be written to arbitrary directories on the target system with the privileges of the anti-virus process.
Solution: The vendor has issued a fix for ViRobot Linux Server, available at:

http://www.globalhauri.com/html/download/down_unixpatch.html

The report indicates that fixes for ViRobot Expert, ViRobot Advanced Server, and LiveCall are available via online update.

[Editor's note: From the Secunia Advisory, it is not clear if all of the vulnerabilities have been patched or not.]

Vendor URL: www.globalhauri.com/html/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS)

Message History: None.


Source Message Contents

Subject: [Full-disclosure] Secunia Research: HAURI Anti-Virus Compressed

====================================================================== 

                     Secunia Research 19/08/2005

     - HAURI Anti-Virus Compressed Archive Directory Traversal -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

====================================================================== 
1) Affected Software 

ViRobot Expert 4.0 
ViRobot Advanced Server
ViRobot Linux Server 2.0
HAURI LiveCall

Other versions may also be affected.

====================================================================== 
2) Severity 

Rating: Moderately critical
Impact: Security Bypass
Where:  Remote

====================================================================== 
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in various HAURI
anti-virus products, which can be exploited by malicious people to
write files to arbitrary directories.

The vulnerability is caused due to unsafe extraction of compressed
archives (e.g. ACE, ARJ, CAB, LZH, RAR, TAR and ZIP) into a temporary
directory before scanning. This can be exploited to write files into
arbitrary directories when scanning a malicious archive containing 
files that have "/../" or "../../" directory sequences in their 
filenames.

Successful exploitation allows writing of files to arbitrary
directories, which can potentially lead to code execution (e.g. by
overwriting certain startup files), but requires that compressed file
scanning is enabled.

====================================================================== 
4) Solution 

Apply patches.

ViRobot Linux Server 2.0:
http://www.globalhauri.com/html/download/down_unixpatch.html 

ViRobot Expert 4.0 / ViRobot Advanced Server / LiveCall:
The updated version available via online update is still vulnerable when
scanning certain archive types.

Disable compressed file scanning and scan files only after they have
been confirmed not to contain directory traversal sequences in their
filenames and correctly extracted.

====================================================================== 
5) Time Table 

30/06/2005 - Initial vendor notification.
12/07/2005 - Second vendor notification.
14/07/2005 - Vendor response.
08/08/2005 - Received notification that VR Expert and VR Advanced
             Server have been fixed via online update.
09/08/2005 - Received notification that LiveCall has been fixed via
             online update.
11/08/2005 - Notified vendor that certain archive types are still
             affected.
17/08/2005 - Vendor released patch for VR Linux Server and disclosed
             vulnerability information.
19/08/2005 - Public disclosure.

====================================================================== 
6) Credits 

Discovered by Tan Chew Keong, Secunia Research.

====================================================================== 
7) References

HAURI:
http://www.globalhauri.com/html/download/down_unixpatch.html

====================================================================== 
8) About Secunia 

Secunia collects, validates, assesses, and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 

http://secunia.com/

Secunia offers services to our customers enabling them to receive all 
relevant vulnerability information to their specific system 
configuration. 

Secunia offers a FREE mailing list called Secunia Security Advisories: 

http://secunia.com/secunia_security_advisories/

====================================================================== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-24/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

Copyright 2019, SecurityGlobal.net LLC