SecurityTracker.com
Category:   Application (Security)  >   eTrust Antivirus
Vendors:   CA
CA eTrust Antivirus WebScan Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016637
SecurityTracker URL:  http://securitytracker.com/id/1016637
CVE Reference:   CVE-2006-3975, CVE-2006-3976, CVE-2006-3977
Updated:  Aug 7 2006
Original Entry Date:  Aug 4 2006
Impact:   Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): WebScan 1.1.0.1047 and prior versions
Description:   Several vulnerabilities were reported in eTrust Antivirus WebScan. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a buffer overflow in WebScan and execute arbitrary code on the target system. The code will run with the privileges of the target user.

A remote user can also install arbitrary files on the target system.

The vendor was notified on July 17, 2006.

Matt Murphy of the TippingPoint Security Research Team discovered these vulnerabilities.

The original advisories are available at:

http://www.tippingpoint.com/security/advisories/TSRT-06-05.html
http://www.tippingpoint.com/security/advisories/TSRT-06-06.html

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can also install arbitrary files on the target user's system.

Solution:   The vendor has issued a fixed version (1.1.0.1048), available at:

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Vendor URL:  www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34509
Cause:   Boundary error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  CAID 34509 - CA eTrust Antivirus WebScan vulnerabilities

Title: CA eTrust Antivirus WebScan vulnerabilities

CA Vulnerability ID (CAID): 34509

CA Advisory Date: 2006-08-03

Discovered By: 
Matt Murphy of the TippingPoint Security Research Team

Impact: Remote attacker can execute arbitrary code.

Summary: CA eTrust Antivirus WebScan is a free, web-based virus 
scanner that is located at 
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx.  CA eTrust 
Antivirus WebScan v1.1.0.1047 and earlier contains vulnerabilities 
that can allow a remote attacker to execute arbitrary code or 
compromise the integrity of the WebScan software.  The first 
vulnerability is due to a failure to properly validate parameters.  
The second vulnerability is due to a buffer overflow in WebScan.  
Matt Murphy has identified multiple attack vectors that exploit 
these vulnerabilities.

Mitigating Factors: Exploitation of these vulnerabilities is 
non-trivial.

Severity: CA has given this vulnerability a Medium risk rating.

Affected Products:
CA eTrust Antivirus WebScan v1.1.0.1047 and earlier

Affected platforms:
Internet Explorer 4.0 or above on Microsoft Windows

Status and Recommendation: 
CA eTrust Antivirus WebScan v1.1.0.1048 addresses all of the 
vulnerabilities.
Visit http://www3.ca.com/securityadvisor/virusinfo/scan.aspx and 
allow Internet Explorer to install the new webscan.cab software.  
Note that the software is digitally signed by CA.
Alternatively, you can simply remove an older, vulnerable object
by using one of these two methods:
a)  Start Internet Explorer, and then select "Tools" > "Internet 
Options" > "General" tab.  On the "General" tab, click on the 
"Settings" button in the "Temporary Internet Files" section.  On 
the "Settings" dialog window, click on the button labeled "View 
Objects" and then right-click on the "WScanCtl Class" object and 
select the "Remove" option.
b)  Open an Explorer window and browse to 
"<system>\downloaded program files".  Then right-click on the 
"WScanCtl Class" object and select the "Remove" option.

Determining if you are affected:
Browse to the C:\WINDOWS\Downloaded Program Files or 
C:\WINNT\Downloaded Program Files folder and check the version 
number of the "WScanCtl Class" object.  If the version number is 
less than 1,1,0,1048, you need to update the ActiveX control.
Another way to determine if you are affected is to start Internet 
Explorer, and then select "Tools" > "Internet Options" > "General" 
tab.  On the "General" tab, click on the "Settings" button in the 
"Temporary Internet Files" section.  On the "Settings" dialog 
window, click on the button labeled "View Objects" and then check 
the version of the "WScanCtl Class" object.  If the version number 
is less than 1,1,0,1048, you need to update the ActiveX control.

Note that v1.1.0.1045 is the last version that was widely 
distributed.

References (URLs may wrap): 
CA SupportConnect:
http://supportconnect.ca.com/
CAID: 34509
CAID Advisory link: 
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34509
ZDI, founded by 3Com and TippingPoint: 
http://www.zerodayinitiative.com/
CVE Reference: Pending
http://cve.mitre.org/
OSVDB Reference: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to vuln@ca.com, or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to vuln@ca.com, or utilize our "Submit a 
Vulnerability" form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research


CA, One Computer Associates Plaza. Islandia, NY 11749
	
Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright (C) 2006 CA. All rights reserved.
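
A fleet-wide form of the "Determining if you are affected" check in the message above, as an added example that is not part of the CA advisory or the SecurityTracker entry: it classifies reported "WScanCtl Class" versions against 1,1,0,1048 by comparing the four components numerically, since comparing the strings as text would rank 999 above 1048. The `host;version` inventory layout and the host names are constructed assumptions.

```python
import re

FIXED = (1, 1, 0, 1048)  # first fixed WebScan version, per the advisory

def parse_version(text):
    """Parse '1,1,0,1047', '1.1.0.1047' or 'v1.1.0.1047' into a 4-tuple of ints.

    Returns None when the string is not a four-part numeric version.
    """
    m = re.fullmatch(r"\s*v?(\d+)[.,]\s*(\d+)[.,]\s*(\d+)[.,]\s*(\d+)\s*",
                     text, re.IGNORECASE)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(version_text):
    """Return 'vulnerable', 'fixed' or 'unknown' for one reported version."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unreadable data goes to manual review, not "safe"
    return "vulnerable" if version < FIXED else "fixed"

def triage(inventory_text):
    """Map host -> status for lines of the form 'host;version'."""
    result = {}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version_text = line.partition(";")
        result[host.strip()] = classify(version_text)
    return result

# Constructed sample inventory (host names and layout are assumptions made
# for this example, not data from the advisory).
SAMPLE = """\
# host;WScanCtl Class version
ws-01;1,1,0,1045
ws-02;1,1,0,1047
ws-03;1,1,0,1048
ws-04;v1.1.0.999
ws-05;1,1,0
ws-06;1,1,1,2
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```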
