SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   F-Prot Antivirus Vendors:   FRISK Software International
F-Prot Antivirus CHM Parsing Flaw Lets Remote Users Deny Service
SecurityTracker Alert ID:  1020507
SecurityTracker URL:  http://securitytracker.com/id/1020507
CVE Reference:   CVE-2008-3244   (Links to External Site)
Updated:  Aug 6 2008
Original Entry Date:  Jul 16 2008
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 4.4.4
Description:   A vulnerability was reported in F-Prot Antivirus. A remote user can cause denial of service conditions.

A remote user can send a specially crafted CHM file to trigger an out-of-bounds memory access error and cause the target service to crash.

The vendor was notified on January 22, 2008.

Sergio Alvarez of n.runs AG reported this vulnerability.

Impact:   A remote user can cause the target service to crash.
Solution:   The vendor has issued a fixed version (4.4.4).

The vendor's advisory is available at:

http://www.f-prot.com/download/ReleaseNotesWindows.txt

Vendor URL:  f-prot.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] n.runs-SA-2008.002 - F-Prot Out-of-Bound Memory


--===============0417484310==
Content-Type: multipart/signed;
	boundary="PGP_Universal_6C409DDB_56D34A03_2C8653FA_0349859F";
	protocol="application/pgp-signature"; micalg="pgp-sha1"


--PGP_Universal_6C409DDB_56D34A03_2C8653FA_0349859F
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

n.runs AG
http://www.nruns.com/                             security(at)nruns.com
n.runs-SA-2008.002                                          16-Jul-2008
________________________________________________________________________

Vendor:                FRISK (F-Prot), http://www.f-prot.com
Affected Products:     F-Prot Anti-Virus all platforms
Vulnerability:         Out-of-Bound Memory Access DoS (remote) 
Risk:                  HIGH
________________________________________________________________________

Vendor communication:

2008/01/22    initial notification to FRISK
2008/01/22    FRISK Response
2008/01/22    PGP public keys exchange
2008/01/23    n.runs has problems importing FRISK's provided public 
              key, so proceed to search on the key servers and import 
              the available ones and informs FRISK about it
2008/01/23    FRISK replies that the keys on the key server are fine to 
              be used.
2008/01/23    PoC files sent to FRISK
2008/01/26    FRISK acknowledges the PoC files and informs about having
              some problem reproducing them and requests exact version 
              and configuration used to trigger the vulnerability
2008/01/28    FRISK communicates to n.runs that they were able to
              reproduce one of the issues that they had just fixed
              and that the update will be included in the upcoming
              update
2008/01/28    n.runs thanks FRISK for such a quick response, provides 
              the exact version used while bug hunting and informs that
              the issues were found about a year before; the reason of 
              the late report is because it was overseen until now.
2008/01/29    FRISK replies that the version used in the test is quite 
              old (4.3.1 against actual 4.4.3) and that during that 
              time many bugs had been fixed
2008/03/16    n.runs realizes that FRISK has released the update 
              because of a post on 27.Feb.2008 at the following link:
      http://www.wilderssecurity.com/showpost.php?p=1191859&postcount=98
              n.runs decides to not launch the advisory because 
              couldn't find an official post.
2008/07/10    n.runs finds the official announcement: 
              http://www.f-prot.com/download/ReleaseNotesWindows.txt
2008/07/16    n.runs releases this advisory

________________________________________________________________________


Overview:

FRISK Software International, established in 1993, is one of the 
world's leading companies in antivirus research and product 
development. 

FRISK Software produces the hugely popular F-Prot Antivirus product 
range offering unrivalled heuristic detection capabilities. In addition
to this, the F-Prot AVES managed online e-mail security service filters
away the nuisance of spam e-mail as well as viruses, worms and other 
malware that increasingly clog up inboxes and threaten data security. 
By supporting a wide range of platforms FRISK Software protects 
computer networks of all sizes, running on diverse platforms. As a 
result, FRISK Software provides its customers with comprehensive 
computer security solutions.

Description:

A remotely exploitable vulnerability has been found in the files' 
parsing engine.

In detail, the following flaw was determined:

- DoS caused by an Out-of-Bound Memory Access while parsing CHM file's
header: if the nb_dir field (Chunk number of root index chunk) value is
set to 0xffffffff pointers math takes place and ends up in an 
out-of-bound read attempt.


Impact:

This problem can lead to remote denial of service if an attacker 
carefully crafts a file that exploits the aforementioned vulnerability.
The vulnerability is present in FRISK Anti-virus software mentioned 
above, in all platforms supported by the affected products prior to the
engine Version 4.4.4. 

Solution:

The vulnerability was reported on 22.Jan.2008 and the engine 4.4.4 has 
been issued to solve this vulnerability. For detailed information about
the fixes follow the link in References [1] section of this document.

n.runs AG wants to highlight the excellent and fluent communication
with FRISK and its very quick response to validate and fix the issue.
________________________________________________________________________

Credit: 
Bugs found by Sergio Alvarez of n.runs AG. 
________________________________________________________________________

References: 
http://www.f-prot.com/download/ReleaseNotesWindows.txt [1]

This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php
________________________________________________________________________

Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
security@nruns.com for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded.
In no event shall n.runs be liable for any damages whatsoever including 
direct, indirect, incidental, consequential loss of business profits or 
special damages, even if n.runs has been advised of the possibility of 
such damages.


Copyright 2008 n.runs AG. All rights reserved. Terms of use apply.


--PGP_Universal_6C409DDB_56D34A03_2C8653FA_0349859F
Content-Type: application/pgp-signature;
	x-mac-type=70674453;
	name=PGP.sig
Content-Disposition: attachment; filename=PGP.sig

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.1 (Build 2523)

iQIVAwUBSH3lgl5rjmT2uFcEAQKnwg//UAFUBY3IzJ0+r7xQJ10IMakTqLd+HjEr
DgJvI2c3WBAT78vn13/ZFEwdpDYbc8UQQqiGbvbguVlxpvRNpg+FW6PjoENwFe67
YKj4+qwyvENi6wiwbib2yUnYg0AinVUtg9ZqIx6RLuJ5MZ0lPnEkQ7N+KpRrw+GU
RPp15bghx6vHFMDRnR4cQ8L+gISoomchU2dPGY3E3fx3m4Zx8H0ecaL9SR/IY90u
ot045HfDpTGJth/TARwXD1mo0WJSNCMoLL3Th0S9xueLtaAm5Ttt+GiCyEUHO/PB
UBvgYsYY0JaHweWRIUmRA5pZRxJ3SdorZiLO620nr8rFoPKw6ZrKo2JM5BcHGKCM
Ua0U/riRFyAvEmGBJlHwkJz9HPKVuABRHYahyTRS9yML8fSY5GiLlwa5Qh82LnSc
ZZhnKDZzQfKm6gjz6VSlG5CkA6OI8lQuaHolKRaagIoT9jK2UBd+PnB+a8eEjL33
YxIg+bzmplN6PLSDpS+B5CJrIvPDP5CnoyZ7H2K+rJW51+oDw151gduy1mPrsvZm
kacBPw7VqPqpyeaph1pG5T24EvskSioLDoAS9Ini8hi1LgIgXz4zsiD9mVbbFY61
UxT+oVCSqUYowe1mwrFOeGeJB0OgsAllAxohYlgYKH9+/WsE2DTgpCVugpB5jGDk
a3VMkl0bU48=
=wwfb
-----END PGP SIGNATURE-----

--PGP_Universal_6C409DDB_56D34A03_2C8653FA_0349859F--


--===============0417484310==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============0417484310==--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC