Search...

Avira Antivir Antivirus LZH Archive Handling Overflow

2007-05-28T12:33:44

ID OSVDB:36712
Type osvdb
Reporter OSVDB
Modified 2007-05-28T12:33:44

Description

No description provided by the source

References:

Vendor Specific News/Changelog Entry: http://forum.antivir-pe.de/thread.php?threadid=22528 Security Tracker: 1018131 Secunia Advisory ID:25417 Related OSVDB ID: 36710 Related OSVDB ID: 36711 Other Advisory URL: http://www.nruns.com/advisories/%5Bn.runs-SA-2007.010%5D%20-%20Avira%20Antivir%20Antivirus%20LZH%20parsing%20Arbitrary%20Code%20Execution%20Advisory.txt Other Advisory URL: http://securityreason.com/securityalert/2764 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-05/0400.html Keyword: n.runs-SA-2007.010 ISS X-Force ID: 34551 FrSIRT Advisory: ADV-2007-1971 CVE-2007-2974 Bugtraq ID: 24187

JSON Vulners Source

Initial Source

{"bulletinFamily": "software", "viewCount": 0, "reporter": "OSVDB", "references": [], "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://forum.antivir-pe.de/thread.php?threadid=22528\nSecurity Tracker: 1018131\n[Secunia Advisory ID:25417](https://secuniaresearch.flexerasoftware.com/advisories/25417/)\n[Related OSVDB ID: 36710](https://vulners.com/osvdb/OSVDB:36710)\n[Related OSVDB ID: 36711](https://vulners.com/osvdb/OSVDB:36711)\nOther Advisory URL: http://www.nruns.com/advisories/%5Bn.runs-SA-2007.010%5D%20-%20Avira%20Antivir%20Antivirus%20LZH%20parsing%20Arbitrary%20Code%20Execution%20Advisory.txt\nOther Advisory URL: http://securityreason.com/securityalert/2764\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-05/0400.html\nKeyword: n.runs-SA-2007.010 \nISS X-Force ID: 34551\nFrSIRT Advisory: ADV-2007-1971\n[CVE-2007-2974](https://vulners.com/cve/CVE-2007-2974)\nBugtraq ID: 24187\n", "affectedSoftware": [], "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "f7033f61c02c8e9b22dd3331f1fcb075"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "b8b7dfdb0d6a4e9fd5117b34e6943ac7"}, {"key": "href", "hash": "f9e00852e26f41d425219f5f5f3b41e5"}, {"key": "modified", "hash": "6a77056d09702c5313de3e645db2e30f"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "6a77056d09702c5313de3e645db2e30f"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "955b328dc7cd615c13af5464c9183464"}, {"key": "title", "hash": "f4c3d0b1c49a09e180fd8b18f80b3ce9"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "href": "https://vulners.com/osvdb/OSVDB:36712", "modified": "2007-05-28T12:33:44", "objectVersion": "1.2", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-2974"]}, {"type": "nessus", "idList": ["AVIRA_FILE_VULNS.NASL"]}], "modified": "2017-04-28T13:20:32"}, "vulnersScore": 7.5}, "id": "OSVDB:36712", "title": "Avira Antivir Antivirus LZH Archive Handling Overflow", "hash": "69df2b4705a47a94f6e4848d82004049f06bd2b21c43583f6f7dbcec2eb41c40", "edition": 1, "published": "2007-05-28T12:33:44", "type": "osvdb", "history": [], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvelist": ["CVE-2007-2974"], "lastseen": "2017-04-28T13:20:32"}

{"cve": [{"lastseen": "2018-10-18T15:06:09", "bulletinFamily": "NVD", "description": "Buffer overflow in the file parsing engine in Avira Antivir Antivirus before 7.03.00.09 allows remote attackers to execute arbitrary code via a crafted LZH archive file, resulting from an \"integer cast around.\"", "modified": "2018-10-16T12:46:51", "published": "2007-05-31T21:30:00", "id": "CVE-2007-2974", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2974", "title": "CVE-2007-2974", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:09:54", "bulletinFamily": "scanner", "description": "The remote host is running Avira AntiVir, an antivirus software application.\n\nThe version of AntiVir installed on the remote host is reportedly prone to a buffer overflow in its LZH file processing code as well as denial of service vulnerabilities when parsing UPX and TAR files. An attacker may be able to exploit these issues to execute arbitrary code on the remote host, likely with LOCAL SYSTEM privileges, to crash the remote antivirus engine, or to cause the CPU to enter an endless loop.", "modified": "2018-11-15T00:00:00", "id": "AVIRA_FILE_VULNS.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=25348", "published": "2007-05-31T00:00:00", "title": "Avira AntiVir File Handling Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25348);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_cve_id(\"CVE-2007-2972\", \"CVE-2007-2973\", \"CVE-2007-2974\");\n script_bugtraq_id(24187, 24239);\n\n script_name(english:\"Avira AntiVir File Handling Vulnerabilities\");\n script_summary(english:\"Checks version of AntiVir\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains an application that is affected by\nmultiple issues.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Avira AntiVir, an antivirus software\napplication.\n\nThe version of AntiVir installed on the remote host is reportedly\nprone to a buffer overflow in its LZH file processing code as well as\ndenial of service vulnerabilities when parsing UPX and TAR files. An\nattacker may be able to exploit these issues to execute arbitrary code\non the remote host, likely with LOCAL SYSTEM privileges, to crash the\nremote antivirus engine, or to cause the CPU to enter an endless loop.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2007/May/506\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2007/May/512\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2007/May/545\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f04e4f51\" );\n script_set_attribute(attribute:\"solution\", value:\"Use AntiVir's Update feature to upgrade to the latest version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/05/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/05/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/05/31\");\n\nscript_set_attribute(attribute:\"plugin_type\", value:\"local\");\nscript_end_attributes();\n\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"smb_func.inc\");\ninclude(\"audit.inc\");\n\n# Connect to the appropriate share.\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(0);\nname = kb_smb_name();\nport = kb_smb_transport();\n#if (!get_port_state(port)) exit(0);\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\n#soc = open_sock_tcp(port);\n#if (!soc) exit(0);\n\n#session_init(socket:soc, hostname:name);\nif(!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n exit(0);\n}\n\n\n# Connect to remote registry.\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n exit(0);\n}\n\n\n# Grab installation path and version from the registry.\npaths = make_array();\n\nprod = \"Premium Security Suite\";\nkey = \"SOFTWARE\\Avira\\Premium Security Suite\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n value = RegQueryValue(handle:key_h, item:\"Path\");\n if (!isnull(value))\n {\n path = ereg_replace(pattern:\"^(.+)\\\\$\", replace:\"\\1\", string:value[1]);\n paths[prod] = path;\n }\n\n RegCloseKey (handle:key_h);\n}\n\nprod = \"AntiVir Windows Server\";\nkey = \"SOFTWARE\\H+BEDV\\AVNetNT\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n value = RegQueryValue(handle:key_h, item:\"Path\");\n if (!isnull(value))\n {\n path = ereg_replace(pattern:\"^(.+)\\\\$\", replace:\"\\1\", string:value[1]);\n paths[prod] = path;\n }\n\n RegCloseKey (handle:key_h);\n}\n\nprod = \"AntiVir Windows Workstation\";\nkey = \"SOFTWARE\\H+BEDV\\AntiVir Workstation\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n value = RegQueryValue(handle:key_h, item:\"Path\");\n if (!isnull(value))\n {\n path = ereg_replace(pattern:\"^(.+)\\\\$\", replace:\"\\1\", string:value[1]);\n paths[prod] = path;\n }\n\n RegCloseKey (handle:key_h);\n}\nRegCloseKey(handle:hklm);\n\n\n# If it's installed...\nif (max_index(keys(paths)) > 0)\n{\n foreach prod (keys(paths))\n {\n path = paths[prod];\n\n # Look at the affected files.\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:path);\n avpack = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\avpack32.dll\", string:path);\n engine = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\avewin32.dll\", string:path);\n NetUseDel(close:FALSE);\n\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n {\n NetUseDel();\n exit(0);\n }\n\n ver_avpack = NULL;\n fh = CreateFile(\n file:avpack,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n if (!isnull(fh))\n {\n ver_avpack = GetFileVersion(handle:fh);\n CloseFile(handle:fh);\n }\n\n ver_engine = NULL;\n fh = CreateFile(\n file:engine,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n if (!isnull(fh))\n {\n ver_engine = GetFileVersion(handle:fh);\n CloseFile(handle:fh);\n }\n\n # Check the version numbers.\n affected = FALSE;\n if (!vuln && !isnull(ver_avpack))\n {\n fix = split(\"7.03.00.09\", sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(ver_avpack); i++)\n if (ver_avpack[i] < fix[i])\n {\n affected = TRUE;\n break;\n }\n else if (ver_avpack[i] > fix[i])\n break;\n }\n if (!affected && !isnull(ver_engine))\n {\n fix = split(\"7.04.00.24\", sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(ver_engine); i++)\n if (ver_engine[i] < fix[i])\n {\n affected = TRUE;\n break;\n }\n else if (ver_engine[i] > fix[i])\n break;\n }\n\n if (affected == TRUE)\n {\n report = string(\n \"Nessus found an affected version of \", prod, \"\\n\",\n \"installed under :\\n\",\n \"\\n\",\n \" \", path\n );\n security_hole(port:port, extra:report);\n break;\n }\n }\n}\n\n\n# Clean up.\nNetUseDel();\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}