ID OSVDB:36712
Type osvdb
Reporter OSVDB
Modified 2007-05-28T12:33:44
Description
No description provided by the source
References:
Vendor Specific News/Changelog Entry: http://forum.antivir-pe.de/thread.php?threadid=22528
Security Tracker: 1018131
Secunia Advisory ID:25417
Related OSVDB ID: 36710
Related OSVDB ID: 36711
Other Advisory URL: http://www.nruns.com/advisories/%5Bn.runs-SA-2007.010%5D%20-%20Avira%20Antivir%20Antivirus%20LZH%20parsing%20Arbitrary%20Code%20Execution%20Advisory.txt
Other Advisory URL: http://securityreason.com/securityalert/2764
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-05/0400.html
Keyword: n.runs-SA-2007.010
ISS X-Force ID: 34551
FrSIRT Advisory: ADV-2007-1971
CVE-2007-2974
Bugtraq ID: 24187
{"bulletinFamily": "software", "viewCount": 0, "reporter": "OSVDB", "references": [], "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://forum.antivir-pe.de/thread.php?threadid=22528\nSecurity Tracker: 1018131\n[Secunia Advisory ID:25417](https://secuniaresearch.flexerasoftware.com/advisories/25417/)\n[Related OSVDB ID: 36710](https://vulners.com/osvdb/OSVDB:36710)\n[Related OSVDB ID: 36711](https://vulners.com/osvdb/OSVDB:36711)\nOther Advisory URL: http://www.nruns.com/advisories/%5Bn.runs-SA-2007.010%5D%20-%20Avira%20Antivir%20Antivirus%20LZH%20parsing%20Arbitrary%20Code%20Execution%20Advisory.txt\nOther Advisory URL: http://securityreason.com/securityalert/2764\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-05/0400.html\nKeyword: n.runs-SA-2007.010 \nISS X-Force ID: 34551\nFrSIRT Advisory: ADV-2007-1971\n[CVE-2007-2974](https://vulners.com/cve/CVE-2007-2974)\nBugtraq ID: 24187\n", "affectedSoftware": [], "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "f7033f61c02c8e9b22dd3331f1fcb075"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "b8b7dfdb0d6a4e9fd5117b34e6943ac7"}, {"key": "href", "hash": "f9e00852e26f41d425219f5f5f3b41e5"}, {"key": "modified", "hash": "6a77056d09702c5313de3e645db2e30f"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "6a77056d09702c5313de3e645db2e30f"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "955b328dc7cd615c13af5464c9183464"}, {"key": "title", "hash": "f4c3d0b1c49a09e180fd8b18f80b3ce9"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "href": "https://vulners.com/osvdb/OSVDB:36712", "modified": "2007-05-28T12:33:44", "objectVersion": "1.2", "enchantments": {"score": {"value": 6.6, "vector": "NONE", "modified": "2017-04-28T13:20:32"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-2974"]}, {"type": "nessus", "idList": ["AVIRA_FILE_VULNS.NASL"]}], "modified": "2017-04-28T13:20:32"}, "vulnersScore": 6.6}, "id": "OSVDB:36712", "title": "Avira Antivir Antivirus LZH Archive Handling Overflow", "hash": "69df2b4705a47a94f6e4848d82004049f06bd2b21c43583f6f7dbcec2eb41c40", "edition": 1, "published": "2007-05-28T12:33:44", "type": "osvdb", "history": [], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvelist": ["CVE-2007-2974"], "lastseen": "2017-04-28T13:20:32"}
{"cve": [{"lastseen": "2019-05-29T18:09:00", "bulletinFamily": "NVD", "description": "Buffer overflow in the file parsing engine in Avira Antivir Antivirus before 7.03.00.09 allows remote attackers to execute arbitrary code via a crafted LZH archive file, resulting from an \"integer cast around.\"", "modified": "2018-10-16T16:46:00", "id": "CVE-2007-2974", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2974", "published": "2007-06-01T01:30:00", "title": "CVE-2007-2974", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2019-11-01T02:15:00", "bulletinFamily": "scanner", "description": "The remote host is running Avira AntiVir, an antivirus software\napplication.\n\nThe version of AntiVir installed on the remote host is reportedly\nprone to a buffer overflow in its LZH file processing code as well as\ndenial of service vulnerabilities when parsing UPX and TAR files. An\nattacker may be able to exploit these issues to execute arbitrary code\non the remote host, likely with LOCAL SYSTEM privileges, to crash the\nremote antivirus engine, or to cause the CPU to enter an endless loop.", "modified": "2019-11-02T00:00:00", "id": "AVIRA_FILE_VULNS.NASL", "href": "https://www.tenable.com/plugins/nessus/25348", "published": "2007-05-31T00:00:00", "title": "Avira AntiVir File Handling Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25348);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_cve_id(\"CVE-2007-2972\", \"CVE-2007-2973\", \"CVE-2007-2974\");\n script_bugtraq_id(24187, 24239);\n\n script_name(english:\"Avira AntiVir File Handling Vulnerabilities\");\n script_summary(english:\"Checks version of AntiVir\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains an application that is affected by\nmultiple issues.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Avira AntiVir, an antivirus software\napplication.\n\nThe version of AntiVir installed on the remote host is reportedly\nprone to a buffer overflow in its LZH file processing code as well as\ndenial of service vulnerabilities when parsing UPX and TAR files. An\nattacker may be able to exploit these issues to execute arbitrary code\non the remote host, likely with LOCAL SYSTEM privileges, to crash the\nremote antivirus engine, or to cause the CPU to enter an endless loop.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2007/May/506\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2007/May/512\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2007/May/545\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f04e4f51\" );\n script_set_attribute(attribute:\"solution\", value:\"Use AntiVir's Update feature to upgrade to the latest version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/05/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/05/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/05/31\");\n\nscript_set_attribute(attribute:\"plugin_type\", value:\"local\");\nscript_end_attributes();\n\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"smb_func.inc\");\ninclude(\"audit.inc\");\n\n# Connect to the appropriate share.\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(0);\nname = kb_smb_name();\nport = kb_smb_transport();\n#if (!get_port_state(port)) exit(0);\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\n#soc = open_sock_tcp(port);\n#if (!soc) exit(0);\n\n#session_init(socket:soc, hostname:name);\nif(!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n exit(0);\n}\n\n\n# Connect to remote registry.\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n exit(0);\n}\n\n\n# Grab installation path and version from the registry.\npaths = make_array();\n\nprod = \"Premium Security Suite\";\nkey = \"SOFTWARE\\Avira\\Premium Security Suite\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n value = RegQueryValue(handle:key_h, item:\"Path\");\n if (!isnull(value))\n {\n path = ereg_replace(pattern:\"^(.+)\\\\$\", replace:\"\\1\", string:value[1]);\n paths[prod] = path;\n }\n\n RegCloseKey (handle:key_h);\n}\n\nprod = \"AntiVir Windows Server\";\nkey = \"SOFTWARE\\H+BEDV\\AVNetNT\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n value = RegQueryValue(handle:key_h, item:\"Path\");\n if (!isnull(value))\n {\n path = ereg_replace(pattern:\"^(.+)\\\\$\", replace:\"\\1\", string:value[1]);\n paths[prod] = path;\n }\n\n RegCloseKey (handle:key_h);\n}\n\nprod = \"AntiVir Windows Workstation\";\nkey = \"SOFTWARE\\H+BEDV\\AntiVir Workstation\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n value = RegQueryValue(handle:key_h, item:\"Path\");\n if (!isnull(value))\n {\n path = ereg_replace(pattern:\"^(.+)\\\\$\", replace:\"\\1\", string:value[1]);\n paths[prod] = path;\n }\n\n RegCloseKey (handle:key_h);\n}\nRegCloseKey(handle:hklm);\n\n\n# If it's installed...\nif (max_index(keys(paths)) > 0)\n{\n foreach prod (keys(paths))\n {\n path = paths[prod];\n\n # Look at the affected files.\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:path);\n avpack = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\avpack32.dll\", string:path);\n engine = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\avewin32.dll\", string:path);\n NetUseDel(close:FALSE);\n\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n {\n NetUseDel();\n exit(0);\n }\n\n ver_avpack = NULL;\n fh = CreateFile(\n file:avpack,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n if (!isnull(fh))\n {\n ver_avpack = GetFileVersion(handle:fh);\n CloseFile(handle:fh);\n }\n\n ver_engine = NULL;\n fh = CreateFile(\n file:engine,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n if (!isnull(fh))\n {\n ver_engine = GetFileVersion(handle:fh);\n CloseFile(handle:fh);\n }\n\n # Check the version numbers.\n affected = FALSE;\n if (!vuln && !isnull(ver_avpack))\n {\n fix = split(\"7.03.00.09\", sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(ver_avpack); i++)\n if (ver_avpack[i] < fix[i])\n {\n affected = TRUE;\n break;\n }\n else if (ver_avpack[i] > fix[i])\n break;\n }\n if (!affected && !isnull(ver_engine))\n {\n fix = split(\"7.04.00.24\", sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(ver_engine); i++)\n if (ver_engine[i] < fix[i])\n {\n affected = TRUE;\n break;\n }\n else if (ver_engine[i] > fix[i])\n break;\n }\n\n if (affected == TRUE)\n {\n report = string(\n \"Nessus found an affected version of \", prod, \"\\n\",\n \"installed under :\\n\",\n \"\\n\",\n \" \", path\n );\n security_hole(port:port, extra:report);\n break;\n }\n }\n}\n\n\n# Clean up.\nNetUseDel();\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
