Title: McAfee VirusScan DUNZIP32.dll buffer overflow vulnerability
Criticality: High (3/3)
Affected software: McAfee VirusScan versions 10 Build 10.0.21 and prior
Author: Juha-Matti Laurio juha-matti.laurio [at] netti.fi
Date: 30th March, 2006
Advisory ID: Networksecurity.fi Security Advisory (30-03-2006) (#16)
Location URL: http://www.networksecurity.fi/advisories/mcafee-virusscan.html
CVE reference: CVE-2004-1094
CVSS Severity: 10 (High)
- From the vendor:
"VirusScan - Always-updated protection against PC viruses. Safeguard your hard drive, email, attachments and downloads from known and unknown viruses, mass-mailing worms, Trojans and potentially unwanted programs (PUPs) like spyware."
- Description:
McAfee ViruScan anti-virus software is confirmed as affected to remote type buffer overflow vulnerability.
The vulnerability is caused due to a boundary error in a 3rd-party compression library's (DUNZIP32.dll) old, vulnerable version used when handling packed signature files. InnerMedia DynaZip compression library mentioned is responsible for virus description file unpacking operations. This can be exploited to cause a buffer overflow via a specially crafted signature file.
When a specially crafted signature package containing a file with an overly long filename (a file name or files inside a package) is opened the attacker may be able to execute arbitrary code on user's system (see VU#582498 reference). Opening of signature file is an automatic operation of product's SecurityCenter.
- Detailed description:
Affected DynaZip library examined is version from April, 2005, file version 3.x. According to InnerMedia company versions 5.00.03 and prior are affected.
The following file was copied to C:\Program Files\McAfee.com\Shared directory during an installation process when tested:
File name: dunzip32.dll
Time stamp: 8th April, 2005
File version: 3.0.0.14
Description: DynaZIP-32 Multi-Threading UnZIP DLL
Copyright information: Copyright (c) Inner Media, Inc. 1993-1996, All Rights Reserved.
The following processes use Dunzip32.dll library:
--test results begin--
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
OPEN Request ID: 7160
C:\PROGRA~1\McAfee.com\Shared\mghtml.exe
OPEN Request ID: 1840
--test results end--
Description of mcupdmgr.exe: McAfee SecurityCenter Update Manager v6.x
Description of mghtml.exe: McAfee Security HTML Dialog v4.x
From US-CERT VU#582498:
"Impact:
If a remote attacker can persuade a user to access a specially crafted zip file, the attacker may be able to execute arbitrary code on that user's system possibly with elevated privileges."
- Affected versions:
The vulnerability has been confirmed in version 10 Build 10.0.21, Engine version 4400 in use. Other versions may also be affected.
McAfee SecurityCenter Agent version 6.0.0.16 was used when tested.
The following products use an affected component:
McAfee VirusScan version 10.x
McAfee SecurityCenter version 6.x
- OS:
Microsoft Windows
Tests was done with Microsoft Windows XP Professional SP2 and Microsoft Windows 2000 Professional SP4 fully patched.
- Solution status:
Vendor has issued a patch shipped with immune library version 5.00.06. It can be obtained by downloading an updated product version or using product's SecurityCenter Updates feature.
Non-affected library has the following time stamp: 30th December, 2005.
According to vendor response localized builds has been fixed as well.
Tested non-affected product version: Build 10.0.27, Engine version 4400
Vendor is reportedly in process to publish FAQ (version release) document to the McAfee/Network Associates KnowledgeBase (http://knowledgemap.nai.com/KanisaSupportSite/supportcentral/supportcentral.do?id=m1&language=en_US ).
- Software:
McAfee VirusScan 10.x
Vendor and vendor Home Page:
McAfee, Inc.
www.mcafee.com
Vendor product Web page:
http://us.mcafee.com/root/package.asp?pkgid=100&cid=16269
- Solution:
Download an updated product version or update via product's SecurityCenter.
Workarounds:
No working workarounds available.
Criticality: High (3/3)
- CVE information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2004-1094 on 3rd March, 2006 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org ), which standardizes names for security problems.
The CVSS (Common Vulnerability Scoring System) severity level metric of issue CVE-2004-1094:
10 (High)
- References:
US-CERT VU#582498:
"InnerMedia DynaZip library vulnerable to buffer overflow via long file names"
http://www.kb.cert.org/vuls/id/582498
From the vulnerability note: "Users are encouraged to contact their software vendors if they suspect they are vulnerable."
www.secunia.com/advisories/19451/
www.frsirt.com/english/advisories/2006/1176
www.securityfocus.com/bid/11555
xforce.iss.net/xforce/xfdb/17879
www.securiteam.com/windowsntfocus/5XP010KIAA.html
www.osvdb.org/displayvuln.php?osvdb_id=19906
www.kpn-cert.nl/index.php?page=advisory.view&advisory_id=1517&PHPSESSID=37cc9cc9...abb5
www.cert.dk/perl/publicsystem/PublicSystem.cgi?context=dedzm8jUJs4CWbgYqN5D7FJh....6/OldRk=
www.secwatch.org/advisories/1013551
www.security.nnov.ru/news4087.html
www.security.nnov.ru/Mdocument32.html
www.frsirt.com/bulletins/4531
www.zone-h.org/advisories/read/id=8879
addict3d.org/index.php?page=viewarticle&type=security&ID=5975
www.securityreason.com/securityalert/653
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1094
Related Networksecurity.fi Weblog entry
Credit information:
This vulnerability was researched by Juha-Matti Laurio, Networksecurity.fi.
Timeline:
23-Dec-2005 - Vulnerability researched and confirmed
29-Dec-2005 - Vendor was contacted
30-Dec-2005 - Vendor's reply
30-Dec-2005 - Vendor asks detailed information
30-Dec-2005 - Detailed information delivered to the vendor
04-Jan-2006 - Vendor informs about licensed non-vulnerable library version for the next release
11-Jan-2006 - AVERT Labs informs about started version testing process
02-Mar-2006 - New contact to the vendor
02-Mar-2006 - Vendor's reply, issue was fixed on 24th January, vendor informs about upcoming FAQ release document
02-Mar-2006 - CVE information submission sent to Mitre.org
03-Mar-2006 - Mitre.org assigns CVE
27-Mar-2006 - New contact to the vendor asking the state of FAQ release
30-Mar-2006 - Security companies and several CERT units contacted
30-Mar-2006 - Public disclosure
31-Mar-2006 - Vendor was contacted to ask last affected version, no reply
Revision history:
02-03-2006 1.0: Advisory written
30-03-2006 1.1: Advisory published
30-03-2006 1.2: Updated advisory and added references
31-03-2006 1.3: Updated advisory and added references
01-04-2006 1.4: Updated advisory by adding references
02-04-2006 1.5: Added security advisory references
05-04-2006 1.6: Added security advisory references
05-09-2006 1.7: Updated advisory
Local Finnish time is used.
Best regards,
Juha-Matti Laurio
security researcher
Finland
Copyright © Networksecurity.fi and Juha-Matti Laurio 2006
- To the Main Page
Read more about 58 other security vulnerabilities at
www.networksecurity.fi