2007-07-20 - n.runs-SA-2007.016 - NOD32 Antivirus CAB parsing Arbitrary Code Execution Advisory

2007-07-20 Thread security 
n.runs AG  
http://www.nruns.com/ security(at)nruns.com
n.runs-SA-2007.016   20-Jul-2007


Vendor:ESET, http://eset.com
Affected Products:  ESET NOD32 Antivirus
Vulnerability: Arbitrary Code Execution (remote) 
Risk:   HIGH



Vendor communication:

  2007/05/07Initial notification to ESET 
  2007/05/07ESET Response
  2007/05/07PoC files sent to ESET
  2007/05/10ESET validate the vulnerability
  2007/05/24ESET made available the updates


Overview:
 
Founded in 1992, ESET is a global provider of security software for enterprises 
and consumers. ESET’s award-winning, antivirus software system, NOD32, provides 
real-time protection from known and unknown viruses, spyware, rootkits and 
other malware. NOD32 offers the smallest, fastest and most advanced protection 
available, with more Virus Bulletin 100% Awards than any other antivirus 
product. ESET was named to Deloitte’s Technology Fast 500 five years running, 
and has an extensive partner network, including corporations like Canon, Dell 
and Microsoft. ESET has offices in Bratislava, SK; Bristol, U.K.; Buenos Aires, 
AR; Prague, CZ; San Diego, USA; and is represented worldwide in more than 100 
countries. 
The broad product platform protects Windows, Linux, Novell and MS DOS machines.

Description:

A remotely exploitable vulnerability has been found in the file parsing engine.

In detail, the following flaw was determined:

- Heap Corruption through Race Condition in .CAB file parsing

Impact:

This problem can lead to remote arbitrary code execution if an attacker 
carefully crafts a file that exploits the aforementioned vulnerability. The 
vulnerability is present in NOD32 Antivirus software versions prior to the 
update v.2.2289.

Solution:

The vulnerability was reported on May 07 and an update has been issued on May 
24 to solve this vulnerability through the regular update mechanism.



Credit: 
Bugs found by Sergio Alvarez of n.runs AG. 


References: 
http://www.eset.com/joomla/index.php?option=com_contenttask=viewid=3469Itemid=26

This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php
http://www.nruns.com/parsing-engines-advisories.php


Unaltered electronic reproduction of this advisory is permitted. For all other 
reproduction or publication, in printing or otherwise, contact [EMAIL 
PROTECTED] for permission. Use of the advisory constitutes acceptance for use 
in an as is condition. All warranties are excluded. In no event shall n.runs 
be liable for any damages whatsoever including direct, indirect, incidental, 
consequential, loss of business profits or special damages, even if n.runs has 
been advised of the possibility of such damages. 

Copyright 2007 n.runs AG. All rights reserved. Terms of apply.

NOD32 Antivirus CAB parsing Arbitrary Code Execution Advisory

2006-12-21 Thread security 
n.runs AG  
http://www.nruns.com/  security at nruns.com
n.runs-SA-2006.005   21-Dec-2006


Vendor: ESET, http://eset.com
Affected Products:  ESET NOD32 Antivirus
Vulnerability:  Arbitrary Code Execution (remote) 
Risk: HIGH



Vendor communication:

  2006/08/24initial notification of ESET 
  2006/08/28ESET Response
  2006/08/29PGP keys exchange
  2006/08/29PoC files sent to ESET
  2006/09/06ESET initial feedback.
  2006/09/08ESET confirmed the bug and fixed
  2006/09/08ESET made available the updates


Overview:
 
Founded in 1992, ESET is a global provider of security software for
enterprises and consumers. ESET's award-winning, antivirus software system,
NOD32, provides real-time protection from known and unknown viruses,
spyware, rootkits and other malware. NOD32 offers the smallest, fastest and
most advanced protection available, with more Virus Bulletin 100% Awards
than any other antivirus product. ESET was named to Deloitte's Technology
Fast 500 five years running, and has an extensive partner network, including
corporations like Canon, Dell and Microsoft. ESET has offices in Bratislava,
SK; Bristol, U.K.; Buenos Aires, AR; Prague, CZ; San Diego, USA; and is
represented worldwide in more than 100 countries. 
The broad product platform protects Windows, Linux, Novell and MS DOS
machines.

Description:
A remotely exploitable vulnerability has been found in the file parsing
engine.

In detail, the following flaw was determined:

- Heap Overflow through Integer Overflow in .CAB file parsing

This problem can lead to remote arbitrary code execution if an attacker
carefully crafts a file that exploits the aforementioned vulnerability. The
vulnerability is present in NOD32 Antivirus software versions prior to the
update v.1.1743.

Solution:
The vulnerability was reported on Aug 24 and an update has been issued on
Sep 08 to solve this vulnerability through the regular update mechanism.



Credit: 
Bugs found by Sergio Alvarez of n.runs AG. 


The information provided is released by n.runs as is without warranty of
any kind. n.runs except all warranties, either express or implied, expect
for the warranties of merchantability. In no event shall n.runs be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if n.runs
has been advised of the possibility of such damages.
Distribution or Reproduction of the information is provided that the
advisory is not modified in any way.

Copyright 2006 n.runs. All rights reserved. Terms of use.