
VULNERABILITIES - February 9, 2005

TITLE:
Symantec Multiple Products UPX Parsing Engine Buffer Overflow

SECUNIA ADVISORY ID:
SA14179

VERIFY ADVISORY:
http://secunia.com/advisories/14179/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

OPERATING SYSTEM:
Symantec Gateway Security 1.x
http://secunia.com/product/876/
Symantec Gateway Security 2.x
http://secunia.com/product/3104/

SOFTWARE:
Norton Internet Security 2004
http://secunia.com/product/2441/
Norton Internet Security 2004 Professional
http://secunia.com/product/2442/
Norton SystemWorks 2004
http://secunia.com/product/2796/
Symantec AntiVirus Corporate Edition 8.x
http://secunia.com/product/659/
Symantec AntiVirus Corporate Edition 9.x
http://secunia.com/product/3549/
Symantec AntiVirus for Caching 4.x
http://secunia.com/product/4626/
Symantec AntiVirus for Network Attached Storage 4.x
http://secunia.com/product/4625/
Symantec AntiVirus for SMTP Gateways 3.x
http://secunia.com/product/2231/
Symantec AntiVirus Scan Engine 4.x
http://secunia.com/product/3040/
Symantec AntiVirus/Filtering for Domino
http://secunia.com/product/2029/
Symantec Brightmail AntiSpam 4.x
http://secunia.com/product/4627/
Symantec Brightmail AntiSpam 5.x
http://secunia.com/product/4628/
Symantec Client Security 1.x
http://secunia.com/product/2344/
Symantec Client Security 2.x
http://secunia.com/product/3478/
Symantec Mail Security for Exchange 4.x
http://secunia.com/product/2820/
Symantec Mail Security for SMTP 4.x
http://secunia.com/product/3558/
Symantec Norton AntiVirus 2004
http://secunia.com/product/2800/
Symantec Norton AntiVirus for Microsoft Exchange 2.x
http://secunia.com/product/1017/
Symantec Web Security 3.x
http://secunia.com/product/2813/

DESCRIPTION:
ISS X-Force has reported a vulnerability in multiple Symantec
products, which can be exploited by malicious people to compromise a
vulnerable system.

The vulnerability is caused due to a boundary error in the DEC2EXE
parsing engine used by the antivirus scanning functionality when
processing UPX compressed files. This can be exploited to cause a
heap-based buffer overflow via a specially crafted UPX file.

Successful exploitation allows execution of arbitrary code.

The vulnerability affects the following products:
* Norton AntiVirus for Microsoft Exchange 2.1 (prior to build 2.18.85)
* Symantec Mail Security for Microsoft Exchange 4.0 (prior to build 4.0.10.465)
* Symantec Mail Security for Microsoft Exchange 4.5 (prior to build 4.5.3)
* Symantec AntiVirus/Filtering for Domino NT 3.1 (prior to build 3.1.1)
* Symantec Mail Security for Domino 4.0 (prior to build 4.0.1)
* Symantec AntiVirus/Filtering for Domino Ports 3.0 for AIX (prior to build 3.0.6)
* Symantec AntiVirus/Filtering for Domino Ports 3.0 for OS400, Linux, Solaris (prior to build 3.0.7)
* Symantec AntiVirus Scan Engine 4.3 (prior to build 4.3.3)
* Symantec AntiVirus for Network Attached Storage (prior to build 4.3.3)
* Symantec AntiVirus for Caching (prior to build 4.3.3)
* Symantec AntiVirus for SMTP 3.1 (prior to build 3.1.7)
* Symantec Mail Security for SMTP 4.0 (prior to build 4.0.2)
* Symantec Web Security 3.0 (prior to build 3.0.1.70)
* Symantec BrightMail AntiSpam 4.0
* Symantec BrightMail AntiSpam 5.5
* Symantec AntiVirus Corporate Edition 9.0 (prior to build 9.01.1000)
* Symantec AntiVirus Corporate Edition 8.01, 8.1.1
* Symantec Client Security 2.0 (prior to build 9.01.1000)
* Symantec Client Security 1.0
* Symantec Gateway Security 2.0, 2.0.1 - 5400 Series
* Symantec Gateway Security 1.0 - 5300 Series
* Symantec Norton Antivirus 2004 for Windows
* Symantec Norton Internet Security 2004 (pro) for Windows
* Symantec Norton System Works 2004 for Windows
* Symantec Norton Antivirus 2004 for Macintosh
* Symantec Norton Internet Security 2004 for Macintosh
* Symantec Norton System Works 2004 for Macintosh
* Symantec Norton Antivirus 9.0 for Macintosh
* Symantec Norton Internet Security for Macintosh 3.0
* Symantec Norton System Works for Macintosh 3.0

SOLUTION:
Updates are available (see the vendor advisory for details).

PROVIDED AND/OR DISCOVERED BY:
Alex Wheeler, ISS X-Force.

ORIGINAL ADVISORY:
Symantec:
http://www.sarc.com/avcenter/security/Content/2005.02.08.html

ISS X-Force:
http://xforce.iss.net/xforce/alerts/id/187

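The advisory describes the classic shape of this bug: an unpacker reads size fields out of a file it is scanning and allocates or copies based on them without checking them against the data actually present. The following is an added example, not Symantec, UPX or Secunia code. The "XMPL" header layout, the 64 MiB output cap and the blob builder are all invented for illustration; the point is the three checks, which are the ones any DEC2EXE-style engine must apply to attacker-controlled length fields before it trusts them.

```python
"""Validation of attacker-controlled size fields before an unpacker
allocates or copies.  Added example, not Symantec or UPX code: the
"XMPL" header below is a made-up packed-file layout used only to show
the checks a scanning engine must perform on such fields."""
import struct

MAGIC = b"XMPL"                        # hypothetical magic, not UPX's
HEADER = struct.Struct("<4sII")        # magic, compressed_len, uncompressed_len
MAX_UNPACKED = 64 * 1024 * 1024        # assumed policy cap on output size
U32_MAX = 0xFFFFFFFF


def c_uint32_add(a, b):
    """Model a C `uint32_t` addition: the sum wraps instead of growing."""
    return (a + b) & U32_MAX


def validate(blob):
    """Return (ok, reason).  Each rejection is one way a size field can lie
    to a decompressor that trusts it."""
    if len(blob) < HEADER.size:
        return False, "truncated header"
    magic, clen, ulen = HEADER.unpack_from(blob)
    if magic != MAGIC:
        return False, "bad magic"
    # 1. Size arithmetic that wraps: sizeof(header) + compressed_len computed
    #    in 32 bits can come out tiny, so an allocation sized from it is
    #    far smaller than the copy that follows.  Check before any use.
    if c_uint32_add(HEADER.size, clen) < clen:
        return False, "size arithmetic wraps"
    # 2. Declared compressed length larger than the bytes actually present:
    #    a copy of clen bytes reads, and a memcpy into a clen-sized heap
    #    block writes, past what the file really contains.
    if clen > len(blob) - HEADER.size:
        return False, "compressed_len exceeds data present"
    # 3. Unbounded output size: a huge uncompressed_len either fails the
    #    allocation outright or, if silently truncated, leaves a buffer
    #    smaller than the decompressor will write into.
    if ulen > MAX_UNPACKED:
        return False, "uncompressed_len above cap"
    return True, "ok"


def craft(clen, ulen, payload):
    """Build a test blob with arbitrary (possibly lying) size fields."""
    return HEADER.pack(MAGIC, clen, ulen) + payload


if __name__ == "__main__":
    for clen, ulen, data in [(3, 100, b"abc"), (0xFFFFFFFA, 100, b"abc"),
                             (1000, 100, b"abc"), (3, 1 << 30, b"abc")]:
        print(clen, ulen, validate(craft(clen, ulen, data)))
```

The decompressor itself still has to bound every write by the size of the buffer it actually obtained, not by what the header promised; these checks only stop the header from dictating an allocation that the data will then overrun.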
Comments
Netscape Three Vulnerabilities

TITLE:
Netscape Three Vulnerabilities

SECUNIA ADVISORY ID:
SA14206

VERIFY ADVISORY:
http://secunia.com/advisories/14206/

CRITICAL:
Less critical

IMPACT:
Security Bypass, Cross Site Scripting, Manipulation of data

WHERE:
From remote

SOFTWARE:
Netscape 7.x
http://secunia.com/product/85/

DESCRIPTION:
mikx has discovered three vulnerabilities in Netscape, which can be
exploited by malicious people to plant malware on a user's system,
conduct cross-site scripting attacks and bypass certain security
restrictions.

1) Netscape validates an image against the "Content-Type" HTTP
header, but uses the file extension from the URL when saving an image
after a drag and drop event. This can e.g. be exploited to plant a
valid image with an arbitrary file extension and embedded script code
(e.g. .bat file) on the desktop by tricking a user into performing a
certain drag and drop event.

2) Missing URI handler validation when dragging a "javascript:" URL
to another tab can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an arbitrary site by
tricking a user into dragging a malicious link to another tab.

3) An error in the restriction of URI handlers loaded via plugins can
be exploited to link to certain restricted URIs (e.g. about:config).

This can further be exploited to trick a user into changing some
sensitive configuration settings.

The vulnerabilities have been confirmed in version 7.2. Other
versions may also be affected.

SOLUTION:
Use another browser.

PROVIDED AND/OR DISCOVERED BY:
Originally discovered by:
mikx

Reported in Netscape by:
Juha-Matti Laurio

ORIGINAL ADVISORY:
1) http://www.mikx.de/index.php?p=8
2) http://www.mikx.de/index.php?p=9
3) http://www.mikx.de/index.php?p=10
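Issues 1 and 2 above come down to two decisions a browser has to make correctly: where the extension of a saved file comes from, and which schemes may be navigated as the result of a drop. The following is an added example, not Netscape or Mozilla code, showing both checks in isolation. The media-type table and the scheme allowlist are assumed, and the URLs in the usage are constructed.

```python
"""Two checks for the drag-and-drop cases above: the saved file's
extension must follow the validated media type, not the URL, and a
dropped URL must be on a scheme allowlist before it is navigated.
Added example, not Netscape/Mozilla code; the tables are assumed."""
import posixpath
from urllib.parse import urlsplit

# Assumed mapping: only types the image validator accepted get saved, and
# the extension comes from this table, never from the URL path.
IMAGE_EXTENSIONS = {"image/jpeg": ".jpg", "image/png": ".png", "image/gif": ".gif"}
# Assumed allowlist for drop targets; javascript:, data:, about: fall out.
DROPPABLE_SCHEMES = {"http", "https", "ftp"}


def saved_image_name(url, content_type):
    """Filename for a dragged image: sanitised URL stem plus an extension
    derived from the Content-Type the image was validated against."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    ext = IMAGE_EXTENSIONS.get(media_type)
    if ext is None:
        raise ValueError("not an image type the validator accepts: " + media_type)
    stem = posixpath.basename(urlsplit(url).path).rsplit(".", 1)[0]
    # Conservative character set: no second extension, dot or separator
    # chosen by the attacker survives into the name on the desktop.
    stem = "".join(c for c in stem if c.isalnum() or c in "-_")[:64]
    return (stem or "image") + ext


def droppable_url(url):
    """True only for schemes that may be loaded from a drop.  A
    'javascript:' URL dragged onto another tab would otherwise run in
    that tab's origin."""
    return urlsplit(url.strip()).scheme.lower() in DROPPABLE_SCHEMES


if __name__ == "__main__":
    # Constructed inputs: a validated JPEG served under a .bat name, and
    # a script URL offered as a drag source.
    print(saved_image_name("http://evil.example/photo.bat", "image/jpeg"))
    print(droppable_url("javascript:alert(document.cookie)"))
```

The first function deliberately discards the URL's extension even when it looks harmless; the second treats the scheme as an allowlist rather than blocking known-bad ones, so about: and data: are refused as well as javascript:.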

VeriSign i-Nav Plug-In IDN Spoofing Security Issue

TITLE:
VeriSign i-Nav Plug-In IDN Spoofing Security Issue

SECUNIA ADVISORY ID:
SA14209

VERIFY ADVISORY:
http://secunia.com/advisories/14209/

CRITICAL:
Moderately critical

IMPACT:
Spoofing

WHERE:
From remote

SOFTWARE:
VeriSign i-Nav Plug-In
http://secunia.com/product/4623/

DESCRIPTION:
Eric Johanson has reported a security issue in i-Nav Plug-In, which
can be exploited by a malicious web site to spoof the URL displayed
in the address bar, SSL certificate, and status bar.

The problem is caused due to an unintended result of the IDN
(International Domain Name) implementation, which allows using
international characters in domain names.

This can be exploited by registering domain names with certain
international characters that resemble other commonly used
characters, thereby causing the user to believe they are on a trusted
site.

Secunia has constructed a test, which can be used to check if your
browser is affected by this issue:
http://secunia.com/multiple_browsers_idn_spoofing_test/

The issue has been confirmed in the last build of i-Nav Plug-In
(downloaded 2005-02-09).

SOLUTION:
Don't follow links from untrusted sources.

Manually type the URL in the address bar.

PROVIDED AND/OR DISCOVERED BY:
Originally described by:
Evgeniy Gabrilovich and Alex Gontmakher

Reported by:
Eric Johanson

ORIGINAL ADVISORY:
http://www.shmoo.com/idn/homograph.txt

OTHER REFERENCES:
The Homograph Attack:
http://www.cs.technion.ac.il/~gabr/papers/homograph.html

ICANN paper on IDN Permissible Code Point Problems:
http://www.icann.org/committees/idn/idn-codepoint-paper.htm
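The two things a client (or a proxy, mail filter or log review) can do about the homograph problem are to show the ACE ("xn--") form instead of the decoded Unicode, and to flag labels that mix scripts or that collapse onto a known domain once lookalike characters are folded. The following is an added example, not VeriSign, Secunia or Shmoo code; the confusable table is a small constructed subset of the Cyrillic and Greek lookalikes, and the trusted-domain list is made up.

```python
"""Homograph (IDN lookalike) detection for the issue described above.
Added example; not VeriSign, Secunia or Shmoo code.  The confusable
table and the trusted-domain list are constructed for illustration."""
import unicodedata

# Constructed table: Cyrillic/Greek letters that render identically to
# Latin ones in common fonts.  A production check would use the full
# Unicode confusables data (UTS #39) rather than this subset.
CONFUSABLE = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u04bb": "h",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",
}


def script_of(ch):
    """Coarse script of one character, taken from its Unicode name."""
    if not ch.isalpha():
        return "COMMON"              # digits, '-' and '.' belong to no script
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def to_ascii(domain):
    """What the address bar should show: the punycode (ACE) form."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain):
    """Collapse visually confusable characters onto their Latin lookalike.
    NFKC alone does not do this: it never unifies Cyrillic with Latin."""
    folded = unicodedata.normalize("NFKC", domain).casefold()
    return "".join(CONFUSABLE.get(ch, ch) for ch in folded)


def check_domain(domain, trusted):
    """Report the ACE form, any label mixing scripts, and which trusted
    domain (if any) this one visually impersonates."""
    labels = domain.casefold().split(".")
    mixed = [lab for lab in labels
             if len({script_of(ch) for ch in lab} - {"COMMON"}) > 1]
    skel = skeleton(domain)
    lookalike = next((t for t in trusted
                      if skeleton(t) == skel and t.casefold() != domain.casefold()),
                     None)
    return {
        "ascii": to_ascii(domain),
        "mixed_script_labels": mixed,
        "lookalike_of": lookalike,
        "suspicious": bool(mixed or lookalike),
    }


if __name__ == "__main__":
    # Constructed input: 'paypal' with a Cyrillic a (U+0430) in place of the Latin one.
    print(check_domain("p\u0430ypal.com", ["paypal.com", "example.com"]))
```

The mixed-script test is the cheap, list-free check and catches the case in the advisory; the skeleton comparison is what catches a label that is entirely Cyrillic yet spells a Latin brand, which no per-label script rule would flag.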

RealArcade Two Vulnerabilities

TITLE:
RealArcade Two Vulnerabilities

SECUNIA ADVISORY ID:
SA14187

VERIFY ADVISORY:
http://secunia.com/advisories/14187/

CRITICAL:
Moderately critical

IMPACT:
Manipulation of data, System access

WHERE:
From remote

SOFTWARE:
RealArcade 1.x
http://secunia.com/product/4622/

DESCRIPTION:
Luigi Auriemma has reported two vulnerabilities in RealArcade, which
can be exploited by malicious people to delete arbitrary files or
compromise a user's system.

1) An integer overflow in the handling of RGS files, where the size
of the GUID and game name is used insecurely, can be exploited to
execute arbitrary code by tricking a user into opening a malicious
RGS file.

2) An input validation error in the handling of RGP files can be
exploited to delete arbitrary files via directory traversal attacks
in the "FILENAME" tag by tricking a user into opening a malicious RGP
file.

The vulnerabilities have been reported in version 1.2.0.994 and
prior.

SOLUTION:
Do not open untrusted RGS and RGP files.

PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma

ORIGINAL ADVISORY:
http://aluigi.altervista.org/adv/realarcade-adv.txt
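For the second issue, the fix is a containment check on every name taken from the FILENAME tag before anything is deleted. The following is an added example, not RealArcade code: the advisory names the tag but not the file grammar, so the tag syntax, the sample manifest and the install root are all assumed. Because the target is Windows, backslashes are treated as separators and the prefix comparison is case-insensitive.

```python
"""Containment check for file names read from an untrusted manifest,
the RGP "FILENAME" case above.  Added example, not RealArcade code: the
tag syntax, the sample manifest and the install root are all assumed."""
import posixpath
import re

# Assumed tag syntax; the advisory names the tag, not the file grammar.
FILENAME_TAG = re.compile(r"<FILENAME>(.*?)</FILENAME>", re.I | re.S)


def resolve_under(root, name):
    """Absolute path of `name` inside `root`, or None if it would escape.
    Backslashes count as separators and the comparison ignores case
    because the target filesystem is Windows."""
    if "\x00" in name:
        return None
    name = name.replace("\\", "/")
    if posixpath.isabs(name) or re.match(r"^[A-Za-z]:", name):
        return None                        # absolute or drive-qualified
    root = posixpath.normpath(root.replace("\\", "/"))
    full = posixpath.normpath(posixpath.join(root, name))
    inside = full.lower().startswith(root.lower() + "/")
    return full if inside else None        # also refuses the root itself


def plan_deletions(manifest, root):
    """Split FILENAME entries into resolved paths to act on and raw
    entries to refuse; the caller deletes only the first list."""
    accepted, rejected = [], []
    for raw in FILENAME_TAG.findall(manifest):
        path = resolve_under(root, raw.strip())
        if path is None:
            rejected.append(raw)
        else:
            accepted.append(path)
    return accepted, rejected


# Constructed sample manifest mixing one legitimate entry with traversal,
# drive-qualified and empty entries.
SAMPLE = """<RGP>
<FILENAME>games/demo/level1.dat</FILENAME>
<FILENAME>..\\..\\Windows\\system32\\drivers\\etc\\hosts</FILENAME>
<FILENAME>games/../../boot.ini</FILENAME>
<FILENAME>C:\\autoexec.bat</FILENAME>
<FILENAME></FILENAME>
</RGP>"""
ROOT = "C:/Program Files/RealArcade"     # assumed install directory

if __name__ == "__main__":
    accepted, rejected = plan_deletions(SAMPLE, ROOT)
    print("delete:", accepted)
    print("refuse:", rejected)
```

This is a pure-path check, which is the first gate; on a real filesystem the deleter should also resolve the final path (os.path.realpath) so that a junction or symlink planted inside the install directory cannot point the delete back out of it.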
