Signature Detail

HTTP: Cab File Multiple Vulnerabilities

This signature detects attempts to exploit a known vulnerability against multiple CAB file parsing programs. Attackers can send files or links to files containing hostile CAB files resulting in full control of the victim's computer.

Extended Description

A remote heap-overflow vulnerability exists in Sophos Anti-Virus Library when scanning CAB files. This issue is due to the library's failure to properly bounds-check user-supplied input before copying data to an internal memory buffer. Successfully exploiting this vulnerability could result in arbitrary code execution with the privileges of the application.

Affected Products

• Sophos anti-virus 3.4.6
• Sophos anti-virus 3.78.0
• Sophos anti-virus 3.78.0 d
• Sophos anti-virus 3.79.0
• Sophos anti-virus 3.80.0
• Sophos anti-virus 3.81.0
• Sophos anti-virus 3.82.0
• Sophos anti-virus 3.83.0
• Sophos anti-virus 3.84.0
• Sophos anti-virus 3.85.0
• Sophos anti-virus 3.86.0
• Sophos anti-virus 3.90.0
• Sophos anti-virus 3.91.0
• Sophos anti-virus 3.95.0
• Sophos anti-virus 3.96.0 .0
• Sophos anti-virus 4.04
• Sophos anti-virus 4.5.11
• Sophos anti-virus 4.7.1
• Sophos anti-virus 5.2.0
• Sophos anti-virus_small_business_edition 4.04
• Sophos mailmonitor_for_exchange 4.04
• Sophos mailmonitor_for_notes/domino 4.04
• Sophos mailmonitor_for_notes/domino
• Sophos mailmonitor_for_smtp 2.0.0
• Sophos mailmonitor_for_smtp 2.1.0
• Sophos mailmonitor_for_smtp 4.04
• Sophos puremessage_for_unix 4.04
• Sophos puremessage_for_windows/exchange 5.2.0
• Sophos puremessage_small_business_edition 4.04

References

• BugTraq: 17876
• BugTraq: 14998
• CVE: CVE-2006-0994
• CVE: CVE-2005-3142