Signature Detail

HTTP: McAfee Multiple Products LHA File Handling Buffer Overflow

There exists a vulnerability in the way McAfee Antivirus Library parses LHA compressed files. The vulnerable archive parser does not perform sufficient bounds checking on the file name field in the header of LHA archive files before copying the field into a buffer, resulting in a buffer overflow. An attacker can exploit this vulnerability to execute arbitrary code in SYSTEM context on the target system by sending a specially crafted LHA file to the target. Upon receiving a simple attack, the thread of the vulnerable product will crash when it try to scan the malicious LHA archive for known trojans or viruses, therefore an malicious LHA archive may be downloaded and stored on the local file system without the affected product raising a warning or otherwise informing the user of a potential threat. The product in such a case exhibits ineffective and misleading behaviour. In an attack that allows code execution, the target system's behaviour is entirely dependent on the intended purpose of the injected code. The code will execute with system privileges.

Extended Description

LHA has been reported prone to multiple vulnerabilities that may allow a malicious archive to execute arbitrary code or corrupt arbitrary files when the archive is operated on. The first issues reported have been assigned the CVE candidate identifier (CAN-2004-0234). LHA is reported prone to two stack-based buffer-overflow vulnerabilities. An attacker may exploit these vulnerabilities to execute supplied instructions with the privileges of the user who invoked the affected LHA utility. The second set of issues has been assigned CVE candidate identifier (CAN-2004-0235). In addition to the buffer-overflow vulnerabilities that were reported, LHA has been reported prone to several directory-traversal issues. An attacker may likely exploit these directory-traversal vulnerabilities to corrupt/overwrite files in the context of the user who is running the affected LHA utility. **NOTE: Reportedly, this issue may also cause a denial-of-service condition in the ClearSwift MAILsweeper products due to code dependency. **Update: Many F-Secure Anti-Virus products are also reported prone to the buffer-overflow vulnerability.

Affected Products

• Barracuda_networks barracuda_spam_firewall 3.1.17 firmware
• Barracuda_networks barracuda_spam_firewall 3.1.18 firmware
• Clearswift mailsweeper 4.0.0
• Clearswift mailsweeper 4.1.0
• Clearswift mailsweeper 4.2.0
• Clearswift mailsweeper 4.3.0
• Clearswift mailsweeper 4.3.10
• Clearswift mailsweeper 4.3.11
• Clearswift mailsweeper 4.3.13
• Clearswift mailsweeper 4.3.3
• Clearswift mailsweeper 4.3.4
• Clearswift mailsweeper 4.3.5
• Clearswift mailsweeper 4.3.6
• Clearswift mailsweeper 4.3.6 SP1
• Clearswift mailsweeper 4.3.7
• Clearswift mailsweeper 4.3.8
• F-secure anti-virus_2003
• F-secure anti-virus_2004
• F-secure anti-virus_client_security 5.50.0
• F-secure anti-virus_client_security 5.52.0
• F-secure anti-virus_for_linux_gateways 4.51.0
• F-secure anti-virus_for_linux_gateways 4.52.0
• F-secure anti-virus_for_linux_servers 4.51.0
• F-secure anti-virus_for_linux_servers 4.52.0
• F-secure anti-virus_for_linux_workstations 4.51.0
• F-secure anti-virus_for_linux_workstations 4.52.0
• F-secure anti-virus_for_mimesweeper 5.41.0
• F-secure anti-virus_for_mimesweeper 5.42.0
• F-secure anti-virus_for_ms_exchange 6.21.0
• F-secure anti-virus_for_samba_servers 4.60.0
• F-secure anti-virus_for_windows_servers 5.41.0
• F-secure anti-virus_for_windows_servers 5.42.0
• F-secure anti-virus_for_workstations 5.41.0
• F-secure anti-virus_for_workstations 5.42.0
• F-secure f-secure_for_firewalls 6.20.0
• F-secure internet_gatekeeper 6.31.0
• F-secure internet_gatekeeper 6.32.0
• F-secure internet_security_2003 Null
• F-secure internet_security_2004 Null
• F-secure personal_express 4.5.0
• F-secure personal_express 4.6.0
• F-secure personal_express 4.7.0
• Mcafee active_mail_protection Null
• Mcafee active_threat_protection Null
• Mcafee active_virus_defense_smb_edition Null
• Mcafee asap_virusscan
• Mcafee groupshield_for_exchange 5.5.0
• Mcafee groupshield_for_lotus_domino Null
• Mcafee groupshield_for_mail_servers_with_epo Null
• Mcafee internet_security_suite Null
• Mcafee linuxshield Null
• Mcafee managed_virusscan Null
• Mcafee netshield_for_netware Null
• Mcafee portalshield_for_microsoft_sharepoint Null
• Mcafee securityshield_for_microsoft_isa_server Null
• Mcafee virex Null
• Mcafee virusscan 1.0.0
• Mcafee virusscan 2.0.0
• Mcafee virusscan 3.0.0
• Mcafee virusscan 4.0.0
• Mcafee virusscan 4.0.3
• Mcafee virusscan 4.5.0
• Mcafee virusscan 4.5.1
• Mcafee virusscan 5.0.0
• Mcafee virusscan 6.0.0
• Mcafee virusscan 7.0.0
• Mcafee virusscan 7.1.0
• Mcafee virusscan 8.0.0
• Mcafee virusscan 9.0.0
• Mcafee virusscan_command_line
• Mcafee virusscan_enterprise 8.0.0 i
• Mcafee virusscan_for_netapp
• Mcafee virusscan_professional
• Mcafee webshield_appliances Null
• Mcafee webshield_smtp 4.5
• Mr._s.k. lha 1.14.0
• Mr._s.k. lha 1.15.0
• Mr._s.k. lha 1.17.0
• Rarlab winrar 3.20.0
• Red_hat fedora Core1
• Red_hat lha-1.14i-9.i386.rpm Null
• Red_hat linux 7.3.0
• Red_hat linux 7.3.0 I386
• Red_hat linux 7.3.0 I686
• Sgi propack 2.4.0
• Sgi propack 3.0.0
• Stalker cgpmcafee 3.2.0
• Winzip winzip 9.0.0

References

• BugTraq: 10243
• CVE: CVE-2004-0234
• CVE: CVE-2005-0643