Signature Detail

HTTP: Cab File Multiple Vulnerabilities

This signature detects attempts to exploit a known vulnerability against multiple CAB file parsing programs. Attackers can send files or links to files containing hostile CAB files resulting in full control of the victim's computer.

Extended Description

A remote heap-overflow vulnerability exists in Sophos Anti-Virus Library when scanning CAB files. This issue is due to the library's failure to properly bounds-check user-supplied input before copying data to an internal memory buffer. Successfully exploiting this vulnerability could result in arbitrary code execution with the privileges of the application.

Affected Products

• Sophos Anti-Virus 3.4.6
• Sophos Anti-Virus 3.78.0
• Sophos Anti-Virus 3.78.0 d
• Sophos Anti-Virus 3.79.0
• Sophos Anti-Virus 3.80.0
• Sophos Anti-Virus 3.81.0
• Sophos Anti-Virus 3.82.0
• Sophos Anti-Virus 3.83.0
• Sophos Anti-Virus 3.84.0
• Sophos Anti-Virus 3.85.0
• Sophos Anti-Virus 3.86.0
• Sophos Anti-Virus 3.90.0
• Sophos Anti-Virus 3.91.0
• Sophos Anti-Virus 3.95.0
• Sophos Anti-Virus 3.96.0 .0
• Sophos Anti-Virus 4.04
• Sophos Anti-Virus 4.5.11
• Sophos Anti-Virus 4.7.1
• Sophos Anti-Virus 5.2.0
• Sophos Anti-Virus Small Business Edition 4.04
• Sophos MailMonitor for Exchange 4.04
• Sophos MailMonitor for Notes/Domino 4.04
• Sophos MailMonitor for Notes/Domino
• Sophos MailMonitor for SMTP 2.0.0
• Sophos MailMonitor for SMTP 2.1.0
• Sophos MailMonitor for SMTP 4.04
• Sophos PureMessage for UNIX 4.04
• Sophos PureMessage for Windows/Exchange 5.2.0
• Sophos PureMessage Small Business Edition 4.04

References

• BugTraq: 14998
• BugTraq: 17876
• CVE: CVE-2005-3142
• CVE: CVE-2006-0994