Signature Detail


Short Name

HTTP:STC:DL:MCAF-LHA-OF

Severity

High

Recommended

No

Recommended Action

Drop

Category

HTTP

Keywords

McAfee Multiple Products LHA File Handling Buffer Overflow

Release Date

2011/12/21

Update Number

2052

Supported Platforms

idp-4.0+, isg-3.1.134269+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: McAfee Multiple Products LHA File Handling Buffer Overflow


There exists a vulnerability in the way the McAfee Antivirus Library parses LHA compressed files. The vulnerable archive parser does not perform sufficient bounds checking on the file name field in the header of an LHA archive before copying the field into a buffer, resulting in a buffer overflow. An attacker can exploit this vulnerability to execute arbitrary code in SYSTEM context on the target system by sending a specially crafted LHA file to the target. In a simple attack, the scanning thread of the vulnerable product crashes when it tries to scan the malicious LHA archive for known trojans or viruses, so a malicious LHA archive may be downloaded and stored on the local file system without the affected product raising a warning or otherwise informing the user of a potential threat. The product in such a case exhibits ineffective and misleading behaviour. In an attack that achieves code execution, the target system's behaviour is entirely dependent on the intended purpose of the injected code; the code executes with SYSTEM privileges.
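As an added illustration (not Juniper's signature logic and not any vendor's code), the hardened form of the header parse the description faults: a level-0 LHA header reader that checks the name-length byte against both the declared header size and the destination buffer before copying. The header offsets are assumed from the public LHA format description, and LHA_NAME_BUF is an arbitrary fixed buffer size chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed destination buffer, as in the vulnerable pattern; size is arbitrary here. */
#define LHA_NAME_BUF 64
/* Level-0 header offsets (assumed from the public LHA format description). */
#define LHA_HDR_SIZE_OFF 0   /* size of the header after the size+checksum bytes */
#define LHA_LEVEL_OFF    20  /* header level; this reader handles level 0 only */
#define LHA_NAME_LEN_OFF 21  /* one byte: length of the file name that follows */
#define LHA_NAME_OFF     22  /* file name bytes start here */
#define LHA_CRC_LEN      2   /* CRC16 of the data follows the name */

enum lha_status {
    LHA_OK = 0,
    LHA_ERR_SHORT,               /* input ends before the header does */
    LHA_ERR_LEVEL,               /* not a level-0 header */
    LHA_ERR_NAME_EXCEEDS_HEADER, /* name-length byte overruns the declared header */
    LHA_ERR_NAME_TOO_LONG        /* name would not fit the destination buffer */
};

/* Hardened replacement for the unchecked copy
 *     memcpy(name, buf + 22, buf[21]);
 * Every bound is verified before the copy; an inconsistent or oversized
 * name field is rejected instead of silently truncated or overflowed. */
enum lha_status lha_read_name(const uint8_t *buf, size_t len,
                              char name[LHA_NAME_BUF])
{
    if (len < LHA_NAME_OFF)
        return LHA_ERR_SHORT;
    if (buf[LHA_LEVEL_OFF] != 0)
        return LHA_ERR_LEVEL;

    size_t hdr_total = (size_t)buf[LHA_HDR_SIZE_OFF] + 2; /* whole header */
    size_t name_len  = buf[LHA_NAME_LEN_OFF];

    /* The declared header must be present in the input ... */
    if (hdr_total > len)
        return LHA_ERR_SHORT;
    /* ... and the name plus its trailing CRC must fit inside that header.
     * This is the check the vulnerable parser lacked. */
    if (LHA_NAME_OFF + name_len + LHA_CRC_LEN > hdr_total)
        return LHA_ERR_NAME_EXCEEDS_HEADER;
    /* Even a header-consistent name must fit the fixed destination. */
    if (name_len >= LHA_NAME_BUF)
        return LHA_ERR_NAME_TOO_LONG;

    memcpy(name, buf + LHA_NAME_OFF, name_len);
    name[name_len] = '\0';
    return LHA_OK;
}
```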

Extended Description

LHA has been reported prone to multiple vulnerabilities that may allow a malicious archive to execute arbitrary code or corrupt arbitrary files when the archive is operated on. The first issues reported have been assigned the CVE candidate identifier CAN-2004-0234: LHA is reported prone to two stack-based buffer-overflow vulnerabilities, which an attacker may exploit to execute supplied instructions with the privileges of the user who invoked the affected LHA utility. The second set of issues has been assigned the CVE candidate identifier CAN-2004-0235: in addition to the buffer-overflow vulnerabilities, LHA has been reported prone to several directory-traversal issues, which an attacker may exploit to corrupt or overwrite files in the context of the user who is running the affected LHA utility.

Note: Reportedly, this issue may also cause a denial-of-service condition in the Clearswift MAILsweeper products due to code dependency.

Update: Many F-Secure Anti-Virus products are also reported prone to the buffer-overflow vulnerability.

Affected Products

  • Barracuda Networks Barracuda Spam Firewall 3.1.17 firmware
  • Barracuda Networks Barracuda Spam Firewall 3.1.18 firmware
  • Clearswift MailSweeper 4.0.0
  • Clearswift MailSweeper 4.1.0
  • Clearswift MailSweeper 4.2.0
  • Clearswift MailSweeper 4.3.0
  • Clearswift MailSweeper 4.3.10
  • Clearswift MailSweeper 4.3.11
  • Clearswift MailSweeper 4.3.13
  • Clearswift MailSweeper 4.3.3
  • Clearswift MailSweeper 4.3.4
  • Clearswift MailSweeper 4.3.5
  • Clearswift MailSweeper 4.3.6
  • Clearswift MailSweeper 4.3.6 SP1
  • Clearswift MailSweeper 4.3.7
  • Clearswift MailSweeper 4.3.8
  • F-Secure Anti-Virus 2003
  • F-Secure Anti-Virus 2004
  • F-Secure Anti-Virus Client Security 5.50.0
  • F-Secure Anti-Virus Client Security 5.52.0
  • F-Secure Anti-Virus for Linux Gateways 4.51.0
  • F-Secure Anti-Virus for Linux Gateways 4.52.0
  • F-Secure Anti-Virus for Linux Servers 4.51.0
  • F-Secure Anti-Virus for Linux Servers 4.52.0
  • F-Secure Anti-Virus for Linux Workstations 4.51.0
  • F-Secure Anti-Virus for Linux Workstations 4.52.0
  • F-Secure Anti-Virus for MIMEsweeper 5.41.0
  • F-Secure Anti-Virus for MIMEsweeper 5.42.0
  • F-Secure Anti-Virus for MS Exchange 6.21.0
  • F-Secure Anti-Virus for Samba Servers 4.60.0
  • F-Secure Anti-Virus for Windows Servers 5.41.0
  • F-Secure Anti-Virus for Windows Servers 5.42.0
  • F-Secure Anti-Virus for Workstations 5.41.0
  • F-Secure Anti-Virus for Workstations 5.42.0
  • F-Secure F-Secure for Firewalls 6.20.0
  • F-Secure Internet Gatekeeper 6.31.0
  • F-Secure Internet Gatekeeper 6.32.0
  • F-Secure Internet Security 2003
  • F-Secure Internet Security 2004
  • F-Secure Personal Express 4.5.0
  • F-Secure Personal Express 4.6.0
  • F-Secure Personal Express 4.7.0
  • McAfee Active Mail Protection
  • McAfee Active Threat Protection
  • McAfee Active Virus Defense SMB Edition
  • McAfee ASaP VirusScan
  • McAfee GroupShield for Exchange 5.5.0
  • McAfee GroupShield for Lotus Domino
  • McAfee GroupShield for Mail Servers with ePO
  • McAfee Internet Security Suite
  • McAfee LinuxShield
  • McAfee Managed VirusScan
  • McAfee NetShield for Netware
  • McAfee PortalShield for Microsoft SharePoint
  • McAfee SecurityShield for Microsoft ISA Server
  • McAfee Virex
  • McAfee VirusScan 1.0.0
  • McAfee VirusScan 2.0.0
  • McAfee VirusScan 3.0.0
  • McAfee VirusScan 4.0.0
  • McAfee VirusScan 4.0.3
  • McAfee VirusScan 4.5.0
  • McAfee VirusScan 4.5.1
  • McAfee VirusScan 5.0.0
  • McAfee VirusScan 6.0.0
  • McAfee VirusScan 7.0.0
  • McAfee VirusScan 7.1.0
  • McAfee VirusScan 8.0.0
  • McAfee VirusScan 9.0.0
  • McAfee VirusScan Command Line
  • McAfee VirusScan Enterprise 8.0.0 i
  • McAfee VirusScan for NetApp
  • McAfee VirusScan Professional
  • McAfee WebShield Appliances
  • McAfee WebShield SMTP 4.5
  • Mr. S.K. LHA 1.14.0
  • Mr. S.K. LHA 1.15.0
  • Mr. S.K. LHA 1.17.0
  • RARLAB WinRar 3.20.0
  • Red Hat Fedora Core 1
  • Red Hat lha-1.14i-9.i386.rpm
  • Red Hat Linux 7.3.0
  • Red Hat Linux 7.3.0 I386
  • Red Hat Linux 7.3.0 I686
  • SGI ProPack 2.4.0
  • SGI ProPack 3.0.0
  • Stalker CGPMcAfee 3.2.0
  • WinZip 9.0.0

References

  • BugTraq: 10243
  • CVE: CVE-2004-0234
  • CVE: CVE-2005-0643

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.