Title: McAfee Antivirus Library LHA Archive Handler Stack Based Buffer Overflow Vulnerability
Severity: CRITICAL
Description:
McAfee Antivirus Library is used by McAfee Antivirus software to process various file formats in order to detect whether the file contains malicious code.
McAfee Antivirus Library is reported prone to a buffer overflow vulnerability in its LHA archive parser. The affected library does not perform sufficient bounds checking on the file name fields of LHA type two headers before copying the data into a finite process buffer. The library checks only that these fields are no longer than 359 bytes, then copies the data into a buffer that is 304 bytes in length. As a result, up to 55 bytes of memory adjacent to the affected buffer are corrupted with superfluous attacker-supplied data.
It is reported that this issue is a variant of the vulnerability that was initially reported in BID 10354 (Multiple LHA Buffer Overflow/Directory Traversal Vulnerabilities).
Although the details are unclear, it is reported that the LHA archive must be specially malformed and must also conform to an alternate non-archive file format in order to trigger the vulnerability. Exploitation details will be updated as further research into this issue is completed.
A remote attacker may exploit this vulnerability to execute arbitrary code with SYSTEM privileges on a computer that is running the affected software.
This BID will be updated when further research into affected packages and exploitation details is complete.
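The mismatch described above, a 359-byte limit guarding a 304-byte buffer, is shown below next to a check derived from the destination size. This is an added example, not McAfee's code and not the real LHA header layout: the record format (a 2-byte little-endian length followed by the name bytes) and all function names are assumptions made for illustration, and the flawed path only computes the overrun instead of performing the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_BUF_SIZE  304  /* destination buffer size given in the advisory */
#define FLAWED_MAX_LEN 359  /* limit the flawed check enforces, per the advisory */

/* Length prefix of the simplified, constructed record (assumed layout). */
static size_t field_len(const uint8_t *rec) {
    return (size_t)rec[0] | ((size_t)rec[1] << 8);
}

/* Flawed validation: the limit is a constant unrelated to the buffer size.
 * Returns the number of bytes a copy would write past a NAME_BUF_SIZE
 * buffer (0 if it fits), or -1 if the flawed check rejects the field.
 * Nothing is copied, so the demonstration itself stays memory-safe. */
int flawed_overrun(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 2) return -1;
    size_t n = field_len(rec);
    if (n > FLAWED_MAX_LEN || n > rec_len - 2) return -1;
    return n > NAME_BUF_SIZE ? (int)(n - NAME_BUF_SIZE) : 0;
}

/* Hardened copy: the limit comes from the destination size, one byte is
 * reserved for the terminator, and the source length is validated too.
 * Returns the name length, or -1 if the field is rejected. */
int copy_name_checked(char *dst, size_t dst_size,
                      const uint8_t *rec, size_t rec_len) {
    if (dst_size == 0 || rec_len < 2) return -1;
    size_t n = field_len(rec);
    if (n > rec_len - 2) return -1;  /* claims more bytes than the record holds */
    if (n >= dst_size) return -1;    /* would not fit with the terminator */
    memcpy(dst, rec + 2, n);
    dst[n] = '\0';
    return (int)n;
}

/* Build a constructed record whose name is n filler bytes; returns its length. */
size_t make_record(uint8_t *out, size_t n) {
    out[0] = (uint8_t)(n & 0xff);
    out[1] = (uint8_t)(n >> 8);
    memset(out + 2, 'x', n);
    return n + 2;
}
```

Passing `sizeof` of the destination to the checked routine keeps the limit and the buffer from drifting apart when either is changed later.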
Affected Products:
- McAfee Active Mail Protection
- McAfee Active Threat Protection
- McAfee Active Virus Defense
- McAfee Active Virus Defense SMB Edition
- McAfee Active VirusScan
- McAfee Active VirusScan SMB Edition
- McAfee GroupShield for Exchange 5.5.0
- McAfee GroupShield for Exchange 6.0.0
- McAfee GroupShield for Lotus Domino
- McAfee GroupShield for Mail Servers with ePO
- McAfee Internet Security Suite
- McAfee Internet Security Suite 2005
- McAfee LinuxShield
- McAfee Managed VirusScan
- McAfee NetShield for Netware
- McAfee PortalShield for Microsoft SharePoint
- McAfee SecurityShield for Microsoft ISA Server
- McAfee Virex
- McAfee VirusScan 1.0.0
- McAfee VirusScan 2.0.0
- McAfee VirusScan 3.0.0
- McAfee VirusScan 4.0.0
- McAfee VirusScan 4.0.3
- McAfee VirusScan 4.5.0
- McAfee VirusScan 4.5.1
- McAfee VirusScan 5.0.0
- McAfee VirusScan 6.0.0
- McAfee VirusScan 7.0.0
- McAfee VirusScan 7.1.0
- McAfee VirusScan 8.0.0
- McAfee VirusScan 9.0.0
- McAfee VirusScan ASaP
- McAfee VirusScan Command Line
- McAfee VirusScan Enterprise 7.1.0
- McAfee VirusScan Enterprise 8.0.0 i
- McAfee VirusScan Professional
- McAfee VirusScan for NetApp
- McAfee WebShield SMTP 4.5
- McAfee WebShield for Solaris 4.0.0
- McAfee Webshield 3000 4.3.20
- McAfee Webshield Appliances
References:
- Internet Security Systems: McAfee AntiVirus Library Stack Overflow
- McAfee: McAfee Security Bulletin - March 17th 2005
- McAfee: VirusScan 4320 Engine Buffer Overrun Vulnerability