HTTP: McAfee Multiple Products LHA File Handling Buffer Overflow

There is a vulnerability in the way the McAfee Antivirus Library parses LHA compressed files. The vulnerable archive parser does not perform sufficient bounds checking on the file name field in the header of an LHA archive before copying the field into a buffer, resulting in a buffer overflow. An attacker can exploit this vulnerability to execute arbitrary code in SYSTEM context on the target system by sending a specially crafted LHA file to the target. In a simple attack, the scanning thread of the vulnerable product crashes when it tries to scan the malicious LHA archive for known trojans or viruses; as a result, a malicious LHA archive may be downloaded and stored on the local file system without the affected product raising a warning or otherwise informing the user of a potential threat. In such a case the product's behaviour is ineffective and misleading. In an attack that achieves code execution, the target system's behaviour depends entirely on the intended purpose of the injected code, which runs with SYSTEM privileges.

Extended Description

LHA has been reported prone to multiple vulnerabilities that may allow a malicious archive to execute arbitrary code or corrupt arbitrary files when the archive is operated on. The first issues reported have been assigned the CVE candidate identifier CAN-2004-0234: LHA is reported prone to two stack-based buffer-overflow vulnerabilities, which an attacker may exploit to execute supplied instructions with the privileges of the user who invoked the affected LHA utility. The second set of issues has been assigned the CVE candidate identifier CAN-2004-0235: in addition to the buffer-overflow vulnerabilities, LHA has been reported prone to several directory-traversal issues, which an attacker may exploit to corrupt or overwrite files in the context of the user who is running the affected LHA utility. NOTE: Reportedly, this issue may also cause a denial-of-service condition in the ClearSwift MAILsweeper products due to code dependency. Update: Many F-Secure Anti-Virus products are also reported prone to the buffer-overflow vulnerability.
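As an added example (not code from this signature entry, McAfee or the LHA project), a bounds-checked copy of the file name field from an LHA level-0 header, i.e. the check the description says the vulnerable parser omitted: the untrusted length byte is compared against both the bytes actually present and the destination buffer. The header layout is assumed from the public LHA level-0 format, and the destination buffer size and sample headers are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed LHA level-0 header layout:
 *  [0] header size   [1] header checksum   [2..6] method id, e.g. "-lh5-"
 *  [7..10] packed size   [11..14] original size   [15..18] DOS timestamp
 *  [19] attribute   [20] header level   [21] name length   [22..] name bytes */
#define LHA_NAME_LEN_OFF 21
#define LHA_NAME_OFF     22
#define NAME_BUF_SIZE    64   /* constructed destination buffer size for this example */

enum { LHA_OK = 0, LHA_ERR_SHORT = -1, LHA_ERR_LEVEL = -2, LHA_ERR_NAME_TOO_LONG = -3 };

/* Copy the file name from a level-0 header into 'out' (NUL-terminated).
 * The bug class described above is a parser that trusts hdr[21] and copies
 * that many bytes into a fixed buffer; here the length is validated first
 * against the bytes available in the header and against the output buffer. */
int lha_copy_name(const uint8_t *hdr, size_t hdr_len, char *out, size_t out_size)
{
    if (hdr_len < LHA_NAME_OFF) return LHA_ERR_SHORT;        /* header truncated */
    if (hdr[20] != 0) return LHA_ERR_LEVEL;                  /* only level 0 handled here */
    size_t name_len = hdr[LHA_NAME_LEN_OFF];                 /* attacker-controlled */
    if (name_len > hdr_len - LHA_NAME_OFF) return LHA_ERR_SHORT;     /* claims more than present */
    if (name_len >= out_size) return LHA_ERR_NAME_TOO_LONG;          /* would overflow 'out' */
    memcpy(out, hdr + LHA_NAME_OFF, name_len);
    out[name_len] = '\0';
    return LHA_OK;
}

/* Build a constructed level-0 header whose declared name length may differ
 * from the number of name bytes actually appended. Returns total size or 0. */
size_t build_header(uint8_t *buf, size_t buf_size, uint8_t declared_len, size_t actual_len)
{
    size_t total = LHA_NAME_OFF + actual_len;
    if (total > buf_size) return 0;
    memset(buf, 0, total);
    memcpy(buf + 2, "-lh5-", 5);
    buf[20] = 0;                                /* header level 0 */
    buf[LHA_NAME_LEN_OFF] = declared_len;
    memset(buf + LHA_NAME_OFF, 'A', actual_len); /* placeholder name bytes */
    return total;
}
```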

Affected Products

Barracuda_networks barracuda_spam_firewall, Clearswift mailsweeper

References

BugTraq: 10243

CVE: CVE-2005-0643

Short Name
HTTP:STC:DL:MCAF-LHA-OF
Severity
Major
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
Buffer CVE-2004-0234 CVE-2005-0643 File Handling LHA McAfee Multiple Overflow Products bid:10243
Release Date
12/21/2011
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3739
False Positive
Unknown
Vendors

Red_hat

F-secure

Barracuda_networks

Rarlab

Sgi

Mcafee

Stalker

Mr._s.k.

Winzip

Clearswift

CVSS Score

7.5

10.0
