f-prot antivirus useless buffer overflow

[Knud Erik Højgaard <kain () ircop dk>]

<crap>
This advisory may be found at http://kokanins.homepage.dk/
This advisory may not be reproduced, in part or in full, unless this notice
is included.
This advisory was written by knud.
</crap>

I. BACKGROUND

According to the vendor "F-Prot TM is a quick and easy to use antivirus
software package, specially designed to protect your data from virus
infection and to remove any virus that may have infected your
computersystem."
F-prot is available from www.f-prot.com.

II. DESCRIPTION

Insufficient bounds checking leads to execution of arbitrary code.
Useless exploit at http://kokanins.homepage.dk/f-prot.pl

III. ANALYSIS

Since f-prot is not suid/sgid the overflowing of the command line pose no
initial danger unless the admin interferes, and setting +s on strange
binaries must be considered inappropriate at the least.

IV. DETECTION

F-Prot FreeBSD for Small Business [TM] 3.12b, released on Sep. 30th 2002,
the latest available at the time of writing, is known to be vulnerable.

V. WORKAROUND

below

VI. VENDOR FIX

[mail received from vendor]

Dear Knud,
Thank you for your mail.
This as bean fixed.
best regards,
Arnar Thor

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

who cares

IX. CREDIT

knud

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html