Full Disclosure mailing list archives

Re: Re: Secunia Research: HAURI Anti-Virus Compressed Archive Directory Traversal


From: Mark Sec <mark.sec () gmail com>
Date: Tue, 23 Aug 2005 12:19:52 -0700

I have Hauri Antivirus. Nice research, but I remember Alex Hernandez in
the wild with nice bugs, and I don't see anything in the wild about him
:-) Nice research :-)


greets to: 

Alex Hernandez and KF

- Mark 
CISSP

On 23/08/05, KF (lists) <kf_lists () digitalmunition com> wrote:
Since we are talking about HAURI... there are a few exploitable system()
calls in the local setuid binaries. I have been too lazy to write them
up. Perhaps soon I'll get off my ass and document them.

Off the top of my head I think the setuid virobot binary calls
system("clear");
-KF

Steven M. Christey wrote:

The vulnerability is caused due to unsafe extraction of compressed
archives (e.g. ACE, ARJ, CAB, LZH, RAR, TAR and ZIP) into a temporary
directory before scanning. This can be exploited to write files into
arbitrary directories when scanning a malicious archive containing
files that have "/../" or "../../" directory sequences in their
filenames.

...

Apply patches.

ViRobot Linux Server 2.0:
http://www.globalhauri.com/html/download/down_unixpatch.html



This vendor page is titled "ViRobot Unix/Linux Server Security
Vulnerability Patch."

However, it goes on to describe a buffer overflow problem:

 1. Patch for Buffer Over Flow Vulnerability
 - Vulnerability Type
 : Buffer Over Flow

 - Introduction to Patch
 : Vulnerability Patch for BOF(Buffer Over Flow) via HTTP_COOKIE


There is no mention of directory traversal.

This inconsistency makes it unclear whether HAURI has specifically
fixed the directory traversal issue, and in addition it mentions
another potentially more serious issue that has likely been missed by
most advisory readers.

- Steve
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

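Added example, not part of the thread above and not HAURI's or Secunia's code: the member-name check a scanner (or anything else that unpacks untrusted archives into a temporary directory) needs before extraction. It is written against Python's standard tarfile module; the archive it vets is constructed inline and carries the two traversal shapes the advisory names ("../" at the start and "/../" buried mid-path) plus a symlink pointing outside the extraction directory, which is a second route to the same arbitrary write. All file and directory names in it are made up for the demonstration.

```python
import io
import os
import tarfile
import tempfile


def is_member_safe(name, dest):
    """True only if writing `name` relative to `dest` stays inside `dest`.

    The decision is made on the fully normalized target, not on the raw
    string, so "scan/../../x" is rejected just like a leading "../".
    """
    if not name or "\\" in name:      # backslashes are ambiguous across platforms: reject
        return False
    if name.startswith("/"):          # an absolute name would ignore dest entirely
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    try:
        return os.path.commonpath([dest_real, target]) == dest_real
    except ValueError:                # different drives on Windows
        return False


def unsafe_members(tar, dest):
    """Names of archive members that would land outside `dest` on extraction."""
    bad = []
    for m in tar.getmembers():
        if not is_member_safe(m.name, dest):
            bad.append(m.name)
            continue
        if m.issym() or m.islnk():
            # A link whose target escapes dest is a second traversal route: a
            # later member extracted "through" it lands wherever it points.
            # Symlink targets are relative to the link's own directory, hard
            # link targets to the archive root.
            if m.issym():
                link_target = os.path.join(os.path.dirname(m.name), m.linkname)
            else:
                link_target = m.linkname
            if not is_member_safe(link_target, dest):
                bad.append(m.name)
    return bad


def safe_extract(tar, dest):
    """Vet every member first, then extract; refuse the whole archive otherwise.

    Checking members one at a time while extracting is not enough, because a
    symlink written early redirects the members that come after it.
    """
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError("refusing to extract, traversal entries: %r" % (bad,))
    tar.extractall(dest)
    return sorted(m.name for m in tar.getmembers())


def build_demo_archive(malicious=True):
    """Constructed sample archive (not from the advisory): one clean entry and,
    when malicious=True, the advisory's traversal shapes plus an escaping symlink."""
    names = ["scan/clean.txt"]
    if malicious:
        names += ["../outside.txt", "scan/../../outside2.txt"]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"constructed payload\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        if malicious:
            link = tarfile.TarInfo("scan/link")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../link_target"
            tar.addfile(link)
    return buf.getvalue()


def demo():
    """Vet the malicious archive, extract the clean one; returns what happened."""
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(build_demo_archive(True))) as tar:
            bad = unsafe_members(tar, dest)
        with tarfile.open(fileobj=io.BytesIO(build_demo_archive(False))) as tar:
            extracted = safe_extract(tar, dest)
        clean_exists = os.path.isfile(os.path.join(dest, "scan", "clean.txt"))
    return bad, extracted, clean_exists


if __name__ == "__main__":
    print(demo())
```

The same test applies unchanged to the member names of the other formats the advisory lists (ACE, ARJ, CAB, LZH, RAR, ZIP); only the reader changes. Recent Python releases also ship tarfile extraction filters (extractall(..., filter="data")) that reject these entries, but a product that does its own unpacking, as the scanner here does, has to carry the check itself.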
