======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9
======================================================================
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in various HAURI
anti-virus products, which can be exploited by malicious people to
write files to arbitrary directories.
The vulnerability is caused due to unsafe extraction of compressed
archives (e.g. ACE, ARJ, CAB, LZH, RAR, TAR and ZIP) into a temporary
directory before scanning. This can be exploited to write files into
arbitrary directories when scanning a malicious archive containing
files that have "/../" or "../../" directory sequences in their
filenames.
Successful exploitation allows writing of files to arbitrary
directories, which can potentially lead to code execution (e.g. by
overwriting certain startup files), but requires that compressed file
scanning is enabled.
ViRobot Linux Server 2.0:
http://www.globalhauri.com/html/download/down_unixpatch.html
ViRobot Expert 4.0 / ViRobot Advanced Server / LiveCall:
Updated version available via online update is still vulnerable when
scanning certain archive types.
Disable compressed file scanning and scan files only after they have
been confirmed not to contain directory traversal sequences in their
filenames and correctly extracted.
======================================================================
5) Time Table
30/06/2005 - Initial vendor notification.
12/07/2005 - Second vendor notification.
14/07/2005 - Vendor response.
08/08/2005 - Received notification that VR Expert and VR Advanced
Server has been fixed via online update.
09/08/2005 - Received notification that LiveCall has been fixed via
online update.
11/08/2005 - Notified vendor that certain archive types are still
affected.
17/08/2005 - Vendor released patch for VR Linux Server and disclosed
vulnerability information.
19/08/2005 - Public disclosure.
======================================================================
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:
http://secunia.com/
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
Secunia Research 19/08/2005
- HAURI Anti-Virus Compressed Archive Directory Traversal -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9
======================================================================
1) Affected Software
ViRobot Expert 4.0
ViRobot Advanced Server
ViRobot Linux Server 2.0
HAURI LiveCall
Other versions may also be affected.
======================================================================
2) Severity
Rating: Moderately critical
Impact: Security Bypass
Where: Remote
======================================================================
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in various HAURI
anti-virus products, which can be exploited by malicious people to
write files to arbitrary directories.
The vulnerability is caused due to unsafe extraction of compressed
archives (e.g. ACE, ARJ, CAB, LZH, RAR, TAR and ZIP) into a temporary
directory before scanning. This can be exploited to write files into
arbitrary directories when scanning a malicious archive containing
files that have "/../" or "../../" directory sequences in their
filenames.
Successful exploitation allows writing of files to arbitrary
directories, which can potentially lead to code execution (e.g. by
overwriting certain startup files), but requires that compressed file
scanning is enabled.
======================================================================
4) Solution
Apply patches.
ViRobot Linux Server 2.0:
http://www.globalhauri.com/html/download/down_unixpatch.html
ViRobot Expert 4.0 / ViRobot Advanced Server / LiveCall:
Updated version available via online update is still vulnerable when
scanning certain archive types.
Disable compressed file scanning and scan files only after they have
been confirmed not to contain directory traversal sequences in their
filenames and correctly extracted.
======================================================================
5) Time Table
30/06/2005 - Initial vendor notification.
12/07/2005 - Second vendor notification.
14/07/2005 - Vendor response.
08/08/2005 - Received notification that VR Expert and VR Advanced
Server has been fixed via online update.
09/08/2005 - Received notification that LiveCall has been fixed via
online update.
11/08/2005 - Notified vendor that certain archive types are still
affected.
17/08/2005 - Vendor released patch for VR Linux Server and disclosed
vulnerability information.
19/08/2005 - Public disclosure.
======================================================================
6) Credits
Discovered by Tan Chew Keong, Secunia Research.
======================================================================
7) References
HAURI:
http://www.globalhauri.com/html/download/down_unixpatch.html
======================================================================
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:
http://secunia.com/
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/
======================================================================
9) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-24/advisory/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
[ reply ]