Where facts are few, experts are many.

Sample navigation menu:

Home | Objectives | Tools & Research Advisories Blog | Contact |

Advisories

G-SEC™ regularly publishes advisories about vulnerabilities that we discovered during our research. G-SEC™ tries to follow responsible disclosure guidelines whenever possible.

More information »

Advisories

F-Secure - Generic PDF detection bypass

Release mode: Coordinated
Reference : [GSEC-46-2009] - Computer associates multiple products
Vendor : http://www.ca.com
Status : Patched
CVE : CVE-2009-3587 & CVE-2009-3588
Credit : https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=218878
Discovered by : Thierry Zoller (G-SEC)
Vendor reaction rating : near perfect*
* Continous feedback on progress - CVE numbers - In depth investigation of the issues at hand.

Affected products :

• CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.1
• CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
• CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8.1
• CA Anti-Virus 2007 (v8)
• CA Anti-Virus 2008
• CA Anti-Virus 2009
• CA Anti-Virus Plus 2009
• eTrust EZ Antivirus r7.1
• CA Internet Security Suite 2007 (v3)
• CA Internet Security Suite 2008
• CA Internet Security Suite Plus 2008
• CA Internet Security Suite Plus 2009
• CA Threat Manager for the Enterprise (formerly eTrust Integrated
  Threat Management) r8
• CA Threat Manager for the Enterprise (formerly eTrust Integrated
  Threat Management) 8.1
• CA Threat Manager Total Defense
• CA Gateway Security r8.1
• CA Protection Suites r2
• CA Protection Suites r3
• CA Protection Suites r3.1
• CA Secure Content Manager (formerly eTrust Secure Content
  Manager) 1.1
• CA Secure Content Manager (formerly eTrust Secure Content
  Manager) 8.0
• CA Network and Systems Management (NSM) (formerly Unicenter
  Network and Systems Management) r3.0
• CA Network and Systems Management (NSM) (formerly Unicenter
  Network and Systems Management) r3.1
• CA Network and Systems Management (NSM) (formerly Unicenter
  Network and Systems Management) r11
• CA Network and Systems Management (NSM) (formerly Unicenter
  Network and Systems Management) r11.1
• CA ARCserve Backup r11.5 on Windows
• CA ARCserve Backup r12 on Windows
• CA ARCserve Backup r12.0 SP1 on Windows
• CA ARCserve Backup r12.0 SP 2 on Windows
• CA ARCserve Backup r12.5 on Windows
• CA ARCserve Backup r11.1 Linux
• CA ARCserve Backup r11.5 Linux
• CA ARCserve for Windows Client Agent
• CA ARCserve for Windows Server component
• CA eTrust Intrusion Detection 2.0 SP1
• CA eTrust Intrusion Detection 3.0
• CA eTrust Intrusion Detection 3.0 SP1
• CA Common Services (CCS) r3.1
• CA Common Services (CCS) r11
• CA Common Services (CCS) r11.1
• CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)
• CA Anti-Virus Gateway (formerly eTrust Antivirus Gateway) 7.1
  

Affected Plattforms

• Windows
• UNIX
• Linux
• Solaris
• Mac OS X
• Netware
  

I. Background

Quote:
"CA is one of the world's largest IT management software providers. We serve more than 99% of Fortune 1000 companies, as well as government entities, educational institutions and thousands of other companies in diverse industries worldwide"

"CA Anti-Virus for the Enterprise is the next generation in comprehensive anti-virus security for business PCs, servers and PDAs. It combines proactive protection against malware with new, powerful management features that stop and remove malicious code before it enters your
network, reducing system downtime"

II. Description

Improper handling of a specially crafted RAR archive file by the CA Anti-Virus engine arclib component leads to heap corruption and allows the attacker to cause a denial of service or possibly further compromise the system.

Attacker has control over EBX :

Basic Block:
6e4305b0 mov cl,byte ptr [ebx]
Tainted Input Operands: ebx
6e4305b2 add edi,28h
6e4305b5 push edi
6e4305b6 lea edx,[esp+14h]
6e4305ba mov byte ptr [esp+14h],cl
Tainted Input Operands: cl
6e4305be inc ebx
Tainted Input Operands: ebx
6e4305bf push edx
6e4305c0 mov ecx,esi
6e4305c2 mov dword ptr [esp+1ch],ebx
Tainted Input Operands: ebx
6e4305c6 call arclib!arctkopenarchive+0x283a0 (6e42f9f0)

III. Impact

The impact ranges from Denial of Service to potential remote arbritary code execution.
Due to the nature of Anti-virus products, the attack vectors can be near endless. An attack
could be done over the way of an E-mail message carrying an RAR attachement (of a file
recognised as being RAR), USB, CD, Network data.

Please note that this is a general problem and not exclusive to Computer Associates.

V. Disclosure timeline
DD.MM.YYYY

• 11.05.2009 - Reported CVE-2009-3587
• 03.06.2009 - Reported CVE-2009-3588
• 09.10.2009 - CA releases advisory
  https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=218878
• 13.10.2009 - G-SEC releases advisory
  
  
  

Note: All trademarks mentioned herein belong to their respective owners.

© 2009 - 2019 G-SEC™