Dr.Web anti-virus scanner executes malicious code
The anti-virus scanner Dr.Web can be made to execute arbitrary malicious code when scanning manipulated LHA archives. This was revealed in a posting on the security mailing list Full Disclosure. An attacker could thereby gain complete control over a system, provided they can persuade the user to open a prepared archive file, for example by means of a suitably crafted e-mail. The vulnerability has been demonstrated in version 4.33 of the Linux version of the scanner. The discoverer of the vulnerability, Jean-Sébastien Guay-Leroux, expects the flaw to be present in older versions as well. Versions for other operating systems, such as Windows, are probably also affected.
According to the advisory, processing of overly long directory names in LHA archives leads to a buffer overflow (the advisory's title describes it as a heap overflow), which can be exploited to overwrite arbitrary memory addresses. A functional demo exploit for the Linux version of the scanner is included with the advisory. According to Guay-Leroux, the vendor was informed of the problem at the end of August; however, to date no version of Dr.Web in which the flaw has been remedied has been released. Until one is, Guay-Leroux suggests, as a temporary workaround, completely deactivating the function for scanning archive files.
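The class of bug the advisory describes is a length taken from an attacker-controlled archive header and used to drive a copy into a fixed-size buffer. The following is an added illustration, not Dr.Web's code and not taken from the advisory: a bounded parser for the extended-header chain of an LHA level-1 header, shown beside the unchecked form of the same walk. The header layout is an assumption made for the example (2-byte little-endian size, 1-byte type, data; the size counts the type byte, the data and the next header's size field; size 0 ends the chain; type 0x02 is the directory name with 0xFF as separator), the sample chains are constructed inline, and all function and constant names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative parser for the extended-header chain that follows an LHA level-1
 * base header. ASSUMED, simplified layout: [2-byte LE size][1-byte type][data],
 * where size counts the type byte, the data and the 2-byte size field of the
 * next header, and a size of 0 ends the chain. Type 0x02 carries the directory
 * name with 0xFF as path separator. This is not Dr.Web's code. */

#define LHA_EXT_FILENAME 0x01
#define LHA_EXT_DIRNAME  0x02
#define LHA_E_TRUNC   (-1)   /* chain runs past the end of the header buffer */
#define LHA_E_TOOLONG (-2)   /* directory name would not fit the output buffer */
#define LHA_E_BADSIZE (-3)   /* size field smaller than its own overhead */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Bounded walk. Returns the directory-name length (0 if absent) and writes it,
 * NUL-terminated, to out; returns a negative LHA_E_* code on malformed input. */
int lha_read_dirname(const uint8_t *ext, size_t ext_len, char *out, size_t out_cap)
{
    size_t off = 0, i;
    int dir_len = 0;
    if (out_cap == 0) return LHA_E_TOOLONG;
    out[0] = '\0';
    for (;;) {
        uint16_t size;
        if (off + 2 > ext_len) return LHA_E_TRUNC;
        size = le16(ext + off);
        if (size == 0) break;                          /* end of chain */
        if (size < 3) return LHA_E_BADSIZE;            /* must cover type + next size */
        if (size > ext_len - off) return LHA_E_TRUNC;  /* type + data must lie inside ext */
        if (ext[off + 2] == LHA_EXT_DIRNAME) {
            const uint8_t *d = ext + off + 3;
            size_t data_len = (size_t)size - 3;
            /* Comparing the header-supplied length against the destination
             * capacity is exactly the check whose absence causes the overflow. */
            if (data_len >= out_cap) return LHA_E_TOOLONG;
            for (i = 0; i < data_len; i++) out[i] = (d[i] == 0xFF) ? '/' : (char)d[i];
            out[data_len] = '\0';
            dir_len = (int)data_len;
        }
        off += size;   /* the next size field sits right after this header's data */
    }
    return dir_len;
}

/* Shape of the bug: copy length taken straight from the header, fixed-size
 * destination, no comparison between the two. For contrast only; never run it
 * on untrusted input. */
int lha_read_dirname_unchecked(const uint8_t *ext, char out[256])
{
    size_t off = 0;
    for (;;) {
        uint16_t size = le16(ext + off);
        if (size == 0) return 0;
        if (ext[off + 2] == LHA_EXT_DIRNAME) {
            memcpy(out, ext + off + 3, size - 3u);   /* overflows out once size - 3 >= 256 */
            out[size - 3u] = '\0';
            return (int)(size - 3u);
        }
        off += size;
    }
}

/* Constructed sample chain: [filename "a.c"][directory name dir][terminator]. */
size_t lha_build_chain(const uint8_t *dir, size_t dir_len, uint8_t *buf, size_t cap)
{
    size_t p = 0;
    uint16_t dsz = (uint16_t)(1 + dir_len + 2);
    if (11 + dir_len > cap || dir_len > 0xFFFFu - 3) return 0;
    buf[p++] = 6; buf[p++] = 0; buf[p++] = LHA_EXT_FILENAME;   /* 1 + 3 + 2 = 6 */
    memcpy(buf + p, "a.c", 3); p += 3;
    buf[p++] = (uint8_t)(dsz & 0xFF); buf[p++] = (uint8_t)(dsz >> 8);
    buf[p++] = LHA_EXT_DIRNAME; memcpy(buf + p, dir, dir_len); p += dir_len;
    buf[p++] = 0; buf[p++] = 0;                                /* end of chain */
    return p;
}

/* Benign archive: "src\xFFlib" must come back as "src/lib", length 7. */
int demo_benign(void)
{
    uint8_t chain[64]; char name[256];
    size_t n = lha_build_chain((const uint8_t *)"src\xFFlib", 7, chain, sizeof chain);
    int r = lha_read_dirname(chain, n, name, sizeof name);
    return (r == 7 && strcmp(name, "src/lib") == 0) ? r : -100;
}

/* Manipulated archive: a 300-byte directory name against a 256-byte destination. */
int demo_oversized(void)
{
    uint8_t dir[300], chain[400]; char name[256];
    size_t n;
    memset(dir, 'A', sizeof dir);
    n = lha_build_chain(dir, sizeof dir, chain, sizeof chain);
    return lha_read_dirname(chain, n, name, sizeof name);       /* LHA_E_TOOLONG */
}

/* Header cut off mid-chain: the size field promises more bytes than exist. */
int demo_truncated(void)
{
    uint8_t chain[64]; char name[256];
    size_t n = lha_build_chain((const uint8_t *)"src\xFFlib", 7, chain, sizeof chain);
    return lha_read_dirname(chain, n - 10, name, sizeof name);  /* LHA_E_TRUNC */
}

int main(void)
{
    printf("benign: %d, oversized: %d, truncated: %d\n",
           demo_benign(), demo_oversized(), demo_truncated());
    return 0;
}
```

The bounded version rejects the oversized name before any byte is copied and also catches a chain whose size field runs past the end of the header, which is the second way a scanner parsing archive metadata tends to read out of bounds. The workaround the advisory recommends, disabling archive scanning, removes this whole parsing surface at the cost of not inspecting archive contents at all.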
- Dr.Web 4.33 antivirus LHA long directory name heap overflow, advisory on Full Disclosure