Vulnerabilities > CVE-2006-0337 - Archive Handling vulnerability in F-Secure

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
f-secure
nessus

Summary

Buffer overflow in multiple F-Secure Anti-Virus products and versions for Windows and Linux, including Anti-Virus for Windows Servers 5.52 and earlier, Internet Security 2004, 2005 and 2006, and Anti-Virus for Linux Servers 4.64 and earlier, allows remote attackers to execute arbitrary code via crafted ZIP archives.

Vulnerable Configurations

Part Description Count
Application
F-Secure
63

Nessus

NASL familyWindows
NASL idFSECURE_ARCHIVE_OVERFLOWS.NASL
descriptionThe version of F-Secure Anti-Virus installed on the remote Windows host is affected by multiple flaws in the way it handles ZIP and RAR archives. An attacker can exploit these, via specially crafted files, to bypass scanning or execute arbitrary code with SYSTEM privileges.
last seen2020-06-01
modified2020-06-02
plugin id20804
published2006-01-24
reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/20804
titleF-Secure ZIP/RAR Archive Handling Overflow Multiple RCE
code
#
# (C) Tenable Network Security, Inc.
#



include("compat.inc");

if (description) {
  script_id(20804);
  script_version("1.21");
  script_cvs_date("Date: 2018/07/11 17:09:26");

  script_cve_id("CVE-2006-0337", "CVE-2006-0338");
  script_bugtraq_id(16309);

  script_name(english:"F-Secure ZIP/RAR Archive Handling Overflow Multiple RCE");
  script_summary(english:"Checks for ZIP/RAR archive handling overflow vulnerabilities in F-Secure products.");

  script_set_attribute(attribute:"synopsis", value:
"An antivirus application installed on the remote host is affected by
multiple remote code execution vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The version of F-Secure Anti-Virus installed on the remote Windows
host is affected by multiple flaws in the way it handles ZIP and RAR
archives. An attacker can exploit these, via specially crafted files,
to bypass scanning or execute arbitrary code with SYSTEM privileges.");
  script_set_attribute(attribute:"see_also", value:"http://www.zoller.lu/");
  # https://web.archive.org/web/20060308134525/http://www.f-secure.com/security/fsc-2006-1.shtml
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3072c99e");
  script_set_attribute(attribute:"solution", value:
"Enable auto-updates if using F-Secure Internet Security 2004-2006,
F-Secure Anti-Virus 2004-2006, or F-Secure Personal Express version
6.20 or earlier. Alternatively, apply the appropriate hotfix as
referenced in the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/01/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f-secure:f-secure_anti-virus");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/registry_full_access", "SMB/transport");
  script_require_ports(139, 445);

  exit(0);
}

include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("audit.inc");
include("misc_func.inc");

name    = kb_smb_name();
login   = kb_smb_login();
pass    = kb_smb_password();
domain  = kb_smb_domain();
port    = kb_smb_transport();

#if (!get_port_state(port))
#  exit(0);

#soc = open_sock_tcp(port);
#if (!soc) exit(0);

#session_init(socket:soc, hostname:name);
if(!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1) {
  exit(0);
}

path = NULL;

hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
 NetUseDel();
 exit (0);
}

key[0] = "SOFTWARE\Data Fellows\F-Secure\Anti-Virus";
key[1] = "SOFTWARE\Data Fellows\F-Secure\Content Scanner Server";

item = "Path";

for (i=0; i<max_index(key); i++)
{
 hkey = RegOpenKey(handle:hklm, key:key[i], mode:MAXIMUM_ALLOWED);
 if (!isnull(hkey))
 {
  value = RegQueryValue(handle:hkey, item:item);
  if (!isnull(value))
    path[i] = value[1];

  RegCloseKey (handle:hkey);
 }
 else
   path[i] = NULL;
}

RegCloseKey (handle:hklm);
NetUseDel ();


vulnerable = FALSE;

for (i=0; i<max_index(path); i++)
{
 if (!isnull(path[i]) && is_accessible_share())
 {
  if ( hotfix_check_fversion(file:"fm4av.dll", version:"1.6.34.90", path:path[i]) == HCF_OLDER )
    vulnerable = TRUE;
  else if ( hotfix_check_fversion(file:"fslfpi.dll", version:"2.3.8.0", path:path[i]) == HCF_OLDER )
    vulnerable = TRUE;

  hotfix_check_fversion_end();
  if (vulnerable == TRUE)
    break;
 }
}

if (vulnerable == TRUE)
  security_hole(port);
else audit(AUDIT_HOST_NOT, 'affected');