Vulnerabilities > CVE-2007-2972 - Remote vulnerability in Avira Antivir Antivirus

CVSS 7.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

COMPLETE

network

low complexity

avira

nessus

NVD

Published: 2007-06-01

Updated: 2018-10-16

Summary

The file parsing engine in Avira Antivir Antivirus before 7.04.00.24 allows remote attackers to cause a denial of service (application crash) via a crafted UPX compressed file, which triggers a divide-by-zero error.

Vulnerable Configurations

Part	Description	Count
Application	Avira Avira Antivir * Avira AV Pack *	2

Nessus

NASL family	Windows
NASL id	AVIRA_FILE_VULNS.NASL
description	The remote host is running Avira AntiVir, an antivirus software application. The version of AntiVir installed on the remote host is reportedly prone to a buffer overflow in its LZH file processing code as well as denial of service vulnerabilities when parsing UPX and TAR files. An attacker may be able to exploit these issues to execute arbitrary code on the remote host, likely with LOCAL SYSTEM privileges, to crash the remote antivirus engine, or to cause the CPU to enter an endless loop.
last seen	2020-06-01
modified	2020-06-02
plugin id	25348
published	2007-05-31
reporter	This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/25348
title	Avira AntiVir File Handling Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(25348); script_version("1.19"); script_cvs_date("Date: 2018/11/15 20:50:26"); script_cve_id("CVE-2007-2972", "CVE-2007-2973", "CVE-2007-2974"); script_bugtraq_id(24187, 24239); script_name(english:"Avira AntiVir File Handling Vulnerabilities"); script_summary(english:"Checks version of AntiVir"); script_set_attribute(attribute:"synopsis", value: "The remote Windows host contains an application that is affected by multiple issues."); script_set_attribute(attribute:"description", value: "The remote host is running Avira AntiVir, an antivirus software application. The version of AntiVir installed on the remote host is reportedly prone to a buffer overflow in its LZH file processing code as well as denial of service vulnerabilities when parsing UPX and TAR files. An attacker may be able to exploit these issues to execute arbitrary code on the remote host, likely with LOCAL SYSTEM privileges, to crash the remote antivirus engine, or to cause the CPU to enter an endless loop."); script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2007/May/506" ); script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2007/May/512" ); script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2007/May/545" ); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f04e4f51" ); script_set_attribute(attribute:"solution", value:"Use AntiVir's Update feature to upgrade to the latest version."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/05/28"); script_set_attribute(attribute:"patch_publication_date", value:"2007/05/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/05/31"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl"); script_require_keys("SMB/Registry/Enumerated"); script_require_ports(139, 445); exit(0); } include("smb_func.inc"); include("audit.inc"); # Connect to the appropriate share. if (!get_kb_item("SMB/Registry/Enumerated")) exit(0); name = kb_smb_name(); port = kb_smb_transport(); #if (!get_port_state(port)) exit(0); login = kb_smb_login(); pass = kb_smb_password(); domain = kb_smb_domain(); #soc = open_sock_tcp(port); #if (!soc) exit(0); #session_init(socket:soc, hostname:name); if(!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init'); rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$"); if (rc != 1) { NetUseDel(); exit(0); } # Connect to remote registry. hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE); if (isnull(hklm)) { NetUseDel(); exit(0); } # Grab installation path and version from the registry. paths = make_array(); prod = "Premium Security Suite"; key = "SOFTWARE\Avira\Premium Security Suite"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { value = RegQueryValue(handle:key_h, item:"Path"); if (!isnull(value)) { path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:value[1]); paths[prod] = path; } RegCloseKey (handle:key_h); } prod = "AntiVir Windows Server"; key = "SOFTWARE\H+BEDV\AVNetNT"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { value = RegQueryValue(handle:key_h, item:"Path"); if (!isnull(value)) { path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:value[1]); paths[prod] = path; } RegCloseKey (handle:key_h); } prod = "AntiVir Windows Workstation"; key = "SOFTWARE\H+BEDV\AntiVir Workstation"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { value = RegQueryValue(handle:key_h, item:"Path"); if (!isnull(value)) { path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:value[1]); paths[prod] = path; } RegCloseKey (handle:key_h); } RegCloseKey(handle:hklm); # If it's installed... if (max_index(keys(paths)) > 0) { foreach prod (keys(paths)) { path = paths[prod]; # Look at the affected files. share = ereg_replace(pattern:"^([A-Za-z]):.", replace:"\1$", string:path); avpack = ereg_replace(pattern:"^[A-Za-z]:(.)", replace:"\1\avpack32.dll", string:path); engine = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\avewin32.dll", string:path); NetUseDel(close:FALSE); rc = NetUseAdd(login:login, password:pass, domain:domain, share:share); if (rc != 1) { NetUseDel(); exit(0); } ver_avpack = NULL; fh = CreateFile( file:avpack, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING ); if (!isnull(fh)) { ver_avpack = GetFileVersion(handle:fh); CloseFile(handle:fh); } ver_engine = NULL; fh = CreateFile( file:engine, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING ); if (!isnull(fh)) { ver_engine = GetFileVersion(handle:fh); CloseFile(handle:fh); } # Check the version numbers. affected = FALSE; if (!vuln && !isnull(ver_avpack)) { fix = split("7.03.00.09", sep:'.', keep:FALSE); for (i=0; i<max_index(fix); i++) fix[i] = int(fix[i]); for (i=0; i<max_index(ver_avpack); i++) if (ver_avpack[i] < fix[i]) { affected = TRUE; break; } else if (ver_avpack[i] > fix[i]) break; } if (!affected && !isnull(ver_engine)) { fix = split("7.04.00.24", sep:'.', keep:FALSE); for (i=0; i<max_index(fix); i++) fix[i] = int(fix[i]); for (i=0; i<max_index(ver_engine); i++) if (ver_engine[i] < fix[i]) { affected = TRUE; break; } else if (ver_engine[i] > fix[i]) break; } if (affected == TRUE) { report = string( "Nessus found an affected version of ", prod, "\n", "installed under :\n", "\n", " ", path ); security_hole(port:port, extra:report); break; } } } # Clean up. NetUseDel();

Summary

Vulnerable Configurations

Nessus

References