Computer Associates WebScan Update Processing Buffer Overflow Vulnerability
TPTI-06-06: August 7th, 2006
CVE ID
Affected Vendors
Affected Products
TippingPoint™ IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 4544. For further product information on the TippingPoint IPS:
Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on systems with affected installations of the Computer Associates eTrust AntiVirus WebScan ActiveX component. Successful exploitation requires that the target user browse to a malicious web page. The vulnerable component is typically installed as a prerequisite to the free online WebScan found at: http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
The specific flaw exists in WebScan's processing of the manifest files delivered during a scanner update check. WebScan downloads a 'filelist.txt' file from the update server, which is used as a manifest file to describe the updates available. Each line of the file consists of four fields in the following form:
[file name] [decimal integer] [decimal integer] [decimal integer]
A lack of bounds checking on the file names specified in update manifests may lead to a buffer overflow that can be easily exploited to execute arbitrary code. As WebScan allows the server for update downloads to be specified on a web page as an initialization parameter, a malicious manifest can be delivered from any server; it is not necessary to impersonate a legitimate update server.
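As an added illustration (not code from the advisory or from Computer Associates), here is a bounds-checked C parser for the four-field manifest line described above. `NAME_CAP`, the struct and the function names are assumptions, since the advisory gives neither the buffer size nor the meaning of the integer fields.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define NAME_CAP 64 /* assumed limit; the advisory gives no buffer size */

struct manifest_entry {
    char name[NAME_CAP];
    unsigned long num[3]; /* the advisory does not say what the integers mean */
};

/* Parse "[file name] [int] [int] [int]"; 0 on success, -1 if rejected. */
int parse_manifest_line(const char *line, struct manifest_entry *out)
{
    /* Measure the name first so an over-long one is refused, not copied. */
    size_t n = strcspn(line, " \t\r\n");
    if (n == 0 || n >= NAME_CAP)
        return -1;
    memcpy(out->name, line, n);
    out->name[n] = '\0';

    const char *p = line + n;
    for (int i = 0; i < 3; i++) {
        char *end;
        while (*p == ' ' || *p == '\t')
            p++;
        if (!isdigit((unsigned char)*p)) /* no sign, no empty field */
            return -1;
        errno = 0;
        out->num[i] = strtoul(p, &end, 10);
        if (errno == ERANGE)
            return -1;
        p = end;
    }
    while (isspace((unsigned char)*p)) /* only trailing whitespace allowed */
        p++;
    return *p == '\0' ? 0 : -1;
}

/* Constructed check: a 300-byte name followed by valid integers. */
int rejects_long_name(void)
{
    char line[320];
    struct manifest_entry e;
    memset(line, 'A', 300);
    memcpy(line + 300, " 1 2 3", 7);
    return parse_manifest_line(line, &e) == -1;
}
```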
Vendor Response
Computer Associates has issued an update to correct this vulnerability. More details can be found at:
Disclosure Timeline
2006-07-17 - Vulnerability reported to vendor
2006-08-07 - Coordinated public release of advisory
