TippingPoint Digital Vaccine Laboratories

Computer Associates WebScan Update Processing Buffer Overflow Vulnerability

TPTI-06-06: August 7th, 2006

CVE ID

Affected Vendors

Affected Products

TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 4544. For further product information on the TippingPoint IPS:

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on systems with affected installations of the Computer Associates eTrust AntiVirus WebScan ActiveX component. Successful exploitation requires that the target user browse to a malicious web page. The vulnerable component is typically installed as a prerequisite to the free online WebScan found at:

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

The specific flaw exists in WebScan's processing of the manifest files delivered during a scanner update check. WebScan downloads a 'filelist.txt' file from the update server and uses it as a manifest describing the available updates. Each line of the file consists of four fields in the following form:

[file name] [decimal integer] [decimal integer] [decimal integer]

A lack of bounds checking on the file names specified in update manifests may lead to a buffer overflow that can be easily exploited to execute arbitrary code. As WebScan allows the server for update downloads to be specified on a web page as an initialization parameter, a malicious manifest can be delivered from any server; it is not necessary to impersonate a legitimate update server.
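The missing check described above, shown as an added example that is not Computer Associates' code or part of the original advisory: a C parser for one manifest line that validates the file name length before copying it and requires exactly three decimal fields. The 64-byte limit, the struct and function names, and the assumption that file names contain no spaces are illustrative choices, since the advisory does not state them.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 64   /* assumed limit; the advisory gives no buffer size */

struct manifest_entry {
    char name[NAME_MAX_LEN + 1];
    unsigned long field[3];   /* the three decimal integers; meaning unspecified */
};

/* Parse one unsigned decimal field and advance *p past it. 0 on success. */
static int parse_dec(const char **p, unsigned long *out)
{
    char *end;
    while (**p == ' ') (*p)++;
    if (**p < '0' || **p > '9') return -1;     /* rejects sign, empty, junk */
    errno = 0;
    *out = strtoul(*p, &end, 10);
    if (errno == ERANGE) return -1;            /* value does not fit */
    *p = end;
    return 0;
}

/* Returns 0 and fills *e for a well-formed line, -1 otherwise. */
int parse_manifest_line(const char *line, struct manifest_entry *e)
{
    size_t n = strcspn(line, " \r\n");          /* length of the file name token */
    if (n == 0 || n > NAME_MAX_LEN) return -1;  /* bound checked before any copy */
    memcpy(e->name, line, n);
    e->name[n] = '\0';
    const char *p = line + n;
    for (int i = 0; i < 3; i++)
        if (parse_dec(&p, &e->field[i]) != 0) return -1;
    while (*p == ' ' || *p == '\r' || *p == '\n') p++;
    return *p == '\0' ? 0 : -1;                 /* reject a trailing fifth field */
}

int main(void)
{
    /* Constructed sample lines, not taken from a real filelist.txt. */
    const char *lines[] = { "scan.dll 1024 20060717 3", "a.dat 1 2", "a.dat 1 -2 3" };
    struct manifest_entry e;
    for (size_t i = 0; i < sizeof lines / sizeof *lines; i++)
        printf("%-26s -> %s\n", lines[i],
               parse_manifest_line(lines[i], &e) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Because the update server can be chosen by the hosting web page, every line of the manifest has to be treated as untrusted input, whichever server it came from.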

Vendor Response

Computer Associates has issued an update to correct this vulnerability. More details can be found at:

Disclosure Timeline

    2006-07-17 - Vulnerability reported to vendor
    2006-08-07 - Coordinated public release of advisory

Credit

This vulnerability was discovered by: