Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21185
HistoryJan 18, 2009 - 12:00 a.m.

Errata: [TZO-2009-1] Avira Antivir - RAR - Division by Zero & Null Pointer Dereference

2009-01-1800:00:00
vulners.com
10
JSON

Errata :

Products listed but not affected :
AVIRA WebProtector for KEN! - Reason: Does not use the Scan Engine
Avira AntiVir Mobile - Reason: Does not use the same AV Engine

Avira requested the following products to be removed from the list,
for the reason that they are license models and not products per se,
it is arguable whether they should be listed or not, since the
licenses (most likely) include the vulnerable products:

AVIRA WebGate Suite - Reason: is a License Model
AVIRA SmallBusiness Suite -> Reason: is a License Model
AVIRA Business Bundle -> Reason: is a License Model
AVIRA AntiVir NetWork Bundle -> Reason: is a License Model
AVIRA AntiVir NetGate Bundle -> Reason: is a License Model
AVIRA AntiVir GateWay Bundle -> Reason: is a License Model
AVIRA AntiVir Campus (for Education) -> Reason: is a License Model

List of undisputed affected products :

Avira Antivr Free
Avira AntiVir Premium
Avira Premium Security Suite
Avira AntiVir Professional
Avira AntiVir for KEN! 4
Avira AntiVir SharePoint
Avira AntiVir Virus Scan Adapter for SAP NetWeaverยฎ
Avira AntiVir MailGate
Avira MailGate Suite
Avira AntiVir Exchange
Avira AntiVir MIMEsweeper
Avira AntiVir Domino
Avira AntiVir WebGate
Avira WebGate Suite
Avira AntiVir ISA Server
Avira AntiVir MIMEsweeper

 Avira - RAR -Division by Zero & Null Pointer Dereference

Reference : [TZO-2009-1]-Avira Antivir
Location : http://blog.zoller.lu/2009/01/advisory-tzo-2009-1-avira-antivir-rar.html
Products : Avira Antivr Free
Avira AntiVir Premium
Avira Premium Security Suite
Avira AntiVir Professional
Avira AntiVir for KEN! 4
Avira AntiVir SharePoint
Avira AntiVir Virus Scan Adapter for SAP NetWeaverยฎ
Avira AntiVir MailGate
Avira MailGate Suite
Avira AntiVir Exchange
Avira AntiVir MIMEsweeper
Avira AntiVir Domino
Avira AntiVir WebGate
Avira WebGate Suite
Avira AntiVir ISA Server
Avira AntiVir MIMEsweeper

Vendors and Products using the Avira Engine :
Important : The impact of this flaw on those devices has not been
tested nor confirmed to exist, there is however reason to believe
that the flaw existed in this products aswell.

http://www.avira.com/documents/utils/pdf/products/pi_system-integration_en.pdf

           AXIGEN Mail Server
           Clearswift Mimesweeper
           GeNUGate and GeNUGate Pro (optional addon)
           IQ.Suite

Vendor : http://www.avira.de

I. Background

Avira is a leading worldwide provider of  self-developed  protection
solutions for professional and private use. The company  belongs  to
the pioneers in this  sector  with  over  twenty  years  experience.

The protection experts have numerous  company  locations  throughout
Germany and cultivate partnerships in  Europe,   Asia  and  America.
Avira has more than 180 employees at their main office  in  Tettnang
near Lake Constance and is one  of  the  largest  employers  in  the
region.  There  are  around  250  people  employed  worldwide  whose
commitment is continually being confirmed by awards.  A  significant
contribution to protection is the Avira AntiVir  Personal  which  is
being  used  by   private    users    a    million    times    over.

AV-Comparatives e.V.  have  chosen  Avira  AntiVir  Premium  as  the
best anti-virus solution of 2008 

II. Description

By manipulating certain fields inside a RAR archive and attacker
might trigger division by zero and null point exceptions. The attack vector should be rated as
remote as an attachement to an e-mail is enough.

*Anybody else noticed that the amount of details in most
advisories have become less than usefull ?

III. Impact

In some cases the  impact  is  a  Denial  of  Service  condition  in
others to an invalid read size  of  4  bytes  which  again  in  some
cases lead to an null pointer dereference.

The RAR parser inside the  module  leads  to  various  errors  whose
exploitability index is rated "I don't have time for this now  -  so
let's say 'maybe'" also sometimes known as "I lack the  time  and/or
the skill to do so". 


FAULTING_IP: 
aepack!module_get_api+20ed9
0131cad9 8b10            mov     edx,dword ptr [eax]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0131cad9 (aepack!module_get_api+0x00020ed9)
   ExceptionCode: c0000005 (Access violation)
   ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000268
Attempt to read from address 00000268

FAULTING_THREAD:  00000144
DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  avscan.exe
OVERLAPPED_MODULE: Address regions for 'AVREP' and 'rcimage.dll' overlap

READ_ADDRESS:  00000268 
BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_CORRUPT_MODULELIST_OVERLAPPED_MODULE
LAST_CONTROL_TRANSFER:  from 0131cb8c to 0131cad9

STACK_TEXT:  

0194f5fc 0131cb8c 0115bbfc 00000003 00000100 aepack!module_get_api+0x20ed9
0194f618 01319b96 0115bbfc 074cc4f4 00000002 aepack!module_get_api+0x20f8c
0194f654 0131a45a 00000010 01157160 00000001 aepack!module_get_api+0x1df96
0194f668 0131e7e0 000000d4 00f48ba8 011530d0 aepack!module_get_api+0x1e85a
0194f68c 01318c35 01157160 00000010 011530d0 aepack!module_get_api+0x22be0
00000000 00000000 00000000 00000000 00000000 aepack!module_get_api+0x1d035

FOLLOWUP_IP: 
aepack!module_get_api+20ed9
0131cad9 8b10            mov     edx,dword ptr [eax]

SYMBOL_NAME:  aepack!module_get_api+20ed9
MODULE_NAME: aepack
IMAGE_NAME:  aepack.dll
STACK_COMMAND:  ~2s ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_aepack.dll!module_get_api
BUCKET_ID: 
APPLICATION_FAULT_INVALID_POINTER_READ_CORRUPT_MODULELIST_OVERLAPPED_MODULE_aepack!module_get_api+20ed9


IV. Disclosure Timeline

The Vulnerability notification policy i adhere to:
http://blog.zoller.lu/search/label/Vulnerability%20disclosure%20Policy

17/12/2008 : Sent notice to the correct mail adress
security@avira. com

17/12/2008 : Avira achknowledges receipt

17/12/2008 : Avira sends details of the root cause on the same
day "The crash occurs in a heavily corrupted, generated RAR
archive while extracting the contents of the 22nd file. We can't
give any file names as they are non-printable characters. "

13/01/2009 : Avira notifies me that the issue was fixed with an
update that shipped with AVPack 8.1.3.5 on the 09/01/2009

14/01/2009 : Avira states that all products have been affected
except "Securityy Management Center" and the "Internet Update
Manager". "Das bedeutet im Prinzip wirklich alle Produkte, ausser
Produkte wie eben das Security Management Center oder der Internet
Update Manager"

14/01/2009 : Release of this advisory

Thierry Zoller
http://blog.zoller.lu

JSON