The information has been provided by Juha-Matti Laurio.
The original article can be found at: http://www.networksecurity.fi/advisories/mcafee-virusscan.html
* DynaZip library versions 5.00.03 and prior.
The vulnerability is caused due to a boundary error in a 3rd-party compression library's (DUNZIP32.dll) old, vulnerable version used when handling packed signature files. InnerMedia DynaZip compression library mentioned is responsible for virus description file unpacking operations.
This can be exploited to cause a buffer overflow via a specially crafted signature file. When a specially crafted virus definition package containing a file with an overly long filename (a file name or files inside a package) is opened the attacker may be able to execute arbitrary code on user's system (see VU#582498 reference). Opening of signature file is an automatic operation of product's SecurityCenter.
The following file was copied to C:\Program Files\McAfee.com\Shared directory during an installation process when tested:
File name: dunzip32.dll
Time stamp: 8th April, 2005
File version: 126.96.36.199
Description: DynaZIP-32 Multi-Threading UnZIP DLL
Copyright information: Copyright (c) Inner Media, Inc. 1993-1996, All
The following processes use Dunzip32.dll library:
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (McAfee SecurityCenter Update Manager v6.x)
C:\PROGRA~1\McAfee.com\Shared\mghtml.exe (McAfee Security HTML Dialog v4.x)
From US-CERT VU#582498:
"Impact: If a remote attacker can persuade a user to access a specially crafted zip file, the attacker may be able to execute arbitrary code on that user's system possibly with elevated privileges."
Vendor has issued a patch shipped with immune library version 5.00.06. It can be obtained by downloading an updated product version or using product's SecurityCenter Updates feature.
Non-affected library has the following time stamp: 30th December, 2005. According to vendor response localized builds has been fixed as well.
Tested non-affected product version: Build 10.0.27
Vendor is reportedly in process to publish FAQ (version release) document to the McAfee/Network Associates KnowledgeBase
No working workarounds available.
* 23-Dec-2005 - Vulnerability researched and confirmed
* 29-Dec-2005 - Vendor was contacted
* 30-Dec-2005 - Vendor's reply
* 11-Jan-2006 - AVERT Labs informs about started version testing process
* 02-Mar-2006 - New contact to the vendor
* 02-Mar-2006 - Vendor's reply, issue was fixed on 24th January, vendor informs about upcoming FAQ release document
* 27-Mar-2006 - New contact to the vendor asking the state of FAQ release
* 30-Mar-2006 - Security companies and several CERT units contacted
* 30-Mar-2006 - Public disclosure