Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2006-3977 to a friend New vulnerability? New tool? Tell us	CVE-2006-3977 CA eTrust AntiVirus WebScan Automatic Update Code Execution (Technical Details)     Credit: The information has been provided by Matthew Murphy, TippingPoint Security Research Team. The original article can be found at: http://www.tippingpoint.com/security/advisories/TSRT-06-05.html Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2006-3977 Details Check for CVE-2006-3977 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * eTrust AntiVirus WebScan version 1.1.0.1047 and prior This vulnerability allows remote attackers to execute arbitrary code on systems with affected installations of the Computer Associates eTrust AntiVirus WebScan ActiveX component. Successful exploitation requires that the target user browse to a malicious web page. The vulnerable component is typically installed as a prerequisite to the free online WebScan found at: http://www3.ca.com/securityadvisor/virusinfo/scan.aspx The specific flaw exists during the automatic update process for the WebScan ActiveX component. WebScan allows the initializing web page to specify the location that the component will use to download and install updates through the 'SigUpdatePathFTP' parameter (and potentially the 'SigUpdatePathHTTP' parameter). It downloads the 'filelist.txt' manifest and acquires any update files it lists. There is no verification performed by WebScan to assure the authenticity of the information in the file list or the files themselves. This leads to a possibility of two unique attacks. In the first attack (CVE-2006-3976), an attacker compresses a malicious file, creates a file listing that includes it and then points the update path to his/her server. The WebScan component will download and decompress the file on the local system. Other components on the system may load the file, and certain files (such as arclib.dll and vete.dll) will be loaded by WebScan itself. If either of these files is replaced by a malicious version, it becomes possible for an attacker to gain control of the system WebScan is installed on during the scanner's initialization process. In the second attack (CVE-2006-3977), an attacker compresses an outdated version of a legitimate Computer Associates file, and lists an inaccurate timestamp for the file in the update server's file listing. There is no verification on the time/date information provided by the remote server. It is possible for an attacker to install a legitimate but extremely outdated version of virus definition files or engine components to severely limit the scope of the protection provided by WebScan. Vendor Response: Computer Associates has addressed this issue in the latest version of their WebScan product. More information from the vendor is available at: http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34509 Disclosure Timeline: 2006.07.17 - Vulnerability reported to vendor 2006.07.26 - Digital Vaccine released to TippingPoint customers 2006.08.07 - Coordinated public release of advisory CVE Information: CVE-2006-3976 CVE-2006-3977  Comments on CVE-2006-3977:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®