SecuriTeam - AVG Anti-Virus Arbitrary Code Execution

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

Grisoft is "focused on developing software solutions that provide protection from computer viruses. Grisoft's primary focus is to deliver the most comprehensive and proactive protection available on the market.

Distributed globally through resellers and through the internet, the AVG Anti-Virus product line supports all major operating systems and platforms. More than 40 million users around the world use Grisoft AVG products to protect their computers and networks".

Multiple vulnerabilities have been found in AVG Anti-Virus's file parsing engine which allow attackers to overflow internal buffers and cause denial of service.

Credit:
The information has been provided by Sergio Alvarez.
The original article can be found at: http://www.grisoft.com/doc/36365/lng/us/tpl/tpl01

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* AVG Antivirus software version 7.1.406 and prior

Immune Systems:
* AVG Antivirus software version 7.1.407 or newer

In detail, the following flaws were determined:
* Heap Overflow through Integer Overflow in .CAB file parsing
* Uninitialized Variable flaw in .CAB file parsing.
* Divide by Zero in .DOC file parsing.
* Heap Overflow through Integer Overflow in .RAR file parsing
* Integer Issues in .EXE file parsing.

These problems can lead to remote arbitrary code execution if an attacker carefully crafts a file that exploits one or more of the aforementioned vulnerabilities. The vulnerabilities are present in AVG Antivirus software versions prior to 7.1.407.

Solution:
The vulnerabilities were reported on Aug 24 and the fixes were released on
Sep 20. The updated software versions are available from
http://www.grisoft.com/doc/10/lng/us/tpl/tpl01

Disclosure Timeline:
2006/08/24 - initial notification to Grisoft Inc.
2006/08/24 - Grisoft Inc. Response
2006/08/25 - PGP keys exchange
2006/08/25 - PoC files sent to Grisoft Inc.
2006/08/30 - Bugs Confirmation, Timeframe Coordination for patchs development and testing
2006/09/20 - Grisoft Inc. released Update with fixes

Subject:	Virus found Exploit	Date:	2 Dec. 2007
From:	Tarang
AVG Anti Virus detects Exploit but it does not put it in the vault. it is a vulnerability in AVG which it is yet to take care of

	SAP MaxDB Malformed Handshake Request Remote Code Execution Vulnerability
	Dojo Toolkit SDK Multiple DOM-Based XSS Vulnerabilities
	Microsoft Indeo Codec Memory Corruption Vulnerability
	HP DDMI Execution of Arbitrary Code
	Microsoft Windows License Logging Service Heap Corruption Vulnerability
	Microsoft Office Excel Code Execution Vulnerabilities
	Microsoft SharePoint 2007 ASP.NET Source Code Disclosure
	Microsoft Windows Local Security Authority Integer Overflow Vulnerability
	Windows Kernel Multiple Vulnerabilities
	Microsoft Windows ActiveX Indexing Service Memory Corruption Vulnerability
	Microsoft IIS FTP Service Code Execution and DoS Vulnerability
	Microsoft GDI+ Multiple Vulnerabilities
	Microsoft .NET Common Language Runtime Multiple Vulnereabilities
	Microsoft Active Template Library ActiveX Controls Multiple Vulnerabilities
	ActiveX Active Template Library Initialization Vulnerability