Kaspersky AntiVirus and F-Secure Anti-Virus CHM file buffer overflow

kaspersky-fsecure-chm-bo (22564). The risk level is classified as High Risk.

Description:

Kaspersky Antivirus (KAV) and F-Secure Anti-Virus are vulnerable to a heap-based buffer overflow. If a corrupt CHM file is scanned by the KAV engine, a remote attacker could overflow a buffer and execute arbitrary code on the system with user privileges, or possibly disable the antivirus functionality.

Note: It is reported that Microsoft Windows does not allow execution of code under these conditions.

Platforms Affected:

  • F-Secure, AntiVirus 4.50
  • Kaspersky, Kaspersky Anti-Virus On-Demand Scan 5.0.5
  • Kaspersky, Kaspersky Anti-Virus Personal 5.0.227

Remedy:

Update your Kaspersky or F-Secure anti-virus software to the latest version (July 2005 or later). See References.

Consequences:

Gain Access

References:

  • F-Secure Web site, f-secure at http://www.f-secure.com/.
  • iDEFENSE Security Advisory 10.10.05, Kaspersky Anti-Virus Engine CHM File Parser Buffer Overflow Vulnerability at http://www.idefense.com/application/poi/display?id=318&type=vulnerabilities.
  • Kaspersky Web site, anti-hacker programs - Linux virus protection software at http://www.kaspersky.com/buyonline.html?info=967571.
  • ASA-2007-018: HP-UX Apache Remote Execution of Arbitrary Code Denial of Service (DoS) and Unauthorized Access (HPSBUX02186)
  • BID-15054: Kaspersky Anti-Virus Engine CHM File Parser Remote Buffer Overflow Vulnerability
  • CVE-2005-2937: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-3663, CVE-2005-3664. Reason: this candidate was intended for one issue, but multiple advisories used this candidate for different issues. Notes: All CVE users should consult CVE-2005-3663 and CVE-2005-3664 to determine which ID is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage.
  • CVE-2005-3664: Heap-based buffer overflow in Kaspersky Anti-Virus Engine, as used in Kaspersky Personal 5.0.227, Anti-Virus On-Demand Scanner for Linux 5.0.5, and F-Secure Anti-Virus for Linux 4.50 allows remote attackers to execute arbitrary code via a crafted CHM file.
  • OSVDB ID: 19912: Kaspersky Anti-Virus Engine CHM File Parsing Overflow
  • OSVDB ID: 19913: F-Secure Anti-Virus for Linux CHM File Parsing Overflow
  • SA17130: Kaspersky Anti-Virus Engine CHM File Parsing Buffer Overflow
  • SA17144: F-Secure Anti-Virus for Linux CHM File Parsing Buffer Overflow

Reported:

Oct 10, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
