Sophos Anti-Virus CAB file parsing buffer overflow

sophos-cab-parsing-bo (26305) The risk level is classified as HighHigh Risk

Description:

Sophos Anti-Virus is vulnerable to a heap-based buffer overflow, caused by improper validation of Microsoft CAB files. By creating a malicious CAB file containing invalid folder count header values, a remote attacker could overflow a buffer and execute arbitrary code on the system once the malicious file is scanned.


Consequences:

Gain Access

Remedy:

Refer to Sophos Support Knowledgebase Article 4934 for upgrade information. See References.

References:

  • Full-Disclosure Mailing List, Mon May 08 2006 - 11:15:19 CDT: ZDI-06-012: Sophos Anti-Virus CAB Unpacking Code Execution Vulnerability.
  • Sophos Support Knowledgebase Article 4934: Crafted Microsoft CAB file can allow arbitrary code to be run.
  • ZDI-06-012: Sophos Anti-Virus CAB Unpacking Code Execution Vulnerability.
  • BID-17876: Sophos Anti-Virus CAB File Scanning Remote Heap Overflow Vulnerability
  • CVE-2006-0994: Multiple Sophos Anti-Virus products, including Anti-Virus for Windows 5.x before 5.2.1 and 4.x before 4.05, when cabinet file inspection is enabled, allows remote attackers to execute arbitrary code via a CAB file with invalid folder count values
  • SA20028: Sophos Anti-Virus Cabinet File Processing Memory Corruption
  • SECTRACK ID: 1016041: Sophos Anti-Virus Buffer Overflow in Parsing CAB Headers Lets Remote Users Execute Arbitrary Code
  • VUPEN/ADV-2006-1730: Sophos AntiVirus Products Cabinet File Handling Memory Corruption Vulnerability

Platforms Affected:

  • Sophos MailMonitor for Exchange 4.04 and prior
  • Sophos MailMonitor for Notes/Domino 4.04 and prior
  • Sophos MailMonitor for SMTP - Windows 4.04 and prior
  • Sophos PureMessage for Windows/Exchange 5.2.0 and prior
  • Sophos PureMessage Small Business Edition 4.04 and prior
  • Sophos Sophos Anti-Virus for DOS/Windows 3.1 4.04 and prior
  • Sophos Sophos Anti-Virus for Mac OS 8/9 4.04 and prior
  • Sophos Sophos Anti-Virus for Mac OS X 4.7.1 and prior
  • Sophos Sophos Anti-Virus for Netware 4.04 and prior
  • Sophos Sophos Anti-Virus for OpenVMS 4.04 and prior
  • Sophos Sophos Anti-Virus for OS/2 4.04 and prior
  • Sophos Sophos Anti-Virus for Unix/Linux 4.04 and prior
  • Sophos Sophos Anti-Virus for Win2000/XP/2003 4.04 and prior
  • Sophos Sophos Anti-Virus for Win2000/XP/2003 5.2.0 and prior
  • Sophos Sophos Anti-Virus for Win95/98/Me 4.04 and prior
  • Sophos Sophos Anti-Virus for Win95/98/Me 4.5.11 and prior
  • Sophos Sophos Anti-Virus for Windows NT 4.5.11 and prior
  • Sophos Sophos Anti-Virus Small Business Edition 4.04 and prior

Reported:

May 08, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page