TippingPoint Threat Management Center


TSRT-06-06: Computer Associates eTrust AntiVirus WebScan Manifest Processing Buffer Overflow Vulnerability
August 7th, 2006

CVE ID:

CVE-2006-3975

Affected Vendor:

Computer Associates

Affected Products:

eTrust AntiVirus WebScan v1.1.0.1047 and earlier

TippingPoint(TM) IPS Customer Protection:

TippingPoint IPS customers have been protected against this vulnerability since July 26, 2006 by Digital Vaccine protection filter ID 4544. For further product information on the TippingPoint IPS:

   http://www.tippingpoint.com

Vulnerability Details:

This vulnerability allows remote attackers to execute arbitrary code on systems with affected installations of the Computer Associates eTrust AntiVirus WebScan ActiveX component. Successful exploitation requires that the target user browse to a malicious web page. The vulnerable component is typically installed as a prerequisite to the free online WebScan found at:

    http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

The specific flaw exists during WebScan's processing of the actual manifest files delivered during a scanner update check. It downloads a 'filelist.txt' file from this server, which is used as a manifest file to describe the updates available. Each line of the file consists of four fields in the following form:

    [file name] [decimal integer] [decimal integer] [decimal integer]

A lack of bounds checking on the file names specified in update manifests may lead to a buffer overflow that can be easily exploited to execute arbitrary code. As WebScan allows the server for update downloads to be specified on a web page as an initialization parameter, a malicious manifest can be delivered from any server; it is not necessary to impersonate a legitimate update server.

Vendor Response:

Computer Associates has addressed this issue in the latest version of their WebScan product. More information from the vendor is available at:

    http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34509

Disclosure Timeline:
2006.07.17 Vulnerability reported to vendor
2006.07.26 Digital Vaccine released to TippingPoint customers
2006.08.07 Coordinated public release of advisory

Credit:

This vulnerability was discovered by Matthew Murphy, TippingPoint Security Research Team.

GETTING STARTED CONTACT SUPPORT 3COM CAREERS SITE MAP ©2006 3Com Corporation. All rights reserved.   Terms & Conditions