|Main Archive Page > Month Archives > full-disclosure-uk archives|
Avira - RAR -Division by Zero & Null Pointer Dereference
Vendors and Products using the Avira Engine : Important : The impact of this flaw on those devices has not been tested nor confirmed to exist, there is however reason to believe that the flaw existed in this products aswell.
http://www.avira.com/documents/utils/pdf/products/pi_system-integration_en.pdf AXIGEN Mail Server Clearswift Mimesweeper GeNUGate and GeNUGate Pro (optional addon) IQ.Suite Vendor : http://www.avira.de
The protection experts have numerous company locations throughout Germany and cultivate partnerships in Europe, Asia and America. Avira has more than 180 employees at their main office in Tettnang near Lake Constance and is one of the largest employers in the region. There are around 250 people employed worldwide whose commitment is continually being confirmed by awards. A significant contribution to protection is the Avira AntiVir Personal which is being used by private users a million times over.
AV-Comparatives e.V. have chosen Avira AntiVir Premium as the best anti-virus solution of 2008
*Anybody else noticed that the amount of details in most advisories have *become less than usefull ?*
The RAR parser inside the module leads to various errors whose exploitability index is rated "I don't have time for this now - so let's say 'maybe'" also sometimes known as "I lack the time and/or the skill to do so".
0131cad9 8b10 mov edx,dword ptr [eax] EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 0131cad9 (aepack!module_get_api+0x00020ed9)
ExceptionCode: c0000005 (Access violation)
Attempt to read from address 00000268
DEFAULT_BUCKET_ID: INVALID_POINTER_READ PROCESS_NAME: avscan.exe
OVERLAPPED_MODULE: Address regions for 'AVREP' and 'rcimage.dll' overlap
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_CORRUPT_MODULELIST_OVERLAPPED_MODULE LAST_CONTROL_TRANSFER: from 0131cb8c to 0131cad9
STACK_TEXT: 0194f5fc 0131cb8c 0115bbfc 00000003 00000100 aepack!module_get_api+0x20ed9 0194f618 01319b96 0115bbfc 074cc4f4 00000002 aepack!module_get_api+0x20f8c 0194f654 0131a45a 00000010 01157160 00000001 aepack!module_get_api+0x1df96 0194f668 0131e7e0 000000d4 00f48ba8 011530d0 aepack!module_get_api+0x1e85a 0194f68c 01318c35 01157160 00000010 011530d0 aepack!module_get_api+0x22be0 00000000 00000000 00000000 00000000 00000000 aepack!module_get_api+0x1d035
0131cad9 8b10 mov edx,dword ptr [eax]
STACK_COMMAND: ~2s ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_aepack.dll!module_get_api BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_CORRUPT_MODULELIST_OVERLAPPED_MODULE_aepack!module_get_api+20ed9
IV. Disclosure Timeline
17/12/2008 : Sent notice to the correct mail adress security@avira. com
17/12/2008 : Avira achknowledges receipt
17/12/2008 : Avira sends details of the root cause on the same day "The crash occurs in a heavily corrupted, generated RAR archive while extracting the contents of the 22nd file. We can't give any file names as they are non-printable characters. "
13/01/2009 : Avira notifies me that the issue was fixed with an update that shipped with AVPack 126.96.36.199 on the 09/01/2009
14/01/2009 : Avira states that all products have been affected except "Securityy Management Center" and the "Internet Update Manager". "Das bedeutet im Prinzip wirklich alle Produkte, ausser Produkte wie eben das Security Management Center oder der Internet Update Manager"
14/01/2009 : Release of this advisory