NOD32 Antivirus DOC parsing Arbitrary Code Execution Advisory

Affected Products: ESET NOD32 Antivirus
Vulnerability: Arbitrary Code Execution (remote)
Risk: HIGH

Vendor communication:
2006/08/24 Initial notification to ESET
2006/08/28 ESET response
2006/08/29 PGP keys exchanged
2006/08/29 PoC files sent to ESET
2006/09/06 ESET initial feedback
2006/09/08 ESET confirmed the bug and fixed it
2006/09/08 ESET made the updates available

Multiple vulnerabilities have been found in the file parsing engine.

In detail, the following flaws were identified:

– Divide by Zero in .CHM file parsing
– Heap Overflow through Integer Overflow in .DOC file parsing

The .DOC problem can lead to remote arbitrary code execution if an attacker carefully crafts a file that exploits the aforementioned vulnerabilities.
The vulnerabilities are present in NOD32 Antivirus software versions prior to the update v.1.1743.

Solution: The vulnerabilities were reported on Aug 24, and an update fixing them was issued on Sep 08 through the regular update mechanism.

Reference: (advisory published Dec. 20, 2006)
