NOD32 Antivirus DOC parsing Arbitrary Code Execution Advisory

Affected Products: ESET NOD32 Antivirus
Vulnerability: Arbitrary Code Execution (remote)
Risk: HIGH


Vendor communication:
2006/08/24 initial notification of ESET
2006/08/28 ESET Response
2006/08/29 PGP keys exchange
2006/08/29 PoC files sent to ESET
2006/09/06 ESET initial feedback
2006/09/08 ESET confirmed the bug and fixed it
2006/09/08 ESET made available the updates


Description:
Multiple vulnerabilities have been found in the file parsing engine.


In detail, the following flaws were identified:


– Divide by Zero in .CHM File Parsing
– Heap Overflow through Integer Overflow in .DOC File Parsing


The .DOC problem can lead to remote arbitrary code execution if an attacker carefully crafts a file that exploits the aforementioned vulnerabilities.
The vulnerabilities are present in NOD32 Antivirus software versions prior to the update v.1.1743.


Solution: The vulnerabilities were reported on Aug 24, and an update resolving them was issued on Sep 08 through the regular update mechanism.


Reference: http://www.securityfocus.com/archive/1/454949 (advisory published Dec. 20, 2006)
