TSRT-06-05: Computer Associates eTrust AntiVirus WebScan Automatic Update Code Execution Vulnerability http://www.tippingpoint.com/security/advisories/TSRT-06-05.html August 7, 2006 -- CVE ID: CVE-2006-3976 CVE-2006-3977 -- Affected Vendor: Computer Associates -- Affected Products: eTrust AntiVirus WebScan v1.1.0.1047 and earlier -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability since July 26, 2006 by Digital Vaccine protection filter ID 4544. For further product information on the TippingPoint IPS: http://www.tippingpoint.com -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on systems with affected installations of the Computer Associates eTrust AntiVirus WebScan ActiveX component. Successful exploitation requires that the target user browse to a malicious web page. The vulnerable component is typically installed as a prerequisite to the free online WebScan found at: http://www3.ca.com/securityadvisor/virusinfo/scan.aspx The specific flaw exists during the automatic update process for the WebScan ActiveX component. WebScan allows the initializing web page to specify the location that the component will use to download and install updates through the 'SigUpdatePathFTP' parameter (and potentially the 'SigUpdatePathHTTP' parameter). It downloads the 'filelist.txt' manifest and acquires any update files it lists. There is no verification performed by WebScan to assure the authenticity of the information in the file list or the files themselves. This leads to a possibility of two unique attacks. In the first attack (CVE-2006-3976), an attacker compresses a malicious file, creates a file listing that includes it and then points the update path to his/her server. The WebScan component will download and decompress the file on the local system. Other components on the system may load the file, and certain files (such as arclib.dll and vete.dll) will be loaded by WebScan itself. If either of these files is replaced by a malicious version, it becomes possible for an attacker to gain control of the system WebScan is installed on during the scanner's initialization process. In the second attack (CVE-2006-3977), an attacker compresses an outdated version of a legitimate Computer Associates file, and lists an inaccurate timestamp for the file in the update server's file listing. There is no verification on the time/date information provided by the remote server. It is possible for an attacker to install a legitimate but extremely outdated version of virus definition files or engine components to severely limit the scope of the protection provided by WebScan. -- Vendor Response: Computer Associates has addressed this issue in the latest version of their WebScan product. More information from the vendor is available at: http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34509 -- Disclosure Timeline: 2006.07.17 - Vulnerability reported to vendor 2006.07.26 - Digital Vaccine released to TippingPoint customers 2006.08.07 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by Matthew Murphy, TippingPoint Security Research Team. -- About the TippingPoint Security Research Team (TSRT): The TippingPoint Security Research Team (TSRT) consists of industry recognized security researchers that apply their cutting-edge engineering, reverse engineering and analysis talents in our daily operations. More information about the team is available at: http://www.tippingpoint.com/security The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to our customers' intrusion prevention systems through the Digital Vaccine(R) service.