Full Disclosure mailing list archives
RE: LHa repercussions: WinZip, WinRar, CommuniGate Pro McAfee plugin, blog
From: "CommuniGate" <cgate () cgginc com>
Date: Thu, 6 May 2004 11:44:20 -0400
I was the one that posted that message. Stalker Inc.'s two replies on the issue were: *** REPLY #1 *** Thanks, no need. I believe McAfee engine uses the same LHA unpacking code as everyone else, so it's vulnerable. You can get rid of the problem if you run the plugin with -d flag which disables decompressing archives. However, it may cause certain modern viruses getting through because they send themselves as .zip files. *** REPLY #2 *** Today they have included the sample file I mailed them into DATs as Exploit-LHA.demo, see <http://vil.nai.com/vil/content/v_125014.htm>. Don't know if it fully closes the exploit (probably no), but at least you won't be able to stop anyone's scanner by mailing that sample .lha file.
-----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com]On Behalf Of Ulf Härnhammar Sent: Wednesday, May 05, 2004 3:56 PM To: full-disclosure () lists netsys com Subject: [Full-disclosure] LHa repercussions: WinZip, WinRar, CommuniGate Pro McAfee plugin, blog According to various sources on the net, the vulnerable LHa code has been used in other products. SecurityFocus says that WinZip and WinRar also are vulnerable to the LHa buffer overflows: http://www.securityfocus.com/bid/10243/info/ I have found a mailing list discussion about my LHa test archives crashing the McAfee plugin for CommuniGate Pro: http://mail.stalker.com/Lists/CGatePro/Message/61244.html I haven't had the time to verify either of those problems personally. There is also a blog entry about the security implications of everyone using the same LHa code (thanks to Kreiger for telling me about it): http://weblogs.asp.net/oldnewthing/archive/2004/05/04.aspx -- Ulf Harnhammar http://www.advogato.org/person/metaur/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- LHa repercussions: WinZip, WinRar, CommuniGate Pro McAfee plugin, blog Ulf Härnhammar (May 05)
- RE: LHa repercussions: WinZip, WinRar, CommuniGate Pro McAfee plugin, blog CommuniGate (May 06)