Secunia Research: avast! Antivirus ACE File Handling Two Vulnerabilities

====================================================================== 

                     Secunia Research 21/07/2005

     - avast! Antivirus ACE File Handling Two Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Credits..............................................................5
References...........................................................6
About Secunia........................................................7
Verification.........................................................8

======================================================================
1) Affected Software

avast! 4 Home/Professional Edition Version 4.6.665
avast! Server Edition Version 4.6.460

The vendor has reported that avast! Managed Client is also affected.

Other versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System access
        Manipulation of data
Where:  From remote

======================================================================
3) Description of Vulnerability

Secunia Research has discovered two vulnerabilities in avast!, which
can be exploited by malicious people to compromise a vulnerable
system.

1) An input validation error in a 3rd-party compression library
(UNACEV2.DLL) when extracting ACE archives for scanning can be
exploited to write files to arbitrary directories when scanning a
malicious archive containing a file with the "/../" directory
traversal sequence or an absolute path in its filename.

2) A boundary error in UNACEV2.DLL can cause a stack-based buffer
overflow when scanning a malicious ACE archive containing a file that has
a filename of more than 290 bytes.

Successful exploitation allows execution of arbitrary code and writing
of files to arbitrary directories, but requires that ACE archive
scanning is enabled.
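
The two input checks whose absence is described above, shown as an added
example: this is not code from Secunia, avast! or UNACEV2.DLL. The function
names, the 260-byte NAME_BUF_CAP and the sample names are assumptions made
for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_CAP 260 /* assumed destination buffer size, not from the advisory */

static bool is_sep(char c) { return c == '/' || c == '\\'; }

/* True only if an entry name read from an untrusted archive header may be
 * joined to the extraction directory. name need not be NUL-terminated. */
bool entry_name_is_safe(const char *name, size_t name_len)
{
    if (name == NULL || name_len == 0) return false;
    /* Issue 2: check the header-supplied length before any copy. */
    if (name_len >= NAME_BUF_CAP) return false;
    /* An embedded NUL would make later string handling see another name. */
    if (memchr(name, '\0', name_len) != NULL) return false;
    /* Issue 1: absolute paths (leading separator, UNC, drive letter). */
    if (is_sep(name[0])) return false;
    if (name_len >= 2 && isalpha((unsigned char)name[0]) && name[1] == ':')
        return false;
    /* Issue 1: reject any path component that is exactly "..". */
    size_t start = 0;
    for (size_t i = 0; i <= name_len; i++) {
        if (i == name_len || is_sep(name[i])) {
            if (i - start == 2 && name[start] == '.' && name[start + 1] == '.')
                return false;
            start = i + 1;
        }
    }
    return true;
}

/* Copies a validated name into dst and NUL-terminates it. */
bool copy_entry_name(char dst[NAME_BUF_CAP], const char *name, size_t name_len)
{
    if (!entry_name_is_safe(name, name_len)) return false;
    memcpy(dst, name, name_len);
    dst[name_len] = '\0';
    return true;
}

int main(void)
{
    const char *samples[] = { "docs/readme.txt", "a/../b", "C:\\x" }; /* constructed */
    for (size_t i = 0; i < 3; i++)
        printf("%-16s %s\n", samples[i],
               entry_name_is_safe(samples[i], strlen(samples[i])) ? "ok" : "reject");
    return 0;
}
```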

======================================================================
4) Solution

Update to a fixed version.

Home/Professional Edition:
Fixed in version 4.6.691.

Server Edition:
Fixed in version 4.6.489.

Managed Client:
Fixed in version 4.6.394.

======================================================================
5) Credits

Discovered by Tan Chew Keong, Secunia Research.

======================================================================
6) References

http://www.avast.com/eng/av4_revision_history.html
http://www.avast.com/eng/avast_server_edition.html
http://www.avast.com/eng/257.html

======================================================================
7) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia web site:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
8) Verification

Please verify this advisory by visiting the Secunia web site:
http://secunia.com/secunia_research/2005-20/advisory/

Complete list of vulnerability reports released by Secunia Research:
http://secunia.com/secunia_research/

=====================================================================