n.runs-SA-2008.002 F-Prot Out-of-Bound Memory Access DoS (remote) Advisory

Vendor: FRISK (F-Prot), http://www.f-prot.com
Affected Product: F-Prot Anti-Virus all platforms < 4.4.4
Vulnerability: Out-of-Bound Memory Access DoS (remote)
Risk: HIGH

2008/01/22 initial notification to FRISK
2008/01/22 FRISK Response
2008/01/22 PGP public keys exchange
2008/01/23 n.runs has problems importing FRISK's provided public
key, so proceed to search on the key servers and import
the available ones and informs FRISK about it
2008/01/23 FRISK replies that the keys on the key server are fine to
be used.
2008/01/23 PoC files sent to FRISK
2008/01/26 FRISK acknowledges the PoC files and informs about having
some problem reproducing them and requests exact version
and configuration used to trigger the vulnerability
2008/01/28 FRISK communicates to n.runs that they were able to
reproduce one of the issues that they had just fixed
and that the update will be included in the upcoming
update
2008/01/28 n.runs thanks FRISK for such a quick response, provides
the exact version used while bug hunting and informs that
the issues were found about a year before; the reason of
the late report is because it was overseen until now.
2008/01/29 FRISK replies that the version used in the test is quite
old (4.3.1 against actual 4.4.3) and that during that
time many bugs had been fixed
2008/03/16 n.runs realizes that FRISK has released the update
because of a post on 27.Feb.2008 at the following link:
http://www.wilderssecurity.com/showpost.php?p=1191859&postcount=98
n.runs decides to not launch the advisory because
couldn't find an official post.
2008/07/10 n.runs finds the official announcement:
http://www.f-prot.com/download/ReleaseNotesWindows.txt
2008/07/16 n.runs releases this advisory

Overview:

FRISK Software International, established in 1993, is one of the world's leading companies in antivirus research and product development. FRISK Software produces the hugely popular F-Prot Antivirus product range offering unrivalled heuristic detection capabilities. In addition to this, the F-Prot AVES managed online e-mail security service filters away the nuisance of spam e-mail as well as viruses, worms and other malware that increasingly clog up inboxes and threaten data security. By supporting a wide range of platforms FRISK Software protects computer networks of all sizes, running on diverse platforms. As a result, FRISK Software provides its customers with comprehensive computer security solutions.

Description:

A remotely exploitable vulnerability has been found in the files' parsing engine. In detail, the following flaw was determined:

- DoS caused by an Out-of-Bound Memory Access while parsing CHM file's header: if the nb_dir field (Chunk number of root index chunk) value is set to 0xffffffff pointers math takes place and ends up in an out-of-bound read attempt.