McAfee Update
Sunday, 26. August 2007, 20:04:04
McAfee have finally released fixes for the DT_RPATH issue in their uvscan product, about 8 months after it was reported to them; you can get the latest version from here. They've also released fixes for the issues I found while fuzzing their scan engine; the advisories for those issues are here and here.
They're basically lying about the impact and their affected products ("Process Termination", wtf?). Their Windows product was affected by both issues, and at least one of the issues was obviously exploitable; they are fully aware of this, as they told me they had read Secunia's report on the issue. But it seems like they have fixed it now at least.
I'm not interested in dealing with McAfee anymore, but if you are unfortunate enough to rely on their software and have some CPU cycles to burn, you might be interested in the fuzzer I wrote. It's very naive, but evidently it is still able to find bugs. It was written by reverse-engineering the API to their scan engine and then simply intercepting filesystem operations.
To run it you need the file liblnxfv.so and the files clean.dat, names.dat and scan.dat from the vlnx distribution, which you can place in the working directory.
You can compile it like so:
$ gcc avtag.c open.c vxfuzz.c -o vxfuzz -Wl,-rpath,$PWD -L. -llnxfv
Then just run it with an input file you'd like to fuzz, e.g. a zip/rar/ace file, or an .exe packed with one of the packers they support. I think I've found most of the low-hanging fruit, but if you have one of the more obscure archive formats or packers they support, I'm sure you'll find something interesting if you can let it run for a few days.
$ ./vxfuzz input.exe
[*] vxfuzz $Version: $
[*] ----------------------------
[*] PRNG SEED: 0x12cc65c1
[*] AVInitialise();
[*] AVScanObject();
[!] signal 11, attempting to dump progress.
[+] Signal caught, dumping file to vx.out.
$ uvscan --secure ./vx.out
Segmentation fault
Hah, another crash. The file vx.out contains the file that caused the crash. Let me know if you find anything interesting.
Download vxfuzz-0.01.tar.gz here.
If you get a message about AVScanObject() returning failure, ensure you have the files clean.dat, scan.dat and names.dat in the current working directory, and that the file you're fuzzing can be read.
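Here's a stripped-down version of the idea, added as an illustration rather than vxfuzz's own code: a seeded mutator, a scan loop, and a SIGSEGV handler that dumps the input in flight to vx.out, the way the run above shows. The scan_fn type and toy_scan are stand-ins for liblnxfv's AVScanObject(), which isn't available here.

```c
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Hypothetical scan entry point standing in for AVScanObject(): 0 = scan completed. */
typedef int (*scan_fn)(const uint8_t *data, size_t len);
static const uint8_t *g_cur; static size_t g_len;  /* candidate under scan, for the handler */
static uint32_t g_state;       /* xorshift32 state; a printed seed makes a crash replayable */
static uint32_t prng_next(void) {
    g_state ^= g_state << 13; g_state ^= g_state >> 17; g_state ^= g_state << 5;
    return g_state;
}
/* Copy src to dst, then overwrite n randomly chosen bytes. Same seed, same output. */
void mutate(uint32_t seed, const uint8_t *src, uint8_t *dst, size_t len, size_t n) {
    g_state = seed ? seed : 1;  /* xorshift32 must never start from zero */
    memcpy(dst, src, len);
    for (size_t i = 0; len > 0 && i < n; i++)
        dst[prng_next() % len] = (uint8_t)prng_next();
}
/* Write buf to path with async-signal-safe calls only; returns bytes written or -1. */
ssize_t dump_progress(const char *path, const uint8_t *buf, size_t len) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    ssize_t w, done = 0;
    if (fd < 0) return -1;
    while (done < (ssize_t)len && (w = write(fd, buf + done, len - done)) > 0) done += w;
    close(fd);
    return done == (ssize_t)len ? done : -1;
}
static void on_crash(int sig) {  /* the engine faulted: save exactly what it was fed */
    static const char msg[] = "[!] signal caught, dumping file to vx.out\n";
    write(STDERR_FILENO, msg, sizeof msg - 1);
    dump_progress("vx.out", g_cur, g_len);
    _exit(128 + sig);
}
/* Feed `iterations` mutants of input to scan; returns the failed-scan count, -1 on OOM.
 * A crash never returns here: on_crash dumps vx.out and exits the process. */
int fuzz(scan_fn scan, const uint8_t *input, size_t len, uint32_t seed, int iterations) {
    uint8_t *cand = malloc(len ? len : 1);
    int failures = 0;
    if (!cand) return -1;
    g_cur = cand; g_len = len; signal(SIGSEGV, on_crash);   /* arm before the first scan */
    for (int i = 0; i < iterations; i++) {
        mutate(seed + (uint32_t)i, input, cand, len, 1 + len / 64);
        if (scan(cand, len) != 0) failures++;
    }
    free(cand); return failures;
}
/* Constructed stand-in for the engine: only inputs that start with "MZ" scan cleanly. */
int toy_scan(const uint8_t *d, size_t n) { return (n >= 2 && d[0] == 'M' && d[1] == 'Z') ? 0 : 1; }
```

Swap toy_scan for a wrapper around the real engine call and the seed printed at startup is all you need to replay a crash.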
I have been watching the issue with one eye over the past year, and I must say that the whole circus has been one of the par excellence worst disclosures ever. Shame on you McAfee. Shame.
By anonymous user, # 28. August 2007, 17:58:43
Thanks
By anonymous user, # 29. August 2007, 07:16:51
I got a sample exe packed with a generic packer supported by McAfee.
I don't see any signals as you mentioned, like:
[!] signal 11, attempting to dump progress.
[+] Signal caught, dumping file to vx.out.
All I see is:
[*] PROGRESS 0..
Anything else to be done?
-SK
By anonymous user, # 5. September 2007, 09:45:33