I was the one that posted that message. Stalker Inc.'s two replies on the issue were:
*** REPLY #1 *** Thanks, no need. I believe McAfee engine uses the same LHA unpacking code as everyone else, so it's vulnerable. You can get rid of the problem if you run the plugin with -d flag which disables decompressing archives. However, it may cause certain modern viruses getting through because they send themselves as .zip files. *** REPLY #2 *** Today they have included the sample file I mailed them into DATs as Exploit-LHA.demo, see <http://vil.nai.com/vil/content/v_125014.htm>. Don't know if it fully closes the exploit (probably no), but at least you won't be able to stop anyone's scanner by mailing that sample .lha file. > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Ulf > H�rnhammar > Sent: Wednesday, May 05, 2004 3:56 PM > To: [EMAIL PROTECTED] > Subject: [Full-Disclosure] LHa repercussions: WinZip, WinRar, > CommuniGate Pro McAfee plugin, blog > > > According to various sources on the net, the vulnerable LHa code > has been used > in other products. > > SecurityFocus says that WinZip and WinRar also are vulnerable to > the LHa buffer > overflows: > > http://www.securityfocus.com/bid/10243/info/ > > I have found a mailing list discussion about my LHa test archives > crashing the > McAfee plugin for CommuniGate Pro: > > http://mail.stalker.com/Lists/CGatePro/Message/61244.html > > I haven't had the time to verify either of those problems personally. > > There is also a blog entry about the security implications of > everyone using the > same LHa code (thanks to Kreiger for telling me about it): > > http://weblogs.asp.net/oldnewthing/archive/2004/05/04.aspx > > -- > Ulf Harnhammar > http://www.advogato.org/person/metaur/ > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
