Published:2007/02/10  Last Updated:2008/05/21

JVN#77366274
CCC Cleaner buffer overflow vulnerability

Overview

CCC Cleaner, provided by Cyber Clean Center between January 25 and February 9, 2007, contains a buffer overflow vulnerability that occurs when it scans UPX-packed executables.

This vulnerability is caused by a buffer overflow vulnerability in the scan processing of UPX compressed executables found in TrendMicro Antivirus. For details of this vulnerability, please refer to TrendMicro's website.

Products Affected

  • CCC Cleaner (CCC pattern Ver:185)
CCC Cleaner is affected by this vulnerability only when the following file is contained in the "CCC Cleaner" folder.

Filenames: lpt$vpn.185

As of February 13, 2006, Trend Micro has announced that the vulnerability "the Anti-Rootkit Common Module (TmComm.sys)" disclosed on February 11, 2006 does not affect CCC Cleaner. For more information, refer to the vendor's website.

Description

Impact

Arbitrary code could be executed when CCC Cleaner scans UPX-packed files.

Solution

Vendor Status

Vendor Link
JPCERT Coordination Center http://www.jpcert.or.jp/pr/2007/pr070002.pdf
Cyber Clean Center https://www.ccc.go.jp/index.html
https://www.ccc.go.jp/flow/index.html

References

  1. Trend Micro Incorporated
    http://esupport.trendmicro.co.jp/supportjp/viewxml.do?ContentID=JP-2061390&id=JP-2061390
  2. US-CERT Vulnerability Note VU#276432
    Trend Micro AntiVirus fails to properly process malformed UPX packed executables
  3. US-CERT Vulnerability Note VU#282240
    Trend Micro Anti-Rootkit Common Module fails to properly restrict access to the "\\.\TmComm" DOS device interface

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2007.02.10

Measures Conditions Severity
Access Required Routed - can be attacked over the Internet using packets
  • High
Authentication Limited - self-registration, perhaps valid e-mail
  • Medium-High
User Interaction Required Simple - the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file
  • Medium
Exploit Complexity Low-Medium - some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls)
  • Medium-High

Description of each analysis measures

Credit

Other Information

JPCERT Alert JPCERT-AT-2007-0004
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2007-0851
JVN iPedia JVNDB-2007-000127

Update History