void DloadDS(
[in] BSTR bstrUrl,
[in] BSTR bstrName,
[in] long lShow);
When the parameter "bstrUrl" is set to a CAB file that can be downloaded via the HTTP protocol, "DloadDS()" will download this file to the Windows Internet Explorer temporary directory and then try to execute the file named by the parameter "bstrName". The key code is as follows:
.text:1006F407 lea eax, [ebp-28h]
.text:1006F40A lea ecx, [ebp-10h]
.text:1006F40D push eax ; lpProcessInformation
.text:1006F40E lea eax, [ebp-6Ch]
necessary changes.
Details follow:
It was discovered that ClamAV did not properly verify its input when
processing CAB files. A remote attacker could send a specially crafted
CAB file to evade malware detection. (CVE-2010-0098)
It was discovered that ClamAV did not properly verify its input when
processing CAB files. A remote attacker could send a specially crafted
CAB file and cause a denial of service via application crash.
Multiple vulnerabilities have been found and corrected in cabextract:
The MS-ZIP decompressor in cabextract before 1.3 allows remote
attackers to cause a denial of service (infinite loop) via a malformed
MSZIP archive in a .cab file during a test or extract action, related
to the libmspack library (CVE-2010-2800).
Integer signedness error in the Quantum decompressor in cabextract
before 1.3, when archive test mode is used, allows user-assisted
remote attackers to cause a denial of service (application crash)
Mitigation recommendations from Trend:
1. Set the "Virus Scan > Action > Files outside of scan restriction
Criteria" to any of the secured options: Quarantine entire message
and set to Notify.
2. The CAB file will then be blocked and the Administrator will
receive the email notification.
ScanMail for Domino Suites
Impact: Protection is bypassed by default; detection is also bypassed after mitigation,
but the file is quarantined as "non extractable".