RealPlayer, ClamAV, Nugache

There’s a buffer overflow in RealPlayer 11. We don’t have much detail at this time, however it is reported that this can be exploited with a maliciously crafted file opened with a vulnerable version. Opening a malicious file will result in the execution of code under the context of the user running the application.  The issue is reported in RealPlayer 11, other untested version may be vulnerable.

ClamAV version 0.92 contains multiple vulnerabilities. The first vulnerability is a race condition, where an attacker could generate a file with a specific name that would be called by a ClamAV function. This could allow the attacker to overwrite arbitrary files. The next issue is in the handling Base64-UUEncoded files. Attackers can create certain packed files that can bypass the scanner itself. The consequences of this should be self evident, and the possibility to occur is very real, due to the success rate of socially engineered emails and links.

More articles are emerging on the Nugache Trojan. Briefly, the Nugache Trojan is a very sophisticated piece of P2P controlled malware. Using decentralized management, nodes that can attach/detach, and encryption, this malware is a professional job. The authors of these articles seem to feel that the Storm and Nugache authors are the same, or share similar tactics. Once we see a full write up, we’ll post the details.