OSVDB ID: 25431

Title: Verisign i-NAV VUpdater.Install ActiveX Arbitrary Code Execution

Dates

Disclosure: May 10, 2006
Discovery: Unknown
Exploit: Unknown
Solution: Unknown

Description

i-NAV contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered by an input validation error within the "InstallProduct" routine of the "VUpdater.Install" ActiveX control. It is possible that the flaw may allow execution of arbitrary files within ".CAB" archives, resulting in a loss of integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Rumored / Private
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to the latest version (2006-05-10) or higher, as it has been reported to fix this vulnerability. Note that this flaw was fixed in the 2006-05-10 release without a change in version number. An upgrade is required as there are no known workarounds.

Products

Verisign

i-NAV

Unknown or Unspecified

References

Credit

Unknown or Incomplete



Direct URL: http://osvdb.org/36218