TrendMicro Vulnerability in VSAPI ARJ parsing could allow Remote Code execution
From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: Wed, 2 Mar 2005 22:16:23 -0500
Vulnerability Identifier: CAN-2005-0533
Discovery Date: Feb 23, 2005
This vulnerability exists in the ARJ archive file format parser.
The ARJ archive file format is too flexible, especially in the file name field in the local
header. This file name is stored as a null-terminated string and limited only by the overall
size of the local header (local header size is stored as a 16-bit value and is limited to
2,600 bytes only).
If the file name exceeds the maximum allocated size, the VSAPI scan engine still copies this
file name into a 512-byte buffer, overwriting the succeeding data structure. One of the
fields in the said data structure is a pointer to another data structure. The next
instruction after the copying of the file name is an assignment instruction to a member of
the structure that is referred to by the overwritten pointer. The said routine causes an
illegal memory access.
Thus, it is possible to create a specially-crafted ARJ archive file that overwrites data
after the allocated 512-byte buffer. This specially-crafted file could possibly execute an
The ISS advisory can be seen here: http://xforce.iss.net/xforce/alerts/id/189
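A bounds-checked version of the file-name copy the advisory describes, as an added C example that is not Trend Micro's, ISS's or the original poster's code. The name is located by scanning only within the header and copied only if it fits the fixed 512-byte destination; the 34-byte fixed-field offset and the header contents in the harness are assumptions constructed for the demo, not the documented ARJ layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ARJ_MAX_HEADER 2600 /* largest local header the format allows (16-bit field, per advisory) */
#define NAME_BUF 512        /* fixed-size name buffer, as in the affected scan engine */

enum { NAME_ERR_HEADER_SIZE = -1, NAME_ERR_UNTERMINATED = -2, NAME_ERR_TOO_LONG = -3 };

/* Hardened replacement for "copy until NUL": copies the NUL-terminated file name
 * starting at name_off inside a local header of hdr_len bytes into dst (dst_len
 * bytes). Never reads past the header or writes past dst; the flaw described in
 * the advisory was that only the header size bounded the copy, not dst.
 * Returns the name length, or a negative NAME_ERR_* code. */
int arj_copy_name(char *dst, size_t dst_len, const uint8_t *hdr, size_t hdr_len, size_t name_off)
{
    if (dst_len == 0 || hdr_len == 0 || hdr_len > ARJ_MAX_HEADER || name_off >= hdr_len)
        return NAME_ERR_HEADER_SIZE;
    const uint8_t *start = hdr + name_off;
    const uint8_t *nul = memchr(start, '\0', hdr_len - name_off); /* search bounded by header */
    if (nul == NULL)
        return NAME_ERR_UNTERMINATED; /* name runs off the end of the header */
    size_t len = (size_t)(nul - start);
    if (len >= dst_len)
        return NAME_ERR_TOO_LONG;     /* would overflow dst (the 512-byte case) */
    memcpy(dst, start, len);
    dst[len] = '\0';
    return (int)len;
}

/* Constructed harness (not the real ARJ layout): assumes 34 bytes of fixed header
 * fields precede the name, fills the name with name_len 'A' bytes, optionally
 * NUL-terminates it, and feeds the result to a 512-byte destination. */
int check_name_of_length(size_t name_len, int terminate)
{
    uint8_t hdr[ARJ_MAX_HEADER];
    char dst[NAME_BUF];
    const size_t fixed = 34; /* assumption for the demo, not a documented offset */
    if (fixed + name_len + 1 > sizeof hdr)
        return NAME_ERR_HEADER_SIZE; /* cannot fit in the 16-bit-bounded header at all */
    memset(hdr, 0x11, fixed);
    memset(hdr + fixed, 'A', name_len);
    size_t hdr_len = fixed + name_len;
    if (terminate)
        hdr[hdr_len++] = '\0';
    return arj_copy_name(dst, sizeof dst, hdr, hdr_len, fixed);
}
```

A name of 511 bytes is the longest the 512-byte buffer accepts; anything longer, or a name without a terminator inside the header, is rejected instead of overwriting the structure that follows the buffer.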