TrendMicro Vulnerability in VSAPI ARJ parsing could allow Remote Code execution

From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 03/03/05

    Date: Wed, 2 Mar 2005 22:16:23 -0500
    
    

    Vulnerability Identifier: CAN-2005-0533
    Discovery Date: Feb 23, 2005
    Risk: Critical

    "Description:

    This vulnerability exists in the ARJ archive file format parser.

    The ARJ archive file format is too flexible, especially in the file name field in the local
    header. This file name is stored as a null-terminated string and limited only by the overall
    size of the local header (local header size is stored as a 16-bit value and is limited to
    2,600 bytes only).

    If the file name exceeds the maximum allocated size, the VSAPI scan engine still copies this
    file name into a 512-byte buffer, overwriting the succeeding data structure. One of the
    fields in the said data structure is a pointer to another data structure. The next
    instruction after the copying of the file name is an assignment instruction to a member of
    the structure that is referred to by the overwritten pointer. The said routine causes an
    illegal memory access.

    Thus, it is possible to create a specially-crafted ARJ archive file that overwrites data
    after the allocated 512-byte buffer. This specially-crafted file could possibly execute
    arbitrary code.

    The ISS advisory can be seen here: http://xforce.iss.net/xforce/alerts/id/189 "

    http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=Vulnerability+in+VSAPI+ARJ+parsing+could+allow+Remote+Code+execution

    -- 
    Dave
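The advisory above describes a classic bounded-buffer failure: the name field is only limited by the header size (a 16-bit value capped at 2,600 bytes), yet it is copied into a fixed 512-byte buffer. The C program below is an added example, not Trend Micro's VSAPI code, showing how a parser should handle such a field: read the declared header size, enforce the format limit, search for the terminating NUL only within the header bounds, and refuse any name that would not fit the destination before copying. The header layout used here (a 2-byte little-endian size followed directly by the NUL-terminated name) is a simplified model for illustration and is not the real ARJ on-disk format; the 2,600 and 512 figures are taken from the advisory text.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Limits quoted in the advisory: the local header size is a 16-bit field
 * capped at 2,600 bytes, and the engine copied the name into a 512-byte
 * buffer. The header layout modelled here (u16 LE size, then the NUL-
 * terminated name) is a simplification, not the real ARJ format. */
#define ARJ_MAX_LOCAL_HEADER 2600
#define NAME_BUF_SIZE 512

enum arj_status {
    ARJ_OK = 0,
    ARJ_ERR_TRUNCATED,         /* input shorter than the declared header */
    ARJ_ERR_HEADER_TOO_BIG,    /* declared size exceeds the format limit */
    ARJ_ERR_NAME_UNTERMINATED, /* no NUL before the end of the header */
    ARJ_ERR_NAME_TOO_LONG      /* name would not fit the fixed buffer */
};

/* Read a 16-bit little-endian value. */
static uint16_t read_u16le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Copy the file name out of a local header into a fixed-size buffer,
 * rejecting the header before any byte is written if the name cannot fit. */
enum arj_status arj_read_name(const uint8_t *hdr, size_t avail,
                              char *out, size_t out_sz)
{
    if (avail < 2) return ARJ_ERR_TRUNCATED;
    uint16_t hsize = read_u16le(hdr);
    if (hsize > ARJ_MAX_LOCAL_HEADER) return ARJ_ERR_HEADER_TOO_BIG;
    if (hsize < 2 || hsize > avail) return ARJ_ERR_TRUNCATED;

    const uint8_t *name = hdr + 2;
    size_t name_room = hsize - 2;
    /* Bound the NUL search by the header size, never by "until a NUL appears". */
    const uint8_t *nul = memchr(name, 0, name_room);
    if (!nul) return ARJ_ERR_NAME_UNTERMINATED;
    size_t name_len = (size_t)(nul - name);
    /* The name plus its terminator must fit the destination. */
    if (name_len >= out_sz) return ARJ_ERR_NAME_TOO_LONG;
    memcpy(out, name, name_len + 1);
    return ARJ_OK;
}

/* Build a constructed header in the simplified layout: name_len bytes of
 * 'A', followed by a NUL when terminated != 0. Returns bytes written, or 0
 * if the header does not fit in buf. Test input only. */
static size_t build_header(uint8_t *buf, size_t buf_sz,
                           size_t name_len, int terminated)
{
    size_t total = 2 + name_len + (terminated ? 1u : 0u);
    if (total > buf_sz || total > 0xFFFF) return 0;
    buf[0] = (uint8_t)(total & 0xFF);
    buf[1] = (uint8_t)(total >> 8);
    memset(buf + 2, 'A', name_len);
    if (terminated) buf[total - 1] = 0;
    return total;
}

/* Parse a constructed header whose name has the given length and report the
 * parser's verdict. The scratch buffer is large enough for every case below. */
enum arj_status verdict_for_name(size_t name_len, int terminated)
{
    uint8_t hdr[4096];
    char name[NAME_BUF_SIZE];
    size_t n = build_header(hdr, sizeof hdr, name_len, terminated);
    if (n == 0) return ARJ_ERR_TRUNCATED; /* could not construct the input */
    return arj_read_name(hdr, n, name, sizeof name);
}

int main(void)
{
    static const struct { size_t len; int term; const char *label; } cases[] = {
        {20,   1, "short name"},
        {511,  1, "name that just fits (511 + NUL)"},
        {512,  1, "name one byte too long"},
        {600,  1, "600-byte name"},
        {2700, 1, "header over the 2,600-byte limit"},
        {20,   0, "name with no terminator"},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-36s -> status %d\n", cases[i].label,
               verdict_for_name(cases[i].len, cases[i].term));
    return 0;
}
```

The important property is that every rejection happens before `memcpy` runs: the size check, the bounded `memchr`, and the fit check all operate on lengths, so an oversized or unterminated name can never reach the 512-byte buffer. A real parser would add the remaining header fields, but the ordering of checks is the part the advisory's bug got wrong.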
    
