Antivirus ARJ archive buffer overflow

arj-archive-long-filename-detected (19140)

High Risk

Description:

F-Secure and Trend Micro Antivirus products are vulnerable to a buffer overflow, caused by improper bounds checking when handling ARJ archives. If archive scanning is enabled, a remote attacker could create a specially-crafted ARJ archive to overflow a buffer and execute arbitrary code on the system, once the malicious archive is scanned.

Platforms Affected:

• F-Secure, F-Secure Anti-Virus 2004
• F-Secure, F-Secure Anti-Virus 2005
• F-Secure, F-Secure Anti-Virus Client Security 5.01 and prior
• F-Secure, F-Secure Anti-Virus Client Security 5.55 and prior
• F-Secure, F-Secure Anti-Virus for Citrix Servers 5.50
• F-Secure, F-Secure Anti-Virus for Firewalls 6.20 and prior
• F-Secure, F-Secure Anti-Virus for Linux Gateways 4.61 and prior
• F-Secure, F-Secure Anti-Virus for Linux Servers 4.61 and prior
• F-Secure, F-Secure Anti-Virus for Linux WS 4.52 and prior
• F-Secure, F-Secure Anti-Virus for MIMEsweeper 5.51 and prior
• F-Secure, F-Secure Anti-Virus for MS Exchange 6.31 and prior
• F-Secure, F-Secure Anti-Virus for Samba Servers 4.60
• F-Secure, F-Secure Anti-Virus for Windows Servers 5.50 and prior
• F-Secure, F-Secure Anti-Virus for Workstation 5.43 and prior
• F-Secure, F-Secure Anti-Virus Linux Server Sec 5.01 and prior
• F-Secure, F-Secure Internet Gatekeeper 6.41 and prior
• F-Secure, F-Secure Internet Gatekeeper for Linux 2.06
• F-Secure, F-Secure Internet Security 2004
• TrendMicro, Trend Micro Client/Server Suite SMB for Windows
• TrendMicro, Trend Micro Client/Server/MessagingSuite SMB for Windows
• TrendMicro, Trend Micro InterScan eManager
• TrendMicro, Trend Micro InterScan Messaging Security 3.1 Build 1027
• TrendMicro, Trend Micro InterScan Messaging Security Linux
• TrendMicro, Trend Micro InterScan Messaging Security Solaris
• TrendMicro, Trend Micro InterScan Messaging Security Windows
• TrendMicro, Trend Micro InterScan VirusWall 3.8 Build 1130
• TrendMicro, Trend Micro InterScan VirusWall AIX
• TrendMicro, Trend Micro InterScan VirusWall HP-UX
• TrendMicro, Trend Micro InterScan VirusWall Linux
• TrendMicro, Trend Micro InterScan VirusWall SMB
• TrendMicro, Trend Micro InterScan VirusWall Solaris
• TrendMicro, Trend Micro InterScan VirusWall Windows
• TrendMicro, Trend Micro InterScan Web Security Suite Linux
• TrendMicro, Trend Micro InterScan Web Security Suite Solaris
• TrendMicro, Trend Micro InterScan Web Security Suite Windows
• TrendMicro, Trend Micro InterScan WebManager
• TrendMicro, Trend Micro InterScan WebProtect for ISA
• TrendMicro, Trend Micro OfficeScan Corp. Edition
• TrendMicro, Trend Micro PC-cillin Internet Security
• TrendMicro, Trend Micro PortalProtect for Sharepoint
• TrendMicro, Trend Micro ScanMail eManager
• TrendMicro, Trend Micro ScanMail Microsoft Exchange
• TrendMicro, Trend Micro ScanMail for Domino AIX
• TrendMicro, Trend Micro ScanMail for Domino AS/400
• TrendMicro, Trend Micro ScanMail for Domino S/390
• TrendMicro, Trend Micro ScanMail for Domino Solaris
• TrendMicro, Trend Micro ScanMail for Domino Windows
• TrendMicro, Trend Micro ServerProtect Linux
• TrendMicro, Trend Micro ServerProtect Win/Novell Netware
• TrendMicro, Trend Micro ServerProtect Win/Novell Windows

Remedy:

Install the appropriate hotfix or upgrade to the latest version, as listed in F-Secure Security Bulletin FSC-2005-1. See References.

Consequences:

Gain Access

References:

• F-Secure Security Bulletin FSC-2005-1, Code execution vulnerability in ARJ-archive handling at http://www.f-secure.com/security/fsc-2005-1.shtml.
• Internet Security Systems Protection Advisory February 10, 2005, F-Secure AntiVirus Library Heap Overflow at http://xforce.iss.net/xforce/alerts/id/188.
• Trend, ARJ Software, Inc. at http://www.arjsoftware.com/.
• Trend Micro Web site, Vulnerability in VSAPI ARJ parsing could allow Remote Code execution at http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=Vulnerability+in+VSAPI+ARJ+parsing+could+allow+Remote+Code+execution.
• BID-12515: F-Secure ARJ Handling Buffer Overflow Vulnerability
• BID-12643: Trend Micro VSAPI ARJ Handling Heap Overflow Vulnerability
• CVE-2005-0350: Heap-based buffer overflow in multiple F-Secure Anti-Virus and Internet Security products allows remote attackers to execute arbitrary code via a crafted ARJ archive.
• CVE-2005-0533: Heap-based buffer overflow in Trend Micro AntiVirus Library VSAPI before 7.510, as used in multiple Trend Micro products, allows remote attackers to execute arbitrary code via a crafted ARJ file with long header file names that modify pointers within a structure.
• FrSIRT/ADV-2005-0141: F-Secure Antivirus Products ARJ archives Processing Vulnerability
• SA14216: F-Secure Multiple Products ARJ Archive Handling Vulnerability
• SA14396: Trend Micro Products AntiVirus Library Buffer Overflow
• SECTRACK ID: 1013143: F-Secure Anti-Virus Buffer Overflow in Processing ARJ Archives Lets Remote Users Execute Arbitrary Code
• SECTRACK ID: 1013289: TrendMicro OfficeScan Buffer Overflow in ARJ Parser Lets Remote Users Execute Arbitrary Code
• SECTRACK ID: 1013290: TrendMicro PC-cillin Buffer Overflow in ARJ Parser Lets Remote Users Execute Arbitrary Code

Reported:

Feb 10, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page