Antivirus ARJ archive buffer overflow

arj-archive-long-filename-detected (19140). The risk level is classified as High Risk.

Description:

F-Secure and Trend Micro Antivirus products are vulnerable to a buffer overflow, caused by improper bounds checking when handling ARJ archives. If archive scanning is enabled, a remote attacker could create a specially-crafted ARJ archive to overflow a buffer and execute arbitrary code on the system, once the malicious archive is scanned.

Platforms Affected:

  • F-Secure, Anti-Virus 2004
  • F-Secure, Anti-Virus 2005
  • F-Secure, Anti-Virus Client Security 5.01 and prior
  • F-Secure, Anti-Virus Client Security 5.55 and prior
  • F-Secure, Anti-Virus for Citrix Servers 5.50
  • F-Secure, Anti-Virus for Firewalls 6.20 and prior
  • F-Secure, Anti-Virus for Linux Gateways 4.61 and prior
  • F-Secure, Anti-Virus for Linux Servers 4.61 and prior
  • F-Secure, Anti-Virus for Linux WS 4.52 and prior
  • F-Secure, Anti-Virus for MIMEsweeper 5.51 and prior
  • F-Secure, Anti-Virus for MS Exchange 6.31 and prior
  • F-Secure, Anti-Virus for Samba Servers 4.60
  • F-Secure, Anti-Virus for Windows Servers 5.50 and prior
  • F-Secure, Anti-Virus for Workstation 5.43 and prior
  • F-Secure, Anti-Virus Linux Server Sec 5.01 and prior
  • F-Secure, Internet Gatekeeper 6.41 and prior
  • F-Secure, Internet Gatekeeper for Linux 2.06
  • F-Secure, Internet Security 2004
  • Trend Micro, Client Server Messaging Suite SMB for Windows
  • Trend Micro, Client Server Suite SMB for Windows
  • Trend Micro, InterScan eManager
  • Trend Micro, InterScan Messaging Security 3.1 Build 1027
  • Trend Micro, InterScan Messaging Security Linux
  • Trend Micro, InterScan Messaging Security Solaris
  • Trend Micro, InterScan Messaging Security Windows
  • Trend Micro, InterScan VirusWall 3.8 Build 1130
  • Trend Micro, InterScan VirusWall AIX
  • Trend Micro, InterScan VirusWall HP-UX
  • Trend Micro, InterScan VirusWall Linux
  • Trend Micro, InterScan VirusWall SMB
  • Trend Micro, InterScan VirusWall Solaris
  • Trend Micro, InterScan VirusWall Windows
  • Trend Micro, InterScan Web Security Suite Linux
  • Trend Micro, InterScan Web Security Suite Solaris
  • Trend Micro, InterScan Web Security Suite Windows
  • Trend Micro, InterScan WebManager
  • Trend Micro, InterScan WebProtect for ISA
  • Trend Micro, OfficeScan Corp. Edition
  • Trend Micro, PC-cillin Internet Security
  • Trend Micro, PortalProtect for Sharepoint
  • Trend Micro, ScanMail eManager
  • Trend Micro, ScanMail Microsoft Exchange
  • Trend Micro, ScanMail for Domino AIX
  • Trend Micro, ScanMail for Domino Solaris
  • Trend Micro, ScanMail for Domino AS 400
  • Trend Micro, ScanMail for Domino S 390
  • Trend Micro, ScanMail for Domino Windows
  • Trend Micro, ServerProtect Windows
  • Trend Micro, ServerProtect Linux
  • Trend Micro, ServerProtect Netware

Remedy:

Install the appropriate hotfix or upgrade to the latest version, as listed in F-Secure Security Bulletin FSC-2005-1. See References.

Consequences:

Gain Access

References:

Reported:

Feb 10, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net