Symantec AntiVirus Library RAR parsing multiple buffer overflows
| symantec-rar-multiple-bo (23705) |  High Risk |
Description:
Multiple Symantec gateway, server, and client AntiVirus products that use the Symantec AntiVirus Library could allow a remote attacker to gain complete control of the system, caused by multiple heap-based buffer overflow vulnerabilities in the Dec2Rar.dll module, which parses RAR files. By creating a specially-crafted RAR file and sending it to an affected system in an email or over other common protocols, a remote attacker could overflow a buffer and execute arbitrary code on the system once the malicious RAR file is parsed. If successfully exploited, an attacker can gain complete control of the system running the AntiVirus engine, as well as any system the AntiVirus engine protects.
Consequences:
Gain Access
Remedy:
Refer to Symantec Security Advisory SYM05-027 for upgrade information. See References.
References:
- Full-Disclosure Mailing List, Tue Dec 20 2005 - 07:58:55 CST: Symantec Antivirus Library Remote Heap Overflows.
- Internet Security Systems Protection Alert December 22, 2005: Symantec RAR File Parser Remote Heap Overflow.
- Symantec Security Response SYM05-027: Symantec AntiVirus Decomposition Buffer Overflow.
- BID-15971: Symantec Antivirus Library RAR Decompression Heap Overflow Vulnerabilities
- CVE-2005-4438: Heap-based buffer overflow in Dec2Rar.dll 3.2.14.3, as distributed in the Symantec Antivirus Library and used by various Symantec products, allows remote attackers to execute arbitrary code via RAR archives with sub-block headers that contain incorrect values in the length field.
- SA18131: Symantec AntiVirus RAR Archive Decompression Buffer Overflow
- SECTRACK ID: 1015384: Symantec Anti Virus Library Buffer Overflows in Processing RAR Format Sub-Block Header Length Values Let Remote Users Execute Arbitrary Code
- US-CERT VU#305272: Symantec RAR decompression library contains multiple heap overflows
- VUPEN/ADV-2005-3003: Symantec AntiVirus RAR Archive Handling Buffer Overflow Vulnerability
Platforms Affected:
- Symantec AntiVirus Scan Engine
Reported:
Dec 20, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net