Computer Security - TrendMicro Vulnerability in VSAPI ARJ parsing could allow Remote Code execution
Vulnerability Identifier: CAN-2005-0533
Discovery Date: Feb 23, 2005
Risk: Critical

"Description: This vulnerability exists in the ARJ archive file format parser. The ARJ archive file format is too flexible, especially in the file name field in the local header. This file name is stored as a null-terminated string and limited only by the overall size of the local header (local header size is stored as a 16-bit value and is limited to 2,600 bytes only). If the file name exceeds the maximum allocated size, the VSAPI scan engine still copies this file name into a 512-byte buffer, overwriting the succeeding data structure. One of the fields in the said data structure is a pointer to another data structure. The next instruction after the copying of the file name is an assignment instruction to a member of the structure that is referred to by the overwritten pointer. The said routine causes an illegal memory access. Thus, it is possible to create a specially-crafted ARJ archive file that overwrites data after the allocated 512-byte buffer. This specially-crafted file could possibly execute arbitrary code.

The ISS advisory can be seen here: http://xforce.iss.net/xforce/alerts/id/189 "

http://www.trendmicro.com/vinfo/seca...Code+execution

-- Dave David H. Lipman
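
As an added illustration (not part of the original post and not Trend Micro's code), this C sketch shows the length checks whose absence the advisory describes. `arj_copy_name`, `struct entry` and the `name_off` parameter are hypothetical; only the 2,600-byte header limit and the 512-byte buffer come from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARJ_MAX_HDR   2600u  /* header size limit quoted in the advisory */
#define NAME_BUF_SIZE 512u   /* destination buffer size quoted in the advisory */

enum name_status { NAME_OK, NAME_BAD_HEADER, NAME_UNTERMINATED, NAME_TOO_LONG };

/* Hypothetical scanner record: name buffer followed by a pointer, mirroring
   the layout the advisory describes. */
struct entry { char name[NAME_BUF_SIZE]; void *next; };

/* hdr: bytes following the 16-bit size field; hdr_size: that field's value;
   avail: bytes actually read; name_off: assumed offset of the name in hdr. */
enum name_status arj_copy_name(const uint8_t *hdr, uint16_t hdr_size,
                               size_t avail, size_t name_off, struct entry *out)
{
    if (hdr_size == 0 || hdr_size > ARJ_MAX_HDR || hdr_size > avail ||
        name_off >= hdr_size)
        return NAME_BAD_HEADER;

    /* Look for the terminator inside the declared header only. */
    const uint8_t *name = hdr + name_off;
    const uint8_t *nul = memchr(name, 0, hdr_size - name_off);
    if (nul == NULL)
        return NAME_UNTERMINATED;

    /* The header bound (2,600) exceeds the buffer (512), so the destination
       size needs its own check before the copy. */
    size_t len = (size_t)(nul - name);
    if (len >= sizeof out->name)
        return NAME_TOO_LONG;

    memcpy(out->name, name, len + 1);   /* copy includes the terminator */
    return NAME_OK;
}

int main(void)
{
    /* Constructed sample: 30 zero bytes of fixed fields, then a 2,000-byte name. */
    static uint8_t hdr[ARJ_MAX_HDR];
    static struct entry e;
    memset(hdr + 30, 'A', 2000);
    printf("status=%d\n", arj_copy_name(hdr, 2031, sizeof hdr, 30, &e));
    return 0;
}
```

A name that fits the header but not the buffer is rejected before any write, so the pointer that follows the buffer is never touched.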