TrendMicro Vulnerability in VSAPI ARJ parsing could allow Remote Code execution

Discussion in 'Computer Security' started by David H. Lipman, Mar 3, 2005.

    Vulnerability Identifier: CAN-2005-0533
    Discovery Date: Feb 23, 2005
    Risk: Critical


    This vulnerability exists in the ARJ archive file format parser.

    The ARJ archive file format is too flexible, especially in the file name field in the local
    header. This file name is stored as a null-terminated string and limited only by the overall
    size of the local header (local header size is stored as a 16-bit value and is limited to
    2,600 bytes only).

    If the file name exceeds the maximum allocated size, the VSAPI scan engine still copies this
    file name into a 512-byte buffer, overwriting the succeeding data structure. One of the
    fields in the said data structure is a pointer to another data structure. The next
    instruction after the copying of the file name is an assignment instruction to a member of
    the structure that is referred to by the overwritten pointer. The said routine causes an
    illegal memory access.

    Thus, it is possible to create a specially-crafted ARJ archive file that overwrites data
    after the allocated 512-byte buffer. This specially-crafted file could possibly execute
    arbitrary code.

    The ISS advisory can be seen here: "
    David H. Lipman, Mar 3, 2005
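The advisory quoted above describes the missing check: the file name is bounded only by the 16-bit basic header size, but the engine copies it into a 512-byte buffer. The following is an added example in C (not code from the post, from ISS or from Trend Micro) of a local-header name parser that enforces that bound before copying. It assumes the standard ARJ basic header layout (2-byte magic 0x60 0xEA, 16-bit basic header size, 1-byte fixed-part size, then the null-terminated file name after the fixed part); the header builder and the 'A'-filled names are constructed test input.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ARJ_NAME_BUF 512        /* size of the engine's name buffer, per the advisory */
#define ARJ_MAX_BASIC_HDR 2600  /* ARJ basic header size limit, per the advisory */

/* Extract the file name from an ARJ local header, rejecting any name that would
 * not fit (terminator included) in an ARJ_NAME_BUF-byte buffer.
 * hdr points at the 0x60 0xEA magic; len is the number of bytes available.
 * Returns 0 and fills out on success, -1 on malformed or oversized input. */
int arj_read_name(const uint8_t *hdr, size_t len, char out[ARJ_NAME_BUF])
{
    if (len < 5 || hdr[0] != 0x60 || hdr[1] != 0xEA) return -1;
    size_t basic = hdr[2] | (hdr[3] << 8);     /* 16-bit basic header size */
    size_t first = hdr[4];                      /* size of the fixed part */
    if (basic == 0 || basic > ARJ_MAX_BASIC_HDR || first >= basic) return -1;
    if (len < 4 + basic) return -1;             /* header truncated on disk */
    const uint8_t *name = hdr + 4 + first;      /* name follows the fixed part */
    const uint8_t *end  = hdr + 4 + basic;      /* end of the basic header */
    const uint8_t *nul  = memchr(name, 0, (size_t)(end - name));
    if (nul == NULL) return -1;                 /* no terminator inside the header */
    size_t n = (size_t)(nul - name);
    if (n >= ARJ_NAME_BUF) return -1;           /* the check the advisory says was missing */
    memcpy(out, name, n);
    out[n] = '\0';
    return 0;
}

/* Constructed test input: a local header whose name is name_len 'A' bytes.
 * With terminate == 0 the name fills the header with no NUL at all. */
size_t arj_build_header(uint8_t *buf, size_t cap, size_t name_len, int terminate)
{
    size_t first = 30, basic = first + name_len + (terminate ? 2 : 0);
    if (basic > 0xFFFF || 4 + basic + 4 > cap) return 0;
    memset(buf, 0, 4 + basic + 4);              /* zeros double as name/comment NULs */
    buf[0] = 0x60; buf[1] = 0xEA;
    buf[2] = basic & 0xFF; buf[3] = (basic >> 8) & 0xFF;
    buf[4] = (uint8_t)first;
    memset(buf + 4 + first, 'A', name_len);
    return 4 + basic + 4;
}

/* Build one constructed header and return the parser's verdict (0 or -1). */
int arj_check_case(size_t name_len, int terminate)
{
    static uint8_t buf[4096];
    char name[ARJ_NAME_BUF];
    size_t n = arj_build_header(buf, sizeof buf, name_len, terminate);
    return n ? arj_read_name(buf, n, name) : -1;
}
```

A 511-byte name is accepted while 512 bytes, an unterminated name, or a header past 2,600 bytes are all rejected before any copy takes place.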
