SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#305272

Symantec RAR decompression library contains multiple heap overflows

Overview

The Symantec RAR decompression library Dec2RAR.dll contains multiple heap buffer overflows. Using a specially crafted RAR archive, a remote attacker could execute arbitrary code or cause a denial of service.

I. Description

Symantec AntiVirus and other security products use a library to decompress and scan inside RAR archives. This library, Dec2RAR.dll, contains multiple heap buffer overflows. A remote attacker could exploit these vulnerabilities by causing a Symantec product to scan a specially crafted RAR archive. The attacker could accomplish this in a number of ways including hosting the archive on a web site, sending it as an email attachment, or providing it on a file system or network share.

The vulnerable library exists in Symantec products that run on Microsoft Windows platforms and may be present in OEM versions or other software based on Symantec code. Please see Symantec AntiVirus Decomposition Buffer Overflow (SYM05-027) for further information, including a list of affected products.

II. Impact

A remote attacker could execute arbitrary code or cause a denial of service. Since many scanning processes run with Local System privileges, the attacker could take complete control of a vulnerable system.

III. Solution

Upgrade

Upgrade to a fixed version as specified in Symantec AntiVirus Decomposition Buffer Overflow (SYM05-027).

Disable RAR scanning

It may be possible to filter or disable scanning of RAR archives. See Symantec AntiVirus Decomposition Buffer Overflow (SYM05-027) and Symantec AntiVirus library .rar decompression heap overflow vulnerability: Recommendations to customers for details. Depending on how the filtering mechcanism and the Symantec product identify RAR archives, it may be insufficient to rely on the file extention (.rar). Also, disabling RAR or other archive file scanning will prevent Symantec products from detecting viruses or other malicious code in those files.

Systems Affected

VendorStatusDate NotifiedDate Updated
Symantec, Inc.Vulnerable24-Dec-2005

References


http://www.rem0te.com/public/images/symc2.pdf
http://securityresponse.symantec.com/avcenter/security/Content/2005.12.21b.html
http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2005122213230354
http://www.securityfocus.com/archive/1/419853
http://secunia.com/advisories/18131/

Credit

This vulnerability was publicly reported by rem0te.com. The rem0te.com advisory credits Alex Wheeler.

This document was written by Art Manion.

Other Information

Date Public:2005-12-20
Date First Published:2005-12-21
Date Last Updated:2005-12-29
CERT Advisory: 
CVE-ID(s):CVE-2005-4438
NVD-ID(s):CVE-2005-4438
US-CERT Technical Alerts: 
Metric:21.26
Document Revision:10

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2005 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader