US-CERT Vulnerability Notes Database
Vulnerability Note VU#968818

Anti-virus software may not properly scan malformed zip archives

Overview

Anti-virus software may rely on the headers of a zip archive, which an attacker can corrupt, to determine whether the archive is valid. As a result, anti-virus software may fail to detect malicious content within a zip archive.

I. Description

Information about a zip archive, such as the size of the compressed data, is placed in headers within the archive. An attacker may be able to modify these headers so that the archive appears to contain files of size zero. If anti-virus software relies on the zip archive headers to determine archive validity, it may incorrectly interpret an archive with maliciously modified headers as containing only zero-length files. Consequently, the anti-virus software would fail to detect the malicious content and allow the archive onto the system.

Please note that a user may still have to extract the contents of the malicious archive to trigger exploitation.
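The check a scanner needs here is to treat the size fields as untrusted input rather than as the truth about what the archive holds. The following script is an added illustration, not code from US-CERT or from any anti-virus product: it builds a small constructed archive in memory, zeroes the size fields in the local file headers (and optionally the central directory) to reproduce the malformation described above, and then audits the archive by comparing the local header against the central directory and against the bytes that physically sit between one header and the next. Field offsets follow the public zip format (APPNOTE); the entry name and content are constructed filler, and the function names are this example's own.

```python
import io
import struct
import zipfile
import zlib

# Constructed sample entry; the content is harmless filler, not malware.
SAMPLE_NAME = "payload.txt"
SAMPLE_DATA = b"constructed sample content, nothing malicious here\n" * 20


def build_sample_zip() -> bytes:
    """Build a small, well-formed deflated archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(SAMPLE_NAME, SAMPLE_DATA)
    return buf.getvalue()


def _central_directory(data: bytes):
    """Walk the end-of-central-directory record and return the entries it lists."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_offset
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory signature")
        (flags, method, crc, comp, uncomp, name_len, extra_len,
         comment_len) = struct.unpack_from("<HH4xIIIHHH", data, pos + 8)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append(dict(name=name, flags=flags, method=method, crc=crc, comp=comp,
                            uncomp=uncomp, local_off=local_off, cd_pos=pos))
        pos += 46 + name_len + extra_len + comment_len
    return entries, cd_offset


def zero_size_fields(data: bytes, also_central: bool = False) -> bytes:
    """Reproduce the malformation the note describes on a constructed archive:
    set the compressed/uncompressed size fields to zero in every local file
    header (and optionally in the central directory as well)."""
    buf = bytearray(data)
    entries, _ = _central_directory(data)
    for e in entries:
        struct.pack_into("<II", buf, e["local_off"] + 18, 0, 0)
        if also_central:
            struct.pack_into("<II", buf, e["cd_pos"] + 20, 0, 0)
    return bytes(buf)


def audit_zip(data: bytes) -> dict:
    """Inspect every entry without trusting the size fields. Returns the
    inconsistencies found and the bytes actually recovered for each entry."""
    entries, cd_offset = _central_directory(data)
    findings, recovered = [], {}
    # Each entry's data is bounded by the next local header or by the central
    # directory, so the layout itself tells us how many bytes really follow.
    bounds = sorted(e["local_off"] for e in entries) + [cd_offset]
    for e in entries:
        off, name = e["local_off"], e["name"]
        if data[off:off + 4] != b"PK\x03\x04":
            findings.append(f"{name}: missing local file header signature")
            continue
        flags, l_crc, l_comp, l_uncomp, name_len, extra_len = struct.unpack_from(
            "<H6xIIIHH", data, off + 6)
        data_start = off + 30 + name_len + extra_len
        available = bounds[bounds.index(off) + 1] - data_start
        # With general-purpose flag bit 3 set, zero sizes in the local header are
        # legitimate: the real values live in a trailing data descriptor and in
        # the central directory. Only without that flag is a zero suspicious.
        if not flags & 0x0008:
            if (l_crc, l_comp, l_uncomp) != (e["crc"], e["comp"], e["uncomp"]):
                findings.append(f"{name}: local header disagrees with central directory")
            if l_comp == 0 and available > 0:
                findings.append(f"{name}: header claims 0 bytes but {available} bytes follow")
        # Prefer the central directory size; if that is zero too, take what is physically present.
        comp_len = e["comp"] or available
        raw = data[data_start:data_start + comp_len]
        if e["method"] == 0:
            content = raw
        elif e["method"] == 8:
            content = zlib.decompressobj(-15).decompress(raw)
        else:
            findings.append(f"{name}: unsupported compression method {e['method']}")
            continue
        if zlib.crc32(content) != e["crc"]:
            findings.append(f"{name}: CRC mismatch after recovery")
        recovered[name] = content
    return {"findings": findings, "recovered": recovered}


if __name__ == "__main__":
    clean = build_sample_zip()
    for label, archive in (("clean", clean), ("local zeroed", zero_size_fields(clean)),
                           ("local+central zeroed", zero_size_fields(clean, True))):
        result = audit_zip(archive)
        print(label, result["findings"], len(result["recovered"][SAMPLE_NAME]), "bytes recovered")
```

The point of the audit is that every byte between a local header and the next structure still gets decompressed and CRC-checked even when both size fields read zero, which is exactly the content a header-trusting scanner would skip. The flag-bit-3 caveat matters in practice: streamed archives legitimately carry zero sizes in the local header, so a naive "zero size means corrupt" rule would produce false positives on valid files.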

II. Impact

A remote attacker may be able to craft a malicious zip archive that will evade detection by anti-virus software. Once the archive is on the system, if the remote attacker can persuade the user to access it, the attacker may be able to execute arbitrary code on that user's system.

III. Solution

Consult Anti-Virus Vendors

Users are encouraged to contact their anti-virus vendors to determine if they are vulnerable and what corrective actions to take.

Systems Affected

Vendor                 Status    Date Notified   Date Updated
AKS                    Unknown   9-Dec-2004
Check Point            Unknown   9-Dec-2004
CommandCom             Unknown   9-Dec-2004
Computer Associates    Unknown   9-Dec-2004
CPAN                   Unknown   9-Dec-2004
CyberSoft              Unknown   9-Dec-2004
eset Antivirus         Unknown   9-Dec-2004
F-Secure               Unknown   9-Dec-2004
Finjan Software        Unknown   9-Dec-2004
Fortinet               Unknown   9-Dec-2004
Kaspersky              Unknown   9-Dec-2004
McAfee                 Unknown   9-Dec-2004
MessageLabs            Unknown   9-Dec-2004
RAV                    Unknown   9-Dec-2004
Sophos                 Unknown   9-Dec-2004
Symantec Corporation   Unknown   10-Dec-2004

References

http://www.linuxsecurity.com/advisories/gentoo_advisory-5043.html
http://rt.cpan.org/NoAuth/Bug.html?id=8077
http://www.idefense.com/application/poi/display?id=153

Credit

This vulnerability was publicly reported by iDefense.

Thanks to Dan Plakosh for providing information concerning this issue.

This document was written by Jeff Gennari.

Other Information

Date Public: 2004-10-18
Date First Published: 2004-12-10
Date Last Updated: 2005-01-14
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 7.59
Document Revision: 106

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2004 Carnegie Mellon University