Anti-virus software may rely on corrupted headers to determine if a zip archive is valid. As a result, anti-virus software may fail to detect malicious content within a zip archive.
Information about a zip archive, such as the size of the compressed data, is placed in headers within the archive. An attacker may be able to modify these headers to indicate that an archive contains files with sizes/lengths of zero. If anti-virus software relies on zip archive headers to determine archive validity, the anti-virus software may incorrectly interpret an archive with maliciously modified headers to contain zero-length files. Consequently, the anti-virus software would fail to detect the malicious content and allow the archive into the system.
Please note that a user may still have to extract the contents of the malicious archive to trigger exploitation.
A remote attacker may be able to craft a malicious zip archive that will evade detection by anti-virus software. Once in the system, if the remote attacker can persuade the user to accesses the malicious archive, the attacker may be able to execute arbitrary code on that user's system.
Consult Anti-Virus Vendors
This vulnerability was publicly reported by iDefense. Thanks to Dan Plakosh for providing information concerning this issue.
This document was written by Jeff Gennari.
|Date First Published:||2004-12-10|
|Date Last Updated:||2005-01-14 19:35 UTC|