The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Antivirus: infinite loop via a RAR archive

Synthesis of the vulnerability

An attacker can create a malicious RAR archive in order to trigger an infinite loop in some antivirus products.
Severity of this weakness: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 11/12/2006.
References of this bulletin: 7609, BID-21509, CAID 35525, CAID 35526, CVE-2006-5645, CVE-2006-6458, CVE-2007-5645-ERROR, iDefense Security Advisory 12.08.06, VIGILANCE-VUL-6384.

Description of the vulnerability

The RAR format is composed of successive headers and data sections.

The "Archive Header" section is the main header of the file. The "head_size" field indicates the size of this header and the "pack_size" field indicates the compressed size.

When the "head_size" and "pack_size" fields are set to zero, the archive is invalid. However, some antivirus products enter an infinite loop while trying to read the data.
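
One way a scanner's block walker can refuse such an archive, as an added example (not code from this bulletin or from any vendor). It assumes the classic pre-RAR5 block layout from the public RAR technical note (a 7-byte base header, followed by a 4-byte size field when flag 0x8000 is set); the function name and the sample buffers are hypothetical and constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RAR_BASE_HDR     7       /* CRC(2) TYPE(1) FLAGS(2) HEAD_SIZE(2) */
#define RAR_HAS_ADD_SIZE 0x8000  /* a 4-byte size follows the base header */

/* Constructed samples: marker block + archive header (CRC bytes not real). */
static const uint8_t SAMPLE_OK[]   = { 0x52,0x61,0x72,0x21,0x1a,0x07,0x00,
                                       0,0,0x73,0,0,13,0, 0,0,0,0,0,0 };
static const uint8_t SAMPLE_ZERO[] = { 0x52,0x61,0x72,0x21,0x1a,0x07,0x00,
                                       0,0,0x73,0,0,0,0,  0,0,0,0,0,0 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the blocks of a RAR buffer. Returns the number of blocks walked,
 * or -1 if a block is malformed, including one that would not advance. */
int rar_walk_blocks(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int blocks = 0;
    while (off < len) {
        if (len - off < RAR_BASE_HDR) return -1;       /* truncated header */
        uint16_t flags = le16(buf + off + 3);
        uint16_t head_size = le16(buf + off + 5);
        uint32_t pack_size = 0;
        /* head_size counts the base header itself, so a smaller value is
         * invalid; head_size == 0 is the case described in the bulletin. */
        if (head_size < RAR_BASE_HDR || head_size > len - off) return -1;
        if (flags & RAR_HAS_ADD_SIZE) {
            if (head_size < RAR_BASE_HDR + 4) return -1;
            pack_size = le32(buf + off + RAR_BASE_HDR);
        }
        uint64_t step = (uint64_t)head_size + pack_size; /* no 32-bit wrap */
        if (step > len - off) return -1;               /* data runs past EOF */
        off += (size_t)step;                           /* step >= 7: progress */
        blocks++;
    }
    return blocks;
}

int main(void) {
    printf("valid sample: %d\n", rar_walk_blocks(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("zero sizes:   %d\n", rar_walk_blocks(SAMPLE_ZERO, sizeof SAMPLE_ZERO));
    return 0;
}
```

A loop that instead advances by `head_size + pack_size` without the minimum-size check never moves past a block where both are zero, which is the hang this bulletin describes.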

Antivirus products identified as vulnerable are:
 - CA Anti-Virus
 - Sophos Small business edition (Windows/Linux) 4.06.1 (engine version 2.34.3)
 - Trend Micro Office Scan 7.3
 - Trend Micro PC Cillin - Internet Security 2006
 - Trend Micro Server Protect 5.58

This vulnerability bulletin impacts software or systems such as CA Antivirus, e-Trust Antivirus, Sophos AV, TrendMicro Internet Security.

Our Vigil@nce team determined that the severity of this security note is medium.

The trust level is "confirmed by the editor", with an origin of "document".

This bulletin is about 3 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level ability can exploit this cybersecurity note.

Solutions for this threat

Computer Associates AV: patch for CHM and RAR.
A patch is indicated in CA's announcement.

Sophos Anti-Virus: version.
Sophos's document contains two tables indicating corrected versions.

Trend Micro: version 8.150.
Version 8.150 (HPUX, AIX) is corrected.