The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

vulnerability note CVE-2006-5645 CVE-2006-6458

Antivirus: infinite loop via a RAR archive

Synthesis of the vulnerability

An attacker can create a malicious RAR archive in order to generate an infinite loop in some antivirus.
Vulnerable products: CA Antivirus, e-Trust Antivirus, Sophos AV, TrendMicro Internet Security.
Severity of this weakness: 2/4.
Consequences of an attack: denial of service on service.
Hacker's origin: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 11/12/2006.
Références of this bulletin: 7609, BID-21509, CAID 35525, CAID 35526, CVE-2006-5645, CVE-2006-6458, CVE-2007-5645-ERROR, iDefense Security Advisory 12.08.06, VIGILANCE-VUL-6384.

Description of the vulnerability

The RAR format is composed of successive headers and data sections.

The "Archive Header" section is the main header of the file. The "head_size" field indicates size of this header and the "pack_size" header indicates the compressed size.

When "head_size" and "pack_size" fields are set to zero, archive is invalid. However, some antivirus enter an infinite loop trying to read data.

Antivirus identified as vulnerable are:
 - CA Anti-Virus
 - Sophos Small business edition (Windows/Linux) 4.06.1 (engine version 2.34.3)
 - Trend Micro Office Scan 7.3
 - Trend Micro PC Cillin - Internet Security 2006
 - Trend Micro Server Protect 5.58
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides a system vulnerability patch. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.