Topic: Critical vulnerability in Trend Micro software!!  (Read 1286 times)
01. Mar 2005, 04:12:34
The antivirus company Trend Micro has reported the existence of a critical
vulnerability in the antivirus library (AntiVirus Library) used with the
company's software products.

In addition to Internet service providers and Hotmail users, for example, the
antivirus library is also used by security products from other companies that
use licensed Trend Micro software.

The vulnerability lies in the way files archived in the ARJ format are handled.
Trend Micro's announcement says that, under certain circumstances, sending a
special file in the ARJ format makes it possible to erase data from the library
or run a malicious program. In some cases, the virus code is located in the
archive in such a way that it is very hard to detect.

The vulnerability was discovered by experts from Internet Security Systems, who
about fifteen days ago also discovered a similar vulnerability in the antivirus
library used by a large number of Symantec products. (G.B.)

----------- Addendum: 01 Mar 2005 4:06 ---------

Vulnerability Identifier: CAN-2005-0533
Discovery Date: Feb 23, 2005
Risk: Critical
Affected Software:

* Trend Micro Client / Server / Messaging Suite for SMB for Windows
* Trend Micro Client / Server Suite for SMB for Windows
* Trend Micro InterScan eManager
* Trend Micro InterScan Messaging Security Suite for Linux
* Trend Micro InterScan Messaging Security Suite for Solaris
* Trend Micro InterScan Messaging Security Suite for Windows
* Trend Micro InterScan VirusWall for AIX
* Trend Micro InterScan VirusWall for HP-UX
* Trend Micro InterScan VirusWall for Linux
* Trend Micro InterScan VirusWall for SMB
* Trend Micro InterScan VirusWall for Solaris
* Trend Micro InterScan VirusWall for Windows
* Trend Micro InterScan Web Security Suite for Linux
* Trend Micro InterScan Web Security Suite for Solaris
* Trend Micro InterScan Web Security Suite for Windows
* Trend Micro InterScan WebManager
* Trend Micro InterScan WebProtect for ISA
* Trend Micro OfficeScan Corp. Edition
* Trend Micro PC-cillin Internet Security
* Trend Micro PortalProtect for SharePoint
* Trend Micro ScanMail eManager
* Trend Micro ScanMail for Lotus Domino on AIX
* Trend Micro ScanMail for Lotus Domino on AS/400
* Trend Micro ScanMail for Lotus Domino on S/390
* Trend Micro ScanMail for Lotus Domino on Solaris
* Trend Micro ScanMail for Lotus Domino on Windows
* Trend Micro ScanMail for Microsoft Exchange
* Trend Micro ServerProtect for Linux
* Trend Micro ServerProtect for Windows

Description:

This vulnerability exists in the ARJ archive file format parser.

The ARJ archive file format is too flexible, especially in the file name field in the local header. This file name is stored as a null-terminated string and limited only by the overall size of the local header (local header size is stored as a 16-bit value and is limited to 2,600 bytes only).

If the file name exceeds the maximum allocated size, the VSAPI scan engine still copies this file name into a 512-byte buffer, overwriting the succeeding data structure. One of the fields in the said data structure is a pointer to another data structure. The next instruction after the copying of the file name is an assignment instruction to a member of the structure that is referred to by the overwritten pointer. The said routine causes an illegal memory access.

Thus, it is possible to create a specially-crafted ARJ archive file that overwrites data after the allocated 512-byte buffer. This specially-crafted file could possibly execute arbitrary code.

The ISS advisory can be seen here:

http://xforce.iss.net/xforce/alerts/id/189

Mitigating Factors

Under normal circumstances, the operating system restricts the length of file names. Thus, an attacker who wishes to trigger this vulnerability would have to create a specially-crafted ARJ archive file, which requires ARJ file format knowledge and file manipulation skills.

Solution

Upgrade your scan engine to VSAPI 7.510 or higher. For your specific product, click here.

Credits

Trend Micro acknowledges ISS X-Force's Alex Wheeler for bringing this issue to our attention.
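
An added example, not part of the original post and not Trend Micro's code: a bounds-checked extraction of the file name from an ARJ header, which rejects the over-long name the advisory describes instead of copying it into the 512-byte buffer. The layout assumed (0x60 0xEA marker, 16-bit little-endian header size, first-header-size byte, then the null-terminated name) follows the public ARJ format description; `arj_copy_name`, `arj_check_sample` and the status names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARJ_MAX_BASIC_HDR 2600u /* header size limit cited in the advisory */
#define NAME_BUF_SIZE      512u /* destination buffer size cited in the advisory */

enum arj_status { ARJ_OK, ARJ_BAD_HEADER, ARJ_NAME_UNTERMINATED, ARJ_NAME_TOO_LONG };

/* Hypothetical helper: copy the file name of one ARJ header into out[out_size].
 * Every length read from the file is checked before it is used. */
enum arj_status arj_copy_name(const uint8_t *buf, size_t len, char *out, size_t out_size)
{
    if (len < 5 || buf[0] != 0x60 || buf[1] != 0xEA)
        return ARJ_BAD_HEADER;
    size_t basic = (size_t)buf[2] | ((size_t)buf[3] << 8); /* 16-bit header size */
    if (basic == 0 || basic > ARJ_MAX_BASIC_HDR || basic > len - 4)
        return ARJ_BAD_HEADER;            /* declared size exceeds limit or input */
    size_t first = buf[4];                /* size of the fixed fields */
    if (first == 0 || first >= basic)
        return ARJ_BAD_HEADER;
    const uint8_t *name = buf + 4 + first;
    size_t room = basic - first;          /* bytes left for name and comment */
    const uint8_t *nul = memchr(name, 0, room);
    if (nul == NULL)
        return ARJ_NAME_UNTERMINATED;     /* never scan past the header */
    size_t n = (size_t)(nul - name);
    if (n >= out_size)
        return ARJ_NAME_TOO_LONG;         /* the missing check: refuse, do not copy */
    memcpy(out, name, n + 1);
    return ARJ_OK;
}

/* Constructed test input: a header whose name is name_len 'A' bytes, empty comment. */
int arj_check_sample(size_t name_len)
{
    uint8_t hdr[4 + ARJ_MAX_BASIC_HDR] = {0};
    char name[NAME_BUF_SIZE];
    size_t first = 30, basic = first + name_len + 2; /* name NUL + comment NUL */
    if (basic > ARJ_MAX_BASIC_HDR) return -1;
    hdr[0] = 0x60; hdr[1] = 0xEA; hdr[4] = (uint8_t)first;
    hdr[2] = (uint8_t)(basic & 0xFF); hdr[3] = (uint8_t)(basic >> 8);
    memset(hdr + 4 + first, 'A', name_len);
    return arj_copy_name(hdr, 4 + basic, name, sizeof name);
}

int main(void) { printf("511: %d, 512: %d\n", arj_check_sample(511), arj_check_sample(512)); return 0; }
```
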