Symantec Antivirus Rar Archive Decompression Buffer Overflow

Story published by Secunia

Source: Alex Wheeler

Alex Wheeler has reported a vulnerability in Symantec AntiVirus, which potentially can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused by a boundary error in Dec2Rar.dll when copying data based on the length field in the sub-block headers of a RAR archive. This can be exploited to cause a heap-based buffer overflow and may allow arbitrary code execution when a malicious RAR archive is scanned.

The vulnerability has been reported in Dec2Rar.dll version 3.2.14.3 and potentially affects all Symantec products that use the DLL.

Solution:

The vendor is currently investigating the issue and working on an update. Refer to the original advisory for more information on the list of affected products.

An antivirus-based protection signature has been added on 2005-12-20 via LiveUpdate to detect potential exploits of the vulnerability.

Secunia Advisory

Edited by Brandon
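As an added defender-side illustration (not Symantec's code, not Secunia's text, and not the real RAR sub-block layout, which is assumed here to be a 2-byte little-endian length followed by the body), the unchecked copy pattern the advisory describes is shown next to a checked parser that rejects a length field larger than either the bytes remaining in the archive or the destination buffer:

```c
#include <stdint.h>
#include <string.h>

/* Illustrative sub-block layout (assumed here, not the real RAR format):
 * a 2-byte little-endian body length followed by the body bytes. */
#define HDR_LEN 2
/* Fixed capacity of the destination the scanner copies a body into. */
#define BODY_CAP 8
typedef struct { uint8_t data[BODY_CAP]; size_t used; } body_buf_t;
static size_t rd_le16(const uint8_t *p) { return (size_t)p[0] | ((size_t)p[1] << 8); }

/* The pattern the advisory describes: the copy length is taken straight from
 * the header, so a crafted length overruns the fixed-size destination. */
void copy_body_unchecked(const uint8_t *blk, body_buf_t *out) {
    out->used = rd_le16(blk);
    memcpy(out->data, blk + HDR_LEN, out->used);
}

/* Hardened form: the length must fit both the bytes still present in the
 * archive and the destination capacity. Returns 0 on success, -1 otherwise. */
int copy_body_checked(const uint8_t *blk, size_t remaining, body_buf_t *out) {
    if (remaining < HDR_LEN) return -1;          /* truncated header */
    size_t len = rd_le16(blk);
    if (len > remaining - HDR_LEN) return -1;    /* claims more than the archive holds */
    if (len > BODY_CAP) return -1;               /* would overrun out->data */
    memcpy(out->data, blk + HDR_LEN, len);
    out->used = len;
    return 0;
}

/* Walk consecutive sub-blocks; returns the number accepted, or -1 at the
 * first block that fails validation (scanning stops there). */
int scan_subblocks(const uint8_t *arc, size_t n) {
    body_buf_t buf;
    size_t off = 0; int count = 0;
    while (off < n) {
        if (copy_body_checked(arc + off, n - off, &buf) != 0) return -1;
        off += HDR_LEN + buf.used;
        count++;
    }
    return count;
}

/* Constructed samples (not taken from any real archive). */
const uint8_t kGood[] = { 0x03,0x00,'a','b','c', 0x02,0x00,'d','e' };
/* Third block claims 65535 body bytes when only 2 remain. */
const uint8_t kBad[] = { 0x03,0x00,'a','b','c', 0x02,0x00,'d','e', 0xFF,0xFF,'x','y' };
/* Length matches the archive but exceeds BODY_CAP. */
const uint8_t kOversized[] = { 0x0A,0x00,'0','1','2','3','4','5','6','7','8','9' };
```

The second check matters on its own: an archive can be internally consistent and still name a body larger than the scanner's buffer, which is exactly the case the length-against-remaining test alone would miss.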
Story published by Secunia

Source: Alex Wheeler

Alex Wheeler has reported a vulnerability in Symantec AntiVirus, which potentially can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused by a boundary error in Dec2Rar.dll when copying data based on the length field in the sub-block headers of a RAR archive. This can be exploited to cause a heap-based buffer overflow and may allow arbitrary code execution when a malicious RAR archive is scanned.

The vulnerability has been reported in Dec2Rar.dll version 3.2.14.3 and potentially affects all Symantec products that use the DLL.

Solution:

Filter RAR archives at email or proxy gateways.

Secunia Advisory

Glad to see they updated it to include

An antivirus-based protection signature has been added on 2005-12-20 via LiveUpdate to detect potential exploits of the vulnerability.

So the solution for now is to run LiveUpdate.


Updated 12/30/05

Here are some hotfixes for Gateway Security 1.0 and Gateway Security 5400 Series.

Symantec Brightmail AntiSpam 6.0.3 (keno-20051118-01):

Apply patch 164.

ftp://ftp.symantec.com/public/english_us_...es/patch164.zip

Symantec Gateway Security 1.0 (Model 5110):

http://www.symantec.com/techsupp/enterpris...5110/files.html

Symantec Gateway Security 1.0 (Model 5200/5300):

http://www.symantec.com/techsupp/enterpris...5300/files.html

Symantec Gateway Security 1.0 (Model 5310):

http://www.symantec.com/techsupp/enterpris...5310/files.html

Symantec Gateway Security 2.0.1 (Model 5400):

http://www.symantec.com/techsupp/enterpris...5400/files.html
