February 2005

ID: 00167
Ref: 150/2005
Date: 25 February 2005:09:28:57
Version: 1

---

Title: Trend Micro AntiVirus Library Heap Overflow
Abstract: Vulnerability in VSAPI ARJ parsing could allow Remote Code execution

---

Discovery Date: Feb 23, 2005
Risk: Critical

http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=Vulnerability+in+VSAPI+ARJ+parsing+could+allow+Remote+Code+execution

Affected Software:
Trend Micro Client / Server / Messaging Suite for SMB for Windows
Trend Micro Client / Server Suite for SMB for Windows
Trend Micro InterScan eManager
Trend Micro InterScan Messaging Security Suite for Linux
Trend Micro InterScan Messaging Security Suite for Solaris
Trend Micro InterScan Messaging Security Suite for Windows
Trend Micro InterScan VirusWall for AIX
Trend Micro InterScan VirusWall for HP-UX
Trend Micro InterScan VirusWall for Linux
Trend Micro InterScan VirusWall for SMB
Trend Micro InterScan VirusWall for Solaris
Trend Micro InterScan VirusWall for Windows
Trend Micro InterScan Web Security Suite for Linux
Trend Micro InterScan Web Security Suite for Solaris
Trend Micro InterScan Web Security Suite for Windows
Trend Micro InterScan WebManager
Trend Micro InterScan WebProtect for ISA
Trend Micro OfficeScan Corp. Edition
Trend Micro PC-cillin Internet Security
Trend Micro PortalProtect for SharePoint
Trend Micro ScanMail eManager
Trend Micro ScanMail for Lotus Domino on AIX
Trend Micro ScanMail for Lotus Domino on AS/400
Trend Micro ScanMail for Lotus Domino on S/390
Trend Micro ScanMail for Lotus Domino on Solaris
Trend Micro ScanMail for Lotus Domino on Windows
Trend Micro ScanMail for Microsoft Exchange
Trend Micro ServerProtect for Linux
Trend Micro ServerProtect for Windows

Description:

This vulnerability exists in the ARJ archive file format parser.

The ARJ archive file format is too flexible especially in the file name
field in the local header. This file name is stored as a null-terminated
string and limited only by the overall size of the local header (local
header size is stored as a 16-bit value and is limited to 2,600 bytes only).

If the file name exceeds the maximum allocated size, the VSAPI scan
engine still copies this file name into a 512-byte buffer, overwriting
the succeeding data structure. One of the fields in the said data structure
is a pointer to another data stucture. The next instruction after the
copying of the file name is an assignment instruction to a member of the
structure that is referred to by the overwritten pointer. The said routine
causes an illegal memory access.

Thus, it is possible to create a specially-crafted ARJ archive file that
overwrites data after the allocated 512-byte buffer. This specially-crafted
file could possibly execute an arbitrary code.

The ISS advisory can be seen here:

http://xforce.iss.net/xforce/alerts/id/189

Mitigating Factors

Under normal circumstances, the operating system restricts the length of file
names. Thus, an attacker who wishes to trigger this vulnerability would have
to create a specially-crafted ARJ archive file, which requires ARJ file format
knowledge and file manipulation skills.

Solution

Upgrade your scan engine to VSAPI 7.510 or higher. For your specific product:
http://www.trendmicro.com/download/engine.asp

Credits

Trend Micro acknowledges ISS X-Force's Alex Wheeler for bringing this issue
to our attention.