VULNERABILITIES - December 20, 2005

Dec 19, 2005 11:31PM PST

TITLE:
Symantec AntiVirus RAR Archive Decompression Buffer Overflow

SECUNIA ADVISORY ID:
SA18131

VERIFY ADVISORY:
http://secunia.com/advisories/18131/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
Symantec AntiVirus Corporate Edition 10.x
http://secunia.com/product/5555/
Symantec AntiVirus Corporate Edition 8.x
http://secunia.com/product/659/
Symantec AntiVirus Corporate Edition 9.x
http://secunia.com/product/3549/
Symantec AntiVirus for Caching 4.x
http://secunia.com/product/4626/
Symantec AntiVirus for Network Attached Storage 4.x
http://secunia.com/product/4625/
Symantec AntiVirus for SMTP Gateways 3.x
http://secunia.com/product/2231/
Symantec AntiVirus Scan Engine 4.x
http://secunia.com/product/3040/
Symantec AntiVirus/Filtering for Domino 3.x
http://secunia.com/product/2029/
Symantec Brightmail AntiSpam 4.x
http://secunia.com/product/4627/
Symantec Brightmail AntiSpam 5.x
http://secunia.com/product/4628/
Symantec Brightmail AntiSpam 6.x
http://secunia.com/product/3656/
Symantec Client Security 1.x
http://secunia.com/product/2344/
Symantec Client Security 2.x
http://secunia.com/product/3478/
Symantec Mail Security for Domino 4.x
http://secunia.com/product/4624/
Symantec Mail Security for Exchange 4.x
http://secunia.com/product/2820/
Symantec Mail Security for SMTP 4.x
http://secunia.com/product/3558/
Symantec Norton AntiVirus 2001
http://secunia.com/product/221/
Symantec Norton AntiVirus 2002
http://secunia.com/product/846/
Symantec Norton AntiVirus 2003
http://secunia.com/product/175/
Symantec Norton AntiVirus 2004
http://secunia.com/product/2800/
Symantec Norton AntiVirus 2005
http://secunia.com/product/4009/
Symantec Norton AntiVirus 5
http://secunia.com/product/848/
Symantec Norton AntiVirus 5.0 for OS/2
http://secunia.com/product/172/
Symantec Norton AntiVirus Corporate Edition 7.x
http://secunia.com/product/643/
Symantec Norton AntiVirus for Macintosh 10.x
http://secunia.com/product/5949/
Symantec Norton AntiVirus for Macintosh 9.x
http://secunia.com/product/5948/
Symantec Norton AntiVirus for Microsoft Exchange 2.x
http://secunia.com/product/1017/
Symantec Norton AntiVirus for Microsoft Exchange 3.x
http://secunia.com/product/1018/
Symantec Norton AntiVirus Solution 7.5
http://secunia.com/product/173/
Symantec Norton Internet Security 2001
http://secunia.com/product/2802/
Symantec Norton Internet Security 2002
http://secunia.com/product/2801/
Symantec Norton Internet Security 2003
http://secunia.com/product/969/
Symantec Norton Internet Security 2003 Professional
http://secunia.com/product/970/
Symantec Norton Internet Security 2004
http://secunia.com/product/2441/
Symantec Norton Internet Security 2004 Professional
http://secunia.com/product/2442/
Symantec Norton Internet Security 2005
http://secunia.com/product/4848/
Symantec Norton Internet Security for Macintosh 3.x
http://secunia.com/product/5951/
Symantec Web Security 2.x
http://secunia.com/product/2812/
Symantec Web Security 3.x
http://secunia.com/product/2813/

DESCRIPTION:
Alex Wheeler has reported a vulnerability in Symantec AntiVirus,
which potentially can be exploited by malicious people to compromise
a vulnerable system.

The vulnerability is caused due to a boundary error in Dec2Rar.dll
when copying data based on the length field in the sub-block headers
of a RAR archive. This can be exploited to cause a heap-based buffer
overflow and may allow arbitrary code execution when a malicious RAR
archive is scanned.

The vulnerability has been reported in Dec2Rar.dll version 3.2.14.3
and potentially affects all Symantec products that use the DLL.

SOLUTION:
Filter RAR archives at email or proxy gateways.

PROVIDED AND/OR DISCOVERED BY:
Alex Wheeler

ORIGINAL ADVISORY:
http://www.rem0te.com/public/images/symc2.pdf
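
The SOLUTION above asks gateways to filter RAR archives. As an added example (not part of the advisory or of the original post), this Python filter flags RAR content in mail attachments by format signature rather than by file name, so renamed and self-extracting archives are caught too. The 1 MiB search window and all function names are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# RAR marker blocks for the 1.5-4.x and 5.x formats.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
# Assumption: search the first 1 MiB so self-extracting archives
# (RAR data appended to an executable stub) are caught as well.
SCAN_WINDOW = 1024 * 1024


def contains_rar(data: bytes) -> bool:
    """True if a RAR marker occurs anywhere inside the scan window."""
    window = data[:SCAN_WINDOW]
    return any(magic in window for magic in RAR_MAGICS)


def rar_parts(raw_message: bytes) -> list[str]:
    """Label every MIME leaf part whose decoded body holds RAR data."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""  # undoes base64/QP
        if contains_rar(body):
            hits.append(part.get_filename() or f"part-{index}")
    return hits


def verdict(raw_message: bytes) -> str:
    """Gateway decision taken before any archive decomposer sees the file."""
    return "quarantine" if rar_parts(raw_message) else "deliver"


def sample_message(filename: str, attachment: bytes) -> bytes:
    """Constructed test mail carrying one attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    renamed = sample_message("invoice.doc", RAR_MAGICS[0] + b"\x00" * 32)
    print(verdict(renamed), rar_parts(renamed))
```

A proxy gateway can call `contains_rar` on a response body in the same way; matching anywhere inside the window can occasionally flag unrelated binary data.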
