Description:
This vulnerability exists in the ARJ archive file format parser. Affected software (refer to the list above) includes only those Trend Micro products that use a Scan Engine version prior to VSAPI 7.510.
The ARJ archive file format is too flexible, especially in the file name field of the local header. The file name is stored as a null-terminated string and is limited only by the overall size of the local header (the local header size is stored as a 16-bit value and is limited to 2,600 bytes).
If the file name exceeds the maximum allocated size, the VSAPI scan engine still copies it into a 512-byte buffer, overwriting the data structure that follows. One of the fields in that data structure is a pointer to another data structure. The instruction that follows the copy of the file name assigns a value to a member of the structure referenced by the overwritten pointer, so the routine dereferences a corrupted pointer and causes an illegal memory access.
Thus, it is possible to create a specially-crafted ARJ archive file that overwrites data after the allocated 512-byte buffer. Such a file could possibly execute arbitrary code.
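The following is an added example, not Trend Micro's engine code, showing how a local-header parser can copy the file name into the same 512-byte buffer safely: it bounds the header size to the 2,600-byte limit the advisory describes, searches for the terminator only inside the header, and rejects any name that would not fit. The layout assumption (header body byte 0 gives the offset of the file name) and the 30-byte offset used by the test fixture are assumptions, not taken from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ARJ_MAX_HEADER  2600  /* basic header size limit stated in the advisory */
#define NAME_BUF_SIZE   512   /* destination buffer size described in the advisory */
#define FIRST_HDR_SIZE  30    /* assumed offset of the file name inside the header body */

enum arj_status { ARJ_OK = 0, ARJ_ERR_HEADER_SIZE, ARJ_ERR_NAME_OFFSET,
                  ARJ_ERR_NAME_UNTERMINATED, ARJ_ERR_NAME_TOO_LONG };

/* Copy the file name of an ARJ local header into a fixed 512-byte buffer.
 * hdr points at the 2-byte little-endian header size; hdr_len is the bytes available.
 * Assumption (not from the advisory): body byte 0 is "first header size", the offset
 * of the NUL-terminated file name from the start of the header body. */
enum arj_status arj_copy_filename(const uint8_t *hdr, size_t hdr_len,
                                  char out[NAME_BUF_SIZE])
{
    if (hdr_len < 3) return ARJ_ERR_HEADER_SIZE;
    size_t header_size = (size_t)hdr[0] | ((size_t)hdr[1] << 8);
    if (header_size == 0 || header_size > ARJ_MAX_HEADER || header_size + 2 > hdr_len)
        return ARJ_ERR_HEADER_SIZE;
    const uint8_t *body = hdr + 2;
    size_t name_off = body[0];
    if (name_off >= header_size) return ARJ_ERR_NAME_OFFSET;
    /* Look for the terminator only inside the header: never strlen()/strcpy() here. */
    const uint8_t *nul = memchr(body + name_off, 0, header_size - name_off);
    if (nul == NULL) return ARJ_ERR_NAME_UNTERMINATED;
    size_t name_len = (size_t)(nul - (body + name_off));
    /* The bound the vulnerable engine lacked: name plus NUL must fit the buffer. */
    if (name_len >= NAME_BUF_SIZE) return ARJ_ERR_NAME_TOO_LONG;
    memcpy(out, body + name_off, name_len + 1);
    return ARJ_OK;
}

/* Test fixture: build a constructed (synthetic) local header whose name is name_len
 * 'A' bytes, optionally NUL-terminated, and return the parser's verdict on it. */
enum arj_status check_name_len(size_t name_len, int terminated)
{
    static uint8_t hdr[2 + 65535];
    char out[NAME_BUF_SIZE];
    size_t header_size = FIRST_HDR_SIZE + name_len + (terminated ? 2 : 0);
    if (header_size > 0xFFFF) return ARJ_ERR_HEADER_SIZE;
    hdr[0] = (uint8_t)(header_size & 0xFF);
    hdr[1] = (uint8_t)(header_size >> 8);
    memset(hdr + 2, 0, header_size);           /* zeroed: NUL and empty comment follow */
    hdr[2] = FIRST_HDR_SIZE;
    memset(hdr + 2 + FIRST_HDR_SIZE, 'A', name_len);
    return arj_copy_filename(hdr, 2 + header_size, out);
}
```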
The ISS advisory can be seen here:
Mitigating Factors
Under normal circumstances, the operating system restricts the length of file names. Thus, an attacker who wishes to trigger this vulnerability would have to create a specially-crafted ARJ archive file, which requires ARJ file format knowledge and file manipulation skills.
Solution
IMPORTANT: Affected software includes only those Trend Micro products that use a Scan Engine version prior to VSAPI 7.510.
Upgrade your scan engine to VSAPI 7.510 or higher. For your specific product, click here.
Credits
Trend Micro acknowledges ISS X-Force's Alex Wheeler for bringing this issue to our attention.