ID CVE-2012-6706
Summary A VMSF_DELTA memory corruption was discovered in unrar before 5.5.5, as used in Sophos Anti-Virus Threat Detection Engine before 3.37.2 and other products, that can lead to arbitrary code execution. An integer overflow can be caused in DataSize+CurChannel. The result is a negative value of the "DestPos" variable, which allows the attacker to write out of bounds when setting Mem[DestPos].
References
Vulnerable Configurations
  • cpe:2.3:a:sophos:threat_detection_engine:3.36.2
  • cpe:2.3:a:rarlab:unrar:5.5.4
CVSS
Base: 10.0
Impact:
Exploitability:
CWE CWE-190
CAPEC
  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation or similar. The attacker would typically control the value of such a variable and try to push it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, thereby yielding a very incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code.
exploit-db via4
description Microsoft Windows Defender - 'mpengine.dll' Memory Corruption. CVE-2018-0986. DoS exploit for Windows platform
file exploits/windows/dos/44402.txt
id EDB-ID:44402
last seen 2018-05-24
modified 2018-04-05
platform windows
port
published 2018-04-05
reporter Exploit-DB
source https://www.exploit-db.com/download/44402/
title Microsoft Windows Defender - 'mpengine.dll' Memory Corruption
type dos
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201709-24.NASL
    description The remote host is affected by the vulnerability described in GLSA-201709-24 (RAR, UnRAR: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in RAR and UnRAR. Please review the referenced CVE identifiers for details. Impact: A remote attacker, by enticing a user to open a specially crafted RAR, could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 103463
    published 2017-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103463
    title GLSA-201709-24 : RAR, UnRAR: Multiple vulnerabilities
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201710-21.NASL
    description The remote host is affected by the vulnerability described in GLSA-201710-21 (Kodi: Arbitrary code execution). Kodi is vulnerable due to shipping with an embedded version of UnRAR. Please review the referenced CVE identifier for details. Impact: A remote attacker, by enticing a user to process a specifically crafted RAR file, could execute arbitrary code. Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-06-07
    plugin id 104064
    published 2017-10-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104064
    title GLSA-201710-21 : Kodi: Arbitrary code execution
  • NASL family Misc.
    NASL id MCAFEE_WEB_GATEWAY_SB10205.NASL
    description The remote host is running a version of McAfee Web Gateway (MWG) that is affected by multiple security vulnerabilities:
      - A memory corruption flaw exists in unrar before 5.5.5, as used in Sophos Anti-Virus Threat Detection Engine before 3.37.2 and other products, that allows remote attackers to execute arbitrary code. (CVE-2012-6706)
      - A memory corruption flaw exists in Linux Kernel versions 4.11.5 and earlier that allows remote attackers to execute arbitrary code with elevated privileges. (CVE-2017-1000364)
      - A memory corruption flaw exists in the handling of LD_LIBRARY_PATH that allows a remote attacker to manipulate the heap/stack, which may lead to arbitrary code execution. This issue only affects GNU glibc 2.25 and prior. (CVE-2017-1000366)
      - An input validation flaw exists in Todd Miller's sudo version 1.8.20p1 and earlier that results in information disclosure and arbitrary command execution. (CVE-2017-1000368)
    last seen 2019-02-21
    modified 2018-07-13
    plugin id 102496
    published 2017-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102496
    title McAfee Web Gateway 7.6.x < 7.6.2.15 / 7.7.x < 7.7.2.3 Multiple Vulnerabilities (SB10205)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1716-1.NASL
    description This update for clamav fixes the following issues:
      Security issue fixed:
      - CVE-2012-6706: Fixed an arbitrary memory write in VMSF_DELTA filter in libclamunrar (bsc#1045490)
      Non security issues fixed:
      - Provide and obsolete clamav-nodb to trigger its removal in openSUSE Leap. (bsc#1040662)
      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 101143
    published 2017-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101143
    title SUSE SLED12 / SLES12 Security Update : clamav (SUSE-SU-2017:1716-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1745-1.NASL
    description This update for unrar fixes the following issues:
      - CVE-2012-6706: decoding malicious RAR files could have led to memory corruption or code execution. (bsc#1045315)
      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 101204
    published 2017-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101204
    title SUSE SLED12 / SLES12 Security Update : unrar (SUSE-SU-2017:1745-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201708-05.NASL
    description The remote host is affected by the vulnerability described in GLSA-201708-05 (RAR and UnRAR: User-assisted execution of arbitrary code). A VMSF_DELTA memory corruption was discovered in which an integer overflow can be caused in DataSize+CurChannel. The result is a negative value of the "DestPos" variable which allows writing out of bounds when setting Mem[DestPos]. Impact: A remote attacker, by enticing a user to open a specially crafted archive, could execute arbitrary code with the privileges of the process. Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 102617
    published 2017-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102617
    title GLSA-201708-05 : RAR and UnRAR: User-assisted execution of arbitrary code
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-724.NASL
    description This update for unrar to version 5.5 fixes the following issues:
      Version 5.5.5
      - CVE-2012-6706: fixes VMSF_DELTA memory corruption (boo#1045315); see https://bugs.chromium.org/p/project-zero/issues/detail?id=1286&can=1&q=unrar&desc=2
      Version 5.5.1
      - Based on RAR 5.50 beta1
      - Added extraction support for .LZ archives created by Lzip compressor.
      - Modern TAR tools can store high precision file times, lengthy file names and large file sizes in special PAX extended headers inside of TAR archive. Now WinRAR supports such PAX headers and uses them when extracting TAR archives.
      - unrar no longer fails to unpack files in ZIP archives compressed with XZ algorithm and encrypted with AES.
      Version 5.4.5
      - Based on final RAR 5.40.
      - If RAR recovery volumes (.rev files) are present in the same folder as usual RAR volumes, archive test command verifies .rev contents after completing testing .rar files. If you wish to test only .rev files without checking .rar volumes, you can run: `unrar t arcname.part1.rev`.
      - If -p switch is used without optional parameter, a password can be also set with file redirection or pipe.
      - unrar treats 'arcname.partN' as 'arcname.partN.rar' if 'arcname.partN' does not exist and 'arcname.part#.rar' exists. For example, it is allowed to run: `unrar x arcname.part01` to start extraction from 'arcname.part01.rar'.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 103163
    published 2017-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103163
    title openSUSE Security Update : unrar (openSUSE-2017-724)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1763-1.NASL
    description This update for clamav fixes the following issues:
      Security issue fixed:
      - CVE-2012-6706: Fixed an arbitrary memory write in VMSF_DELTA filter in libclamunrar (bsc#1045490)
      Non security issue fixed:
      - Fix permissions of /var/spool/amavis. (bsc#815106)
      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 101222
    published 2017-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101222
    title SUSE SLES11 Security Update : clamav (SUSE-SU-2017:1763-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1003.NASL
    description It was reported that unrar fixed a VMSF_DELTA memory corruption issue in their latest version unrarsrc-5.5.5.tar.gz. This problem was reported to Sophos AV in 2012 but never reached upstream rar. For Debian 7 'Wheezy', these problems have been fixed in version 1:4.1.4-1+deb7u2. We recommend that you upgrade your unrar-nonfree packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 101065
    published 2017-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101065
    title Debian DLA-1003-1 : unrar-nonfree security update
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-779.NASL
    description This update for clamav fixes the following security issue:
      - CVE-2012-6706: Fixed an arbitrary memory write in VMSF_DELTA filter in libclamunrar (bsc#1045490)
      This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 101277
    published 2017-07-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101277
    title openSUSE Security Update : clamav (openSUSE-2017-779)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-0809-1.NASL
    description This update for clamav fixes the following issues:
      Security issues fixed:
      - CVE-2012-6706: VMSF_DELTA filter inside the unrar implementation allows an arbitrary memory write (bsc#1045315).
      - CVE-2017-6419: A heap-based buffer overflow that can lead to a denial of service in libmspack via a crafted CHM file (bsc#1052449).
      - CVE-2017-11423: A stack-based buffer over-read that can lead to a denial of service in mspack via a crafted CAB file (bsc#1049423).
      - CVE-2018-1000085: An out-of-bounds heap read vulnerability was found in XAR parser that can lead to a denial of service (bsc#1082858).
      - CVE-2018-0202: Fixed two vulnerabilities in the PDF parsing code (bsc#1083915).
      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 108652
    published 2018-03-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108652
    title SUSE SLED12 / SLES12 Security Update : clamav (SUSE-SU-2018:0809-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-D2B08AA37F.NASL
    description Update to 0.99.4. 0.99.4 addresses a few outstanding vulnerability bugs. It includes fixes for:
      - CVE-2012-6706
      - CVE-2017-6419
      - CVE-2017-11423
      - CVE-2018-1000085
      There are also a few bug fixes that were not assigned CVEs, but were important enough to address while we had the chance. One of these was the notorious file descriptor exhaustion bug that caused outages late last January. In addition to the above, 0.99.4 fixes:
      - CVE-2018-0202: Two newly reported vulnerabilities in the PDF parsing code.
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-03-14
    plugin id 108311
    published 2018-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108311
    title Fedora 26 : clamav (2018-d2b08aa37f)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-314.NASL
    description This update for clamav fixes the following issues:
      Security issues fixed:
      - CVE-2012-6706: VMSF_DELTA filter inside the unrar implementation allows an arbitrary memory write (bsc#1045315).
      - CVE-2017-6419: A heap-based buffer overflow that can lead to a denial of service in libmspack via a crafted CHM file (bsc#1052449).
      - CVE-2017-11423: A stack-based buffer over-read that can lead to a denial of service in mspack via a crafted CAB file (bsc#1049423).
      - CVE-2018-1000085: An out-of-bounds heap read vulnerability was found in XAR parser that can lead to a denial of service (bsc#1082858).
      - CVE-2018-0202: Fixed two vulnerabilities in the PDF parsing code (bsc#1083915).
      This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-03-27
    plugin id 108637
    published 2018-03-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108637
    title openSUSE Security Update : clamav (openSUSE-2018-314)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1760-1.NASL
    description This update for unrar fixes the following issues:
      - CVE-2012-6706: decoding malicious RAR files could have led to memory corruption or code execution. (bsc#1045315)
      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 101221
    published 2017-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101221
    title SUSE SLES11 Security Update : unrar (SUSE-SU-2017:1760-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201804-16.NASL
    description The remote host is affected by the vulnerability described in GLSA-201804-16 (ClamAV: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in ClamAV. Please review the CVE identifiers referenced below for details. Impact: A remote attacker, through multiple vectors, could execute arbitrary code, cause a Denial of Service condition, or have other unspecified impacts. Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-06-07
    plugin id 109230
    published 2018-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109230
    title GLSA-201804-16 : ClamAV: Multiple vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-602B5345FA.NASL
    description Update to 0.99.4. 0.99.4 addresses a few outstanding vulnerability bugs. It includes fixes for:
      - CVE-2012-6706
      - CVE-2017-6419
      - CVE-2017-11423
      - CVE-2018-1000085
      There are also a few bug fixes that were not assigned CVEs, but were important enough to address while we had the chance. One of these was the notorious file descriptor exhaustion bug that caused outages late last January. In addition to the above, 0.99.4 fixes:
      - CVE-2018-0202: Two newly reported vulnerabilities in the PDF parsing code.
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-03-07
    plugin id 107169
    published 2018-03-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107169
    title Fedora 27 : clamav (2018-602b5345fa)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-0862-1.NASL
    description This update for unrar to version 5.6.1 fixes several issues. These security issues were fixed:
      - CVE-2017-12938: Prevent remote attackers to bypass a directory-traversal protection mechanism via vectors involving a symlink to the . directory, a symlink to the .. directory, and a regular file (bsc#1054038).
      - CVE-2017-12940: Prevent out-of-bounds read in the EncodeFileName::Decode call within the Archive::ReadHeader15 function (bsc#1054038).
      - CVE-2017-12941: Prevent an out-of-bounds read in the Unpack::Unpack20 function (bsc#1054038).
      - CVE-2017-12942: Prevent a buffer overflow in the Unpack::LongLZ function (bsc#1054038).
      The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 108828
    published 2018-04-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108828
    title SUSE SLES11 Security Update : unrar (SUSE-SU-2018:0862-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-0863-1.NASL
    description This update for clamav fixes the following issues:
      Security issues fixed:
      - CVE-2012-6706: VMSF_DELTA filter inside the unrar implementation allows an arbitrary memory write (bsc#1045315).
      - CVE-2017-6419: A heap-based buffer overflow that can lead to a denial of service in libmspack via a crafted CHM file (bsc#1052449).
      - CVE-2017-11423: A stack-based buffer over-read that can lead to a denial of service in mspack via a crafted CAB file (bsc#1049423).
      - CVE-2018-1000085: An out-of-bounds heap read vulnerability was found in XAR parser that can lead to a denial of service (bsc#1082858).
      - CVE-2018-0202: Fixed two vulnerabilities in the PDF parsing code (bsc#1083915).
      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 108829
    published 2018-04-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108829
    title SUSE SLES11 Security Update : clamav (SUSE-SU-2018:0863-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-976.NASL
    description
      - Heap-based buffer overflow in mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted CHM file. (CVE-2017-6419)
      - Out-of-bounds access in the PDF parser. (CVE-2018-0202)
      - A VMSF_DELTA memory corruption was discovered in unrar before 5.5.5, as used in Sophos Anti-Virus Threat Detection Engine before 3.37.2 and other products, that can lead to arbitrary code execution. An integer overflow can be caused in DataSize+CurChannel. The result is a negative value of the 'DestPos' variable, which allows the attacker to write out of bounds when setting Mem[DestPos]. (CVE-2012-6706)
      - ClamAV version 0.99.3 contains an out-of-bounds heap memory read vulnerability in the XAR parser, function xar_hash_check(), that can result in leaking of memory and may help in developing exploit chains. This attack appears to be exploitable via a crafted XAR file that the victim must scan. (CVE-2018-1000085)
      - Stack-based buffer over-read in the cabd_read_string function: the cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2 and other products, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted CAB file. (CVE-2017-11423)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 108601
    published 2018-03-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108601
    title Amazon Linux AMI : clamav (ALAS-2018-976)
refmap via4
confirm https://kc.mcafee.com/corporate/index?page=content&id=SB10205
gentoo
  • GLSA-201708-05
  • GLSA-201709-24
  • GLSA-201804-16
misc
Last major update 22-06-2017 - 09:29
Published 22-06-2017 - 09:29
Last modified 21-10-2018 - 06:29