Vulnerabilities > CVE-2004-0936

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

nessus

exploit available

NVD

Published: 2005-01-27

Updated: 2021-04-09

Summary

RAV antivirus allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.

Vulnerable Configurations

Part	Description	Count
Application	Archive_Zip Archive ZIP Archive ZIP 1.13	1
Application	Broadcom Broadcom Brightstor Arcserve Backup 11.1 Broadcom Etrust Antivirus 7.0 Broadcom Etrust Antivirus 7.1 Broadcom Etrust Antivirus Gateway 7.0 Broadcom Etrust Antivirus Gateway 7.1 Broadcom Etrust EZ Antivirus 6.1 Broadcom Etrust EZ Antivirus 6.2 Broadcom Etrust EZ Antivirus 6.3 Broadcom Etrust EZ Armor 2.0 Broadcom Etrust EZ Armor 2.3 Broadcom Etrust EZ Armor 2.4 Broadcom Etrust Intrusion Detection 1.4.1.13 Broadcom Etrust Intrusion Detection 1.4.5 Broadcom Etrust Intrusion Detection 1.5 Broadcom Etrust Secure Content Manager 1.0 Broadcom Etrust Secure Content Manager 1.1 Broadcom Inoculateit 6.0	17
Application	Ca CA Etrust Antivirus 7.0_Sp2 CA Etrust Secure Content Manager 1.0	2
Application	Eset_Software Eset Software Nod32 Antivirus 1.0.11 Eset Software Nod32 Antivirus 1.0.12 Eset Software Nod32 Antivirus 1.0.13	3
Application	Kaspersky_Lab Kaspersky LAB Kaspersky Anti Virus 3.0 Kaspersky LAB Kaspersky Anti Virus 4.0 Kaspersky LAB Kaspersky Anti Virus 5.0	3
Application	Mcafee Mcafee Antivirus Engine 4.3.20	1
Application	Rav_Antivirus RAV Antivirus RAV Antivirus Desktop 8.6 RAV Antivirus RAV Antivirus FOR File Servers 1.0 RAV Antivirus RAV Antivirus FOR Mail Servers 8.4.2	3
Application	Sophos Sophos Sophos Anti Virus 3.4.6 Sophos Sophos Anti Virus 3.78 Sophos Sophos Anti Virus 3.78D Sophos Sophos Anti Virus 3.79 Sophos Sophos Anti Virus 3.80 Sophos Sophos Anti Virus 3.81 Sophos Sophos Anti Virus 3.82 Sophos Sophos Anti Virus 3.83 Sophos Sophos Anti Virus 3.84 Sophos Sophos Anti Virus 3.85 Sophos Sophos Anti Virus 3.86 Sophos Sophos Puremessage Anti Virus 4.6 Sophos Sophos Small Business Suite 1.0	13
OS	Gentoo Gentoo Linux * Gentoo Linux 1.4	2
OS	Mandrakesoft Mandrakesoft Mandrake Linux 10.1	2
OS	Suse Suse Suse Linux 9.2	1

Exploit-Db

description	Multiple AntiVirus (zip file) Detection Bypass Exploit. CVE-2004-0932,CVE-2004-0933,CVE-2004-0934,CVE-2004-0935,CVE-2004-0936,CVE-2004-0937,CVE-2004-1096,CVE...
id	EDB-ID:629
last seen	2016-01-31
modified	2004-11-14
published	2004-11-14
reporter	oc192
source	https://www.exploit-db.com/download/629/
title	Multiple AntiVirus zip file Detection Bypass Exploit

Nessus

NASL family	Mandriva Local Security Checks
NASL id	MANDRAKE_MDKSA-2004-118.NASL
description	Recently, it was noticed that several antivirus programs miss viruses that are contained in ZIP archives with manipulated directory data. The global archive directory of these ZIP file have been manipulated to indicate zero file sizes. Archive::Zip produces files of zero length when decompressing this type of ZIP file. This causes AV products that use Archive::ZIP to fail to detect viruses in manipulated ZIP archives. One of these products is amavisd-new. The updated packages are patched to fix this problem.
last seen	2020-06-01
modified	2020-06-02
plugin id	15598
published	2004-11-02
reporter	This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/15598
title	Mandrake Linux Security Advisory : perl-Archive-Zip (MDKSA-2004:118)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2004:118. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(15598); script_version ("1.18"); script_cvs_date("Date: 2019/08/02 13:32:47"); script_cve_id("CVE-2004-0932", "CVE-2004-0933", "CVE-2004-0934", "CVE-2004-0935", "CVE-2004-0936", "CVE-2004-0937", "CVE-2004-1096", "CVE-2004-2442"); script_xref(name:"MDKSA", value:"2004:118"); script_name(english:"Mandrake Linux Security Advisory : perl-Archive-Zip (MDKSA-2004:118)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Mandrake Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "Recently, it was noticed that several antivirus programs miss viruses that are contained in ZIP archives with manipulated directory data. The global archive directory of these ZIP file have been manipulated to indicate zero file sizes. Archive::Zip produces files of zero length when decompressing this type of ZIP file. This causes AV products that use Archive::ZIP to fail to detect viruses in manipulated ZIP archives. One of these products is amavisd-new. The updated packages are patched to fix this problem." ); script_set_attribute( attribute:"see_also", value:"http://rt.cpan.org/NoAuth/Bug.html?id=8077" ); script_set_attribute( attribute:"solution", value:"Update the affected perl-Archive-Zip package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:perl-Archive-Zip"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1"); script_set_attribute(attribute:"patch_publication_date", value:"2004/11/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/11/02"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64\|i[3-6]86\|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK10.1", reference:"perl-Archive-Zip-1.14-1.0.101mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"perl-Archive-Zip-1.14-1.0.101mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

Seebug

bulletinFamily	exploit
description	No description provided by source.
id	SSV:9097
last seen	2017-11-19
modified	2008-07-16
published	2008-07-16
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-9097
title	Multiple AntiVirus (zip file) Detection Bypass Exploit

References

CVE is a registered MITRE Corporation trademark and MITRE's CVE website is the authoritative source of CVE content. CWE is a registered MITRE Corporation trademark and MITRE's CWE website is the authoritative source of CWE content.