CVE-2012-6706 - Integer Overflow or Wraparound vulnerability in multiple products
Metric | Value
---|---
Attack vector | NETWORK
Attack complexity | LOW
Privileges required | NONE
Confidentiality impact | COMPLETE
Integrity impact | COMPLETE
Availability impact | COMPLETE

Summary
A VMSF_DELTA memory corruption was discovered in unrar before 5.5.5, as used in Sophos Anti-Virus Threat Detection Engine before 3.37.2 and other products, that can lead to arbitrary code execution. An integer overflow can be caused in DataSize+CurChannel. The result is a negative value of the "DestPos" variable, which allows the attacker to write out of bounds when setting Mem[DestPos].
Vulnerable Configurations

Part | Description | Count
---|---|---
Application | | 1
Application | | 1
Common Weakness Enumeration (CWE)
- CWE-190: Integer Overflow or Wraparound
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow: This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation or similar. The attacker would typically control the value of such a variable and try to get it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
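The arithmetic described in the summary and in the CAPEC entry above, as an added C example written for this page (it is a model, not code from unrar, Sophos or any of the listed products): a signed-index version of the VMSF_DELTA loop that reports the first channel at which DataSize+CurChannel wraps and DestPos goes negative, beside an unsigned, bounded form of the same filter that rejects such register values before touching memory. VM_MEMSIZE is the RAR VM memory size; MAX_UNPACK_CHANNELS, the function names, the assumption that the old code bounded DataSize but not Channels, and the 4-byte sample input are assumptions of this example. The vulnerable model never writes out of bounds itself; it substitutes a bounds check for the write.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* VM_MEMSIZE is the size of the RAR VM memory; MAX_UNPACK_CHANNELS is an
 * assumed bound chosen for this example (the shipped fix uses its own). */
#define VM_MEMSIZE          0x40000
#define MAX_UNPACK_CHANNELS 1024

/*
 * Model of the vulnerable pattern: signed 32-bit arithmetic, DataSize
 * bounded to half the VM memory (assumption of this model) but Channels
 * unbounded. The loop shape being modelled is
 *
 *   for (int CurChannel = 0; CurChannel < Channels; CurChannel++)
 *     for (int DestPos = DataSize + CurChannel; DestPos < Border; DestPos += Channels)
 *       Mem[DestPos] = (PrevByte -= Mem[SrcPos++]);
 *
 * Once CurChannel reaches INT32_MAX - DataSize + 1 the sum wraps to
 * INT32_MIN, which satisfies DestPos < Border, so the inner loop writes
 * to Mem[negative]. The real loop only reaches that channel after ~2^31
 * outer iterations whose inner loop never runs (DestPos >= Border); this
 * function jumps straight to that channel and replaces the write with a
 * bounds check. Returns true with the first out-of-bounds (channel,
 * DestPos) pair, false if every write would stay inside Mem.
 */
static bool delta_first_oob_write(int32_t DataSize, int32_t Channels,
                                  int32_t *oob_channel, int32_t *oob_destpos)
{
    if (DataSize > VM_MEMSIZE / 2 || DataSize < 0)   /* the only check in the old shape */
        return false;
    int32_t Border = DataSize * 2;                   /* <= VM_MEMSIZE, cannot wrap */

    int64_t wrap_channel = (int64_t)INT32_MAX - DataSize + 1;
    if (wrap_channel >= Channels)
        return false;   /* DestPos stays in [DataSize, Border) for every channel */

    int32_t CurChannel = (int32_t)wrap_channel;
    /* Two's-complement wraparound done through unsigned so this model is not itself UB. */
    int32_t DestPos = (int32_t)((uint32_t)DataSize + (uint32_t)CurChannel);
    for (; DestPos < Border; DestPos = (int32_t)((uint32_t)DestPos + (uint32_t)Channels)) {
        if (DestPos < 0 || DestPos >= VM_MEMSIZE) {
            *oob_channel = CurChannel;
            *oob_destpos = DestPos;
            return true;
        }
    }
    return false;
}

/*
 * Hardened form of the same filter: unsigned indices and explicit bounds
 * on both registers before any arithmetic. With DataSize <= VM_MEMSIZE/2
 * and Channels <= MAX_UNPACK_CHANNELS, DataSize + CurChannel cannot wrap,
 * and DestPos < Border <= MemSize keeps every write inside Mem. SrcPos
 * never exceeds DataSize because each position in [DataSize, Border) is
 * written exactly once. Returns false, touching nothing, on bad registers.
 */
static bool vmsf_delta_hardened(uint8_t *Mem, size_t MemSize,
                                uint32_t DataSize, uint32_t Channels)
{
    if (DataSize > VM_MEMSIZE / 2 || (size_t)DataSize * 2 > MemSize ||
        Channels == 0 || Channels > MAX_UNPACK_CHANNELS)
        return false;
    uint32_t Border = DataSize * 2, SrcPos = 0;
    for (uint32_t CurChannel = 0; CurChannel < Channels; CurChannel++) {
        uint8_t PrevByte = 0;
        for (uint32_t DestPos = DataSize + CurChannel; DestPos < Border; DestPos += Channels)
            Mem[DestPos] = (PrevByte -= Mem[SrcPos++]);
    }
    return true;
}

int main(void)
{
    int32_t ch = 0, pos = 0;
    if (delta_first_oob_write(0x20000, INT32_MAX, &ch, &pos))
        printf("signed model: CurChannel=%d gives DestPos=%d (out of bounds)\n", ch, pos);

    /* Constructed sample: 4 delta bytes for 2 interleaved channels; output lands in Mem[4..8). */
    uint8_t mem[16] = {0x01, 0x02, 0x03, 0x04};
    printf("hardened rejects Channels=INT32_MAX: %s\n",
           vmsf_delta_hardened(mem, sizeof mem, 4, (uint32_t)INT32_MAX) ? "no" : "yes");
    if (vmsf_delta_hardened(mem, sizeof mem, 4, 2))
        printf("hardened output: %02x %02x %02x %02x\n", mem[4], mem[5], mem[6], mem[7]);
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run. For DataSize 0x20000 the signed model reports CurChannel 2147352576 giving DestPos -2147483648, the negative index the summary describes. The check that matters in the hardened form is the bound on Channels: bounding DataSize alone leaves the other operand of the sum under attacker control, which is exactly the gap the signed model exercises.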
Exploit-Db
Field | Value
---|---
id | EDB-ID:44402
title | Microsoft Windows Defender - 'mpengine.dll' Memory Corruption
description | Microsoft Windows Defender - 'mpengine.dll' Memory Corruption. CVE-2018-0986. DoS exploit for Windows platform
type | dos
platform | windows
port | 
file | exploits/windows/dos/44402.txt
published | 2018-04-05
modified | 2018-04-05
last seen | 2018-05-24
reporter | Exploit-DB
source | https://www.exploit-db.com/download/44402/

Note that this Exploit-DB entry is filed against CVE-2018-0986 (a Windows Defender mpengine.dll issue) and is listed as a DoS proof of concept for that CVE, not for CVE-2012-6706 itself.
Nessus
NASL id | GENTOO_GLSA-201804-16.NASL
---|---
NASL family | Gentoo Local Security Checks
title | GLSA-201804-16 : ClamAV: Multiple vulnerabilities
plugin id | 109230
published | 2018-04-23
modified | 2020-06-02
last seen | 2020-06-01
reporter | This script is Copyright (C) 2018 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/109230

Description: The remote host is affected by the vulnerability described in GLSA-201804-16 (ClamAV: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in ClamAV. Please review the CVE identifiers referenced below for details. Impact: A remote attacker, through multiple vectors, could execute arbitrary code, cause a Denial of Service condition, or have other unspecified impacts. Workaround: There is no known workaround at this time.

Code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201804-16.
#
# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(109230);
  script_version("1.2");
  script_cvs_date("Date: 2018/06/07 13:15:38");

  script_cve_id("CVE-2012-6706", "CVE-2017-11423", "CVE-2017-6418", "CVE-2017-6419", "CVE-2017-6420", "CVE-2018-0202", "CVE-2018-1000085");
  script_xref(name:"GLSA", value:"201804-16");

  script_name(english:"GLSA-201804-16 : ClamAV: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-201804-16
(ClamAV: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in ClamAV. Please review
      the CVE identifiers referenced below for details.

Impact :

    A remote attacker, through multiple vectors, could execute arbitrary
      code, cause a Denial of Service condition, or have other unspecified
      impacts.

Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201804-16"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All ClamAV users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose '>=app-antivirus/clamav-0.99.4'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:clamav");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/04/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

# The whole check: any installed app-antivirus/clamav older than 0.99.4 is flagged.
if (qpkg_check(package:"app-antivirus/clamav", unaffected:make_list("ge 0.99.4"), vulnerable:make_list("lt 0.99.4"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ClamAV");
}
```

NASL id | SUSE_SU-2018-0863-1.NASL
---|---
NASL family | SuSE Local Security Checks
title | SUSE SLES11 Security Update : clamav (SUSE-SU-2018:0863-1)
plugin id | 108829
published | 2018-04-04
modified | 2020-06-02
last seen | 2020-06-01
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/108829

Description: This update for clamav fixes the following issues. Security issues fixed:
- CVE-2012-6706: VMSF_DELTA filter inside the unrar implementation allows an arbitrary memory write (bsc#1045315).
- CVE-2017-6419: A heap-based buffer overflow that can lead to a denial of service in libmspack via a crafted CHM file (bsc#1052449).
- CVE-2017-11423: A stack-based buffer over-read that can lead to a denial of service in mspack via a crafted CAB file (bsc#1049423).
- CVE-2018-1000085: An out-of-bounds heap read vulnerability was found in the XAR parser that can lead to a denial of service (bsc#1082858).
- CVE-2018-0202: Fixed two vulnerabilities in the PDF parsing code (bsc#1083915).
Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

NASL id | FEDORA_2018-D2B08AA37F.NASL
---|---
NASL family | Fedora Local Security Checks
title | Fedora 26 : clamav (2018-d2b08aa37f)
plugin id | 108311
published | 2018-03-14
modified | 2018-03-14
last seen | 2020-06-05
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/108311

Description: Update to 0.99.4. 0.99.4 addresses a few outstanding vulnerability bugs. It includes fixes for:
- CVE-2012-6706
- CVE-2017-6419
- CVE-2017-11423
- CVE-2018-1000085
There are also a few bug fixes that were not assigned CVEs, but were important enough to address while we had the chance. One of these was the notorious file descriptor exhaustion bug that caused outages late last January. In addition to the above, 0.99.4 fixes:
- CVE-2018-0202: Two newly reported vulnerabilities in the PDF parsing code.
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

NASL id | OPENSUSE-2017-779.NASL
---|---
NASL family | SuSE Local Security Checks
title | openSUSE Security Update : clamav (openSUSE-2017-779)
plugin id | 101277
published | 2017-07-07
modified | 2017-07-07
last seen | 2020-06-05
reporter | This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/101277

Description: This update for clamav fixes the following security issue:
- CVE-2012-6706: Fixed an arbitrary memory write in VMSF_DELTA filter in libclamunrar (bsc#1045490)
This update was imported from the SUSE:SLE-12:Update update project.

NASL id | SUSE_SU-2017-1763-1.NASL
---|---
NASL family | SuSE Local Security Checks
title | SUSE SLES11 Security Update : clamav (SUSE-SU-2017:1763-1)
plugin id | 101222
published | 2017-07-05
modified | 2020-06-02
last seen | 2020-06-01
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/101222

Description: This update for clamav fixes the following issues. Security issue fixed:
- CVE-2012-6706: Fixed an arbitrary memory write in VMSF_DELTA filter in libclamunrar (bsc#1045490)
Non-security issue fixed:
- Fix permissions of /var/spool/amavis. (bsc#815106)
Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

NASL id | GENTOO_GLSA-201708-05.NASL
---|---
NASL family | Gentoo Local Security Checks
title | GLSA-201708-05 : RAR and UnRAR: User-assisted execution of arbitrary code
plugin id | 102617
published | 2017-08-21
modified | 2020-06-02
last seen | 2020-06-01
reporter | This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/102617

Description: The remote host is affected by the vulnerability described in GLSA-201708-05 (RAR and UnRAR: User-assisted execution of arbitrary code). A VMSF_DELTA memory corruption was discovered in which an integer overflow can be caused in DataSize+CurChannel. The result is a negative value of the "DestPos" variable which allows writing out of bounds when setting Mem[DestPos]. Impact: A remote attacker, by enticing a user to open a specially crafted archive, could execute arbitrary code with the privileges of the process. Workaround: There is no known workaround at this time.

NASL id | SUSE_SU-2017-1745-1.NASL
---|---
NASL family | SuSE Local Security Checks
title | SUSE SLED12 / SLES12 Security Update : unrar (SUSE-SU-2017:1745-1)
plugin id | 101204
published | 2017-07-03
modified | 2020-06-02
last seen | 2020-06-01
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/101204

Description: This update for unrar fixes the following issues:
- CVE-2012-6706: decoding malicious RAR files could have led to memory corruption or code execution. (bsc#1045315)
Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

NASL id | DEBIAN_DLA-1003.NASL
---|---
NASL family | Debian Local Security Checks
title | Debian DLA-1003-1 : unrar-nonfree security update
plugin id | 101065
published | 2017-06-28
modified | 2017-06-28
last seen | 2020-03-17
reporter | This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/101065

Description: It was reported that unrar fixed a VMSF_DELTA memory corruption issue in their latest version unrarsrc-5.5.5.tar.gz. This problem was reported to Sophos AV in 2012 but never reached upstream rar. For Debian 7

NASL id | MCAFEE_WEB_GATEWAY_SB10205.NASL
---|---
NASL family | Misc.
title | McAfee Web Gateway 7.6.x < 7.6.2.15 / 7.7.x < 7.7.2.3 Multiple Vulnerabilities (SB10205)
plugin id | 102496
published | 2017-08-15
modified | 2017-08-15
last seen | 2020-06-13
reporter | This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/102496

Description: The remote host is running a version of McAfee Web Gateway (MWG) that is affected by multiple security vulnerabilities:
- A memory corruption flaw exists in unrar before 5.5.5, as used in Sophos Anti-Virus Threat Detection Engine before 3.37.2 and other products, that allows remote attackers to execute arbitrary code. (CVE-2012-6706)
- A memory corruption flaw exists in Linux Kernel versions 4.11.5 and earlier that allows remote attackers to execute arbitrary code with elevated privileges. (CVE-2017-1000364)
- A memory corruption flaw exists in the handling of LD_LIBRARY_PATH that allows a remote attacker to manipulate the heap/stack, which may lead to arbitrary code execution. This issue only affects GNU glibc 2.25 and prior. (CVE-2017-1000366)
- An input validation flaw exists in Todd Miller

NASL id | OPENSUSE-2017-724.NASL
---|---
NASL family | SuSE Local Security Checks
title | openSUSE Security Update : unrar (openSUSE-2017-724)
plugin id | 103163
published | 2017-09-13
modified | 2017-09-13
last seen | 2020-06-05
reporter | This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/103163

Description: This update for unrar to version 5.5 fixes the following issues.
Version 5.5.5:
- CVE-2012-6706: fixes VMSF_DELTA memory corruption (boo#1045315), see https://bugs.chromium.org/p/project-zero/issues/detail?id=1286&can=1&q=unrar&desc=2
Version 5.5.1:
- Based on RAR 5.50 beta1
- Added extraction support for .LZ archives created by the Lzip compressor.
- Modern TAR tools can store high precision file times, lengthy file names and large file sizes in special PAX extended headers inside of a TAR archive. Now WinRAR supports such PAX headers and uses them when extracting TAR archives.
- unrar no longer fails to unpack files in ZIP archives compressed with the XZ algorithm and encrypted with AES
Version 5.4.5:
- Based on final RAR 5.40.
- If RAR recovery volumes (.rev files) are present in the same folder as usual RAR volumes, the archive test command verifies .rev contents after completing testing .rar files. If you wish to test only .rev files without checking .rar volumes, you can run: `unrar t arcname.part1.rev`.
- If the -p switch is used without the optional <pwd> parameter, a password can also be set with file redirection or a pipe.
- unrar treats

NASL id | SUSE_SU-2018-0862-1.NASL
---|---
NASL family | SuSE Local Security Checks
title | SUSE SLES11 Security Update : unrar (SUSE-SU-2018:0862-1)
plugin id | 108828
published | 2018-04-04
modified | 2020-06-02
last seen | 2020-06-01
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/108828

Description: This update for unrar to version 5.6.1 fixes several issues. These security issues were fixed:
- CVE-2017-12938: Prevent remote attackers from bypassing a directory-traversal protection mechanism via vectors involving a symlink to the . directory, a symlink to the .. directory, and a regular file (bsc#1054038).
- CVE-2017-12940: Prevent an out-of-bounds read in the EncodeFileName::Decode call within the Archive::ReadHeader15 function (bsc#1054038).
- CVE-2017-12941: Prevent an out-of-bounds read in the Unpack::Unpack20 function (bsc#1054038).
- CVE-2017-12942: Prevent a buffer overflow in the Unpack::LongLZ function (bsc#1054038).
The update package also includes non-security fixes. See the advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

NASL id | SUSE_SU-2017-1716-1.NASL
---|---
NASL family | SuSE Local Security Checks
title | SUSE SLED12 / SLES12 Security Update : clamav (SUSE-SU-2017:1716-1)
plugin id | 101143
published | 2017-06-30
modified | 2020-06-02
last seen | 2020-06-01
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/101143

Description: This update for clamav fixes the following issues. Security issue fixed:
- CVE-2012-6706: Fixed an arbitrary memory write in VMSF_DELTA filter in libclamunrar (bsc#1045490)
Non-security issues fixed:
- Provide and obsolete clamav-nodb to trigger its removal in openSUSE Leap. (bsc#1040662)
Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

NASL id | GENTOO_GLSA-201710-21.NASL
---|---
NASL family | Gentoo Local Security Checks
title | GLSA-201710-21 : Kodi: Arbitrary code execution
plugin id | 104064
published | 2017-10-23
modified | 2020-06-02
last seen | 2020-06-01
reporter | This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/104064

Description: The remote host is affected by the vulnerability described in GLSA-201710-21 (Kodi: Arbitrary code execution). Kodi is vulnerable due to shipping with an embedded version of UnRAR. Please review the referenced CVE identifier for details. Impact: A remote attacker, by enticing a user to process a specifically crafted RAR file, could execute arbitrary code. Workaround: There is no known workaround at this time.

NASL id | FEDORA_2018-602B5345FA.NASL
---|---
NASL family | Fedora Local Security Checks
title | Fedora 27 : clamav (2018-602b5345fa)
plugin id | 107169
published | 2018-03-07
modified | 2018-03-07
last seen | 2020-06-05
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/107169

Description: Update to 0.99.4. 0.99.4 addresses a few outstanding vulnerability bugs. It includes fixes for:
- CVE-2012-6706
- CVE-2017-6419
- CVE-2017-11423
- CVE-2018-1000085
There are also a few bug fixes that were not assigned CVEs, but were important enough to address while we had the chance. One of these was the notorious file descriptor exhaustion bug that caused outages late last January. In addition to the above, 0.99.4 fixes:
- CVE-2018-0202: Two newly reported vulnerabilities in the PDF parsing code.
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

NASL id | OPENSUSE-2018-314.NASL
---|---
NASL family | SuSE Local Security Checks
title | openSUSE Security Update : clamav (openSUSE-2018-314)
plugin id | 108637
published | 2018-03-27
modified | 2018-03-27
last seen | 2020-06-05
reporter | This script is Copyright (C) 2018-2020 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/108637

Description: This update for clamav fixes the following issues. Security issues fixed:
- CVE-2012-6706: VMSF_DELTA filter inside the unrar implementation allows an arbitrary memory write (bsc#1045315).
- CVE-2017-6419: A heap-based buffer overflow that can lead to a denial of service in libmspack via a crafted CHM file (bsc#1052449).
- CVE-2017-11423: A stack-based buffer over-read that can lead to a denial of service in mspack via a crafted CAB file (bsc#1049423).
- CVE-2018-1000085: An out-of-bounds heap read vulnerability was found in the XAR parser that can lead to a denial of service (bsc#1082858).
- CVE-2018-0202: Fixed two vulnerabilities in the PDF parsing code (bsc#1083915).
This update was imported from the SUSE:SLE-12:Update update project.

NASL id | SUSE_SU-2017-1760-1.NASL
---|---
NASL family | SuSE Local Security Checks
title | SUSE SLES11 Security Update : unrar (SUSE-SU-2017:1760-1)
plugin id | 101221
published | 2017-07-05
modified | 2020-06-02
last seen | 2020-06-01
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/101221

Description: This update for unrar fixes the following issues:
- CVE-2012-6706: decoding malicious RAR files could have led to memory corruption or code execution. (bsc#1045315)
Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

NASL id | GENTOO_GLSA-201709-24.NASL
---|---
NASL family | Gentoo Local Security Checks
title | GLSA-201709-24 : RAR, UnRAR: Multiple vulnerabilities
plugin id | 103463
published | 2017-09-26
modified | 2020-06-02
last seen | 2020-06-01
reporter | This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/103463

Description: The remote host is affected by the vulnerability described in GLSA-201709-24 (RAR, UnRAR: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in RAR and UnRAR. Please review the referenced CVE identifiers for details. Impact: A remote attacker, by enticing a user to open a specially crafted RAR, could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. Workaround: There is no known workaround at this time.

NASL id | ALA_ALAS-2018-976.NASL
---|---
NASL family | Amazon Linux Local Security Checks
title | Amazon Linux AMI : clamav (ALAS-2018-976)
plugin id | 108601
published | 2018-03-27
modified | 2020-06-02
last seen | 2020-06-01
reporter | This script is Copyright (C) 2018 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/108601

Description: Heap-based buffer overflow in mspack/lzxd.c: mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted CHM file. (CVE-2017-6419) Out-of-bounds access in the PDF parser (CVE-2018-0202). A VMSF_DELTA memory corruption was discovered in unrar before 5.5.5, as used in Sophos Anti-Virus Threat Detection Engine before 3.37.2 and other products, that can lead to arbitrary code execution. An integer overflow can be caused in DataSize+CurChannel. The result is a negative value of the

NASL id | SUSE_SU-2018-0809-1.NASL
---|---
NASL family | SuSE Local Security Checks
title | SUSE SLED12 / SLES12 Security Update : clamav (SUSE-SU-2018:0809-1)
plugin id | 108652
published | 2018-03-27
modified | 2020-06-02
last seen | 2020-06-01
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/108652

Description: This update for clamav fixes the following issues. Security issues fixed:
- CVE-2012-6706: VMSF_DELTA filter inside the unrar implementation allows an arbitrary memory write (bsc#1045315).
- CVE-2017-6419: A heap-based buffer overflow that can lead to a denial of service in libmspack via a crafted CHM file (bsc#1052449).
- CVE-2017-11423: A stack-based buffer over-read that can lead to a denial of service in mspack via a crafted CAB file (bsc#1049423).
- CVE-2018-1000085: An out-of-bounds heap read vulnerability was found in the XAR parser that can lead to a denial of service (bsc#1082858).
- CVE-2018-0202: Fixed two vulnerabilities in the PDF parsing code (bsc#1083915).
Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
References
- http://securitytracker.com/id?1027725
- http://telussecuritylabs.com/threats/show/TSL20121207-01
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1286
- https://community.sophos.com/kb/en-us/118424#six
- https://kc.mcafee.com/corporate/index?page=content&id=SB10205
- https://lock.cmpxchg8b.com/sophailv2.pdf
- https://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/
- https://security.gentoo.org/glsa/201708-05
- https://security.gentoo.org/glsa/201709-24
- https://security.gentoo.org/glsa/201804-16