CVE-2005-3220 in Virus Control Antivirusinfo

Summary

by MITRE

Multiple interpretation error in unspecified versions of Norman Virus Control Antivirus allows remote attackers to bypass virus detection via a malicious executable in a specially crafted RAR file with malformed central and local headers, which can still be opened by products such as Winrar and PowerZip, even though they are rejected as corrupted by Winzip and BitZipper.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/27/2017

The vulnerability described in CVE-2005-3220 represents a critical flaw in antivirus software validation mechanisms that specifically affects Norman Virus Control Antivirus products. This issue stems from a fundamental misinterpretation of file format structures within compressed archives, particularly RAR files, where the antivirus engine fails to properly validate the integrity of archive headers. The vulnerability exists in the way the software processes and interprets the central directory and local file headers found in RAR archives, creating a scenario where malicious code can be concealed within seemingly legitimate archive structures.

The technical exploitation of this vulnerability relies on the creation of specially crafted RAR files that contain malformed central and local headers. These headers are structured in a way that bypasses the standard validation checks implemented by the antivirus software while still maintaining compatibility with legitimate archive extraction tools. The flaw allows attackers to embed malicious executables within RAR archives that appear valid to popular archive utilities like Winrar and PowerZip, yet these same archives are rejected by other tools such as Winzip and BitZipper due to their corrupted header structures. This creates a dangerous inconsistency where the same file can be considered valid by some tools while being flagged as corrupted by others, providing a window of opportunity for attackers to evade detection.

The operational impact of this vulnerability is significant as it enables remote attackers to bypass antivirus protection mechanisms without requiring any special privileges or direct system access. The flaw essentially creates a false positive scenario where malicious code is allowed to pass through security checks because the antivirus software misinterprets the archive structure as valid. This type of vulnerability falls under the CWE-119 category of "Improper Restriction of Operations within the Bounds of a Memory Buffer" and can be mapped to ATT&CK technique T1059.007 for "Command and Scripting Interpreter: Python" and T1070.004 for "Indicator Removal on Host: File Deletion" when considering the potential for malicious payloads to execute undetected. The vulnerability demonstrates a critical weakness in the antivirus software's file format parsing logic and can be exploited to deliver malware payloads that would otherwise be detected by standard signature-based scanning methods.

This vulnerability highlights the importance of robust input validation and proper file format interpretation in security software, as it demonstrates how inconsistencies between different tools' validation methods can create exploitable gaps. Organizations using affected versions of Norman Virus Control Antivirus face a significant risk of malware delivery through seemingly benign RAR archives, as the software's failure to properly validate archive structures allows malicious code to bypass traditional detection mechanisms. The issue also underscores the need for comprehensive testing of security software against various file format scenarios and the importance of maintaining up-to-date virus definitions and software patches to address such vulnerabilities that can persist across multiple versions of security products.

Reservation

10/14/2005

Disclosure

10/14/2005

Moderation

accepted

Entry

VDB-26574

CPE

ready

EPSS

0.02991

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!