Check Point Advisories

7-Zip ARJ Archive Handling Buffer Overflow (CVE-2005-3051)

Vulnerability
Protection

Check Point Reference:	CPAI-2005-307
Date Published:	12 Oct 2009
Severity:	Medium
Last Updated:	Monday 12 October, 2009
Source:
Industry Reference:	CVE-2005-3051
Protection Provided by:	Security Gateway R81, R80, R77, R75
Who is Vulnerable?
Vulnerability Description	The 7-Zip file archiver has the ability to compress and decompress files in numerous archive formats. One such supported archive format is the ARJ format. There exists a stack-based buffer overflow vulnerability in the 7-Zip file archiver. The affected program does not sufficiently verify the size of local file header blocks in ARJ archives. A crafted ARJ archive may be used to exploit this flaw resulting in arbitrary code execution on the affected host. In a case of an unsuccessful code injection attack, the affected application used to decompress the malicious archive will terminate unexpectedly. In a case of a successful code injection exploit, the behaviour of the target system is dependent on the intention of the injected code. In such a case, the malicious code will execute with the privileges of the current user.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75

In the IPS tab, click Protections and find the 7-Zip ARJ Archive Handling Buffer Overflow protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: Content Protection Violation.
Attack Information: 7-Zip ARJ archive handling buffer overflow