CVE-2012-6706 : A VMSF_DELTA memory corruption was discovered in unrar before 5.5.5, as used in Sophos Anti-Virus Threat Detection Engin

A VMSF_DELTA memory corruption was discovered in unrar before 5.5.5, as used in Sophos Anti-Virus Threat Detection Engine before 3.37.2 and other products, that can lead to arbitrary code execution. An integer overflow can be caused in DataSize+CurChannel. The result is a negative value of the "DestPos" variable, which allows the attacker to write out of bounds when setting Mem[DestPos].

Published 2017-06-22 13:29:00

Updated 2018-10-21 10:29:00

Source MITRE

View at NVD, CVE.org

Vulnerability category: OverflowMemory Corruption

Exploit prediction scoring system (EPSS) score for CVE-2012-6706

Probability of exploitation activity in the next 30 days: 2.42%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 88 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2012-6706

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2012-6706

CWE-190 Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-6706

https://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/

Sophos products and Tavis Ormandy – Naked Security
Vendor Advisory
https://lock.cmpxchg8b.com/sophailv2.pdf

Third Party Advisory
https://security.gentoo.org/glsa/201708-05

RAR and UnRAR: User-assisted execution of arbitrary code (GLSA 201708-05) — Gentoo security
http://telussecuritylabs.com/threats/show/TSL20121207-01

TELUS Security Labs | Software Research & Analysis
Third Party Advisory
https://security.gentoo.org/glsa/201709-24

RAR, UnRAR: Multiple vulnerabilities (GLSA 201709-24) — Gentoo security

CVEs referencing this url
https://bugs.chromium.org/p/project-zero/issues/detail?id=1286

1286 - VMSF_DELTA filter in unrar allows arbitrary memory write - project-zero - Monorail
Exploit;Third Party Advisory
http://securitytracker.com/id?1027725

Sophos Anti-Virus Bugs Let Remote Users Execute Arbitrary Code with Root Privileges and Conduct Cross-Site Scripting Attacks and Let Local Users Gain Elevated Privileges - SecurityTracker
Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10205

McAfee Security Bulletin - Web Gateway update fixes vulnerabilities CVE-2012-6706, CVE-2017-1000364, CVE-2017-1000366, and CVE-2017-1000368

CVEs referencing this url
https://security.gentoo.org/glsa/201804-16

ClamAV: Multiple vulnerabilities (GLSA 201804-16) — Gentoo security

CVEs referencing this url
https://community.sophos.com/kb/en-us/118424#six

Sophos Community
Vendor Advisory

Products affected by CVE-2012-6706

Rarlab » Unrar
Versions up to, including, (<=) 5.5.4
cpe:2.3:a:rarlab:unrar:*:*:*:*:*:*:*:*
Matching versions
Sophos » Threat Detection Engine
Versions up to, including, (<=) 3.36.2
cpe:2.3:a:sophos:threat_detection_engine:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2012-6706

Exploit prediction scoring system (EPSS) score for CVE-2012-6706

CVSS scores for CVE-2012-6706

CWE ids for CVE-2012-6706

References for CVE-2012-6706

Products affected by CVE-2012-6706