
G-SEC™ regularly publishes advisories about vulnerabilities that we discovered during our research. G-SEC™ tries to follow responsible disclosure guidelines whenever possible.

F-Secure - Generic PDF detection bypass

Release mode: Coordinated
Reference : [GSEC-46-2009] - Computer Associates multiple products
Vendor : http://www.ca.com
Status : Patched
CVE : CVE-2009-3587 & CVE-2009-3588
Credit : https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=218878
Discovered by : Thierry Zoller (G-SEC)
Vendor reaction rating : near perfect*
* Continuous feedback on progress, CVE numbers assigned, and in-depth investigation of the issues at hand.

Affected products :

Affected Platforms :

I. Background

"CA is one of the world's largest IT management software providers. We serve more than 99% of Fortune 1000 companies, as well as government entities, educational institutions and thousands of other companies in diverse industries worldwide"

"CA Anti-Virus for the Enterprise is the next generation in comprehensive anti-virus security for business PCs, servers and PDAs. It combines proactive protection against malware with new, powerful management features that stop and remove malicious code before it enters your network, reducing system downtime"

II. Description

Improper handling of a specially crafted RAR archive file by the arclib component of the CA Anti-Virus engine leads to heap corruption and allows an attacker to cause a denial of service or possibly compromise the system further.

The attacker has control over EBX (taint trace of the crashing basic block):

Basic Block:
6e4305b0 mov cl,byte ptr [ebx]
Tainted Input Operands: ebx
6e4305b2 add edi,28h
6e4305b5 push edi
6e4305b6 lea edx,[esp+14h]
6e4305ba mov byte ptr [esp+14h],cl
Tainted Input Operands: cl
6e4305be inc ebx
Tainted Input Operands: ebx
6e4305bf push edx
6e4305c0 mov ecx,esi
6e4305c2 mov dword ptr [esp+1ch],ebx
Tainted Input Operands: ebx
6e4305c6 call arclib!arctkopenarchive+0x283a0 (6e42f9f0)
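The trace above shows a pointer derived from archive data being dereferenced without validation. As an added illustration (not arclib's code, and not the specific defect in this advisory), the following block walker for the RAR 2.x-4.x header format shows the kind of bounds checking that stops attacker-supplied header sizes from driving reads or copies past a heap buffer; the function name and sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative RAR 2.x-4.x block walker (not arclib's code). Each block header
 * starts with HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2); when
 * HEAD_FLAGS has 0x8000 set, a 4-byte ADD_SIZE follows. Every size field comes
 * from the file, so each is checked against the buffer before it moves the
 * cursor; a parser that trusts them walks or copies past the heap allocation. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns the number of block headers after the 7-byte marker, or -1 when a
 * header is truncated, claims more bytes than remain, or makes no progress. */
int rar_count_blocks(const uint8_t *buf, size_t len) {
    static const uint8_t marker[7] = { 'R', 'a', 'r', '!', 0x1a, 0x07, 0x00 };
    size_t pos = sizeof marker;
    int count = 0;
    if (len < sizeof marker || memcmp(buf, marker, sizeof marker) != 0)
        return -1;                          /* not a RAR archive */
    while (pos < len) {
        if (len - pos < 7)
            return -1;                      /* truncated fixed header */
        uint16_t flags = rd16(buf + pos + 3);
        uint64_t size = rd16(buf + pos + 5);
        if (size < 7)
            return -1;                      /* zero/short size: no progress, overlapping headers */
        if (flags & 0x8000) {
            if (len - pos < 11)
                return -1;                  /* ADD_SIZE field itself is missing */
            size += rd32(buf + pos + 7);    /* 64-bit sum: cannot wrap */
        }
        if (size > len - pos)
            return -1;                      /* header claims bytes beyond the buffer */
        pos += (size_t)size;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not real archives or malware): a marker plus one
 * 13-byte main header, the same with HEAD_SIZE forged to 0, and one with
 * HEAD_SIZE forged to 0xffff. */
static const uint8_t sample_ok[] = { 'R','a','r','!',0x1a,0x07,0x00,
    0x90,0x73, 0x73, 0x00,0x00, 0x0d,0x00, 0,0,0,0,0,0 };
static const uint8_t sample_zero_size[] = { 'R','a','r','!',0x1a,0x07,0x00,
    0x90,0x73, 0x73, 0x00,0x00, 0x00,0x00, 0,0,0,0,0,0 };
static const uint8_t sample_oversize[] = { 'R','a','r','!',0x1a,0x07,0x00,
    0x90,0x73, 0x73, 0x00,0x00, 0xff,0xff };
```

The same three checks (fixed header present, size makes progress, size fits the remaining buffer) apply to any length-prefixed container an AV engine unpacks, which is why the advisory calls this a general problem.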

III. Impact

The impact ranges from denial of service to potential remote arbitrary code execution. Due to the nature of anti-virus products, the attack vectors are near endless: the crafted archive can arrive as an e-mail attachment (any file the engine recognises as RAR), on USB media or CD, or in network data.

Please note that this is a general problem and not exclusive to Computer Associates.

V. Disclosure timeline

Note: All trademarks mentioned herein belong to their respective owners.