CVE-2012-6706
published 2017-06-22

Priority: P2 64
Severity: critical, CVSS 3.0 base score 9.8
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available (Exploit-DB 44402, linked under Detection & IOCs)
EPSS: 10.03% (95.0th percentile)
A VMSF_DELTA memory corruption was discovered in unrar before 5.5.5, as used in Sophos Anti-Virus Threat Detection Engine before 3.37.2 and other products, that can lead to arbitrary code execution. An integer overflow can be caused in DataSize+CurChannel. The result is a negative value of the "DestPos" variable, which allows the attacker to write out of bounds when setting Mem[DestPos].

Affected (4 ranges)

Vendor    Product                   Version range                        Fixed in
debian    libclamunrar              < libclamunrar 0.99-4 (bookworm)     libclamunrar 0.99-4 (bookworm)
debian    unrar-nonfree             < libclamunrar 0.99-4 (bookworm)     libclamunrar 0.99-4 (bookworm)
rarlab    unrar                     <= 5.5.4                             5.5.5
sophos    threat_detection_engine   <= 3.36.2                            3.37.2

Detection & IOCs (extracted from the sources below)

Source: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44402.zip
  • Trigger condition: a crafted RAR file carrying a VMSF_DELTA filter whose registers make DataSize+CurChannel overflow into a negative DestPos, so the filter writes out of bounds at Mem[DestPos].
  • VMSF_RGB variant in mpengine.dll: a crafted RAR file setting PosR=-2 and DataSize=1 passes the (PosR + 2 < DataSize) guard and causes a one-byte out-of-bounds write before the allocated buffer. Scan RAR archives for VM filters of type VMSF_RGB or VMSF_DELTA whose register values are anomalous or negative (R[1] negative, R[4]=1).
  • The vulnerable code path is RarVM::ExecuteStandardFilter, in mpengine.dll (Windows Defender) and in unrar's rarvm.cpp. Monitor mpengine.dll while it processes RAR archives for memory-corruption crashes or anomalous process termination.
  • The mpengine.dll code is derived from unrar ≤ 4.2.4 and still processes the VMSF_UPCASE filter, which was removed in unrar 5.0. A VMSF_UPCASE filter block in a RAR file submitted to Windows Defender is therefore an indicator of a crafted archive targeting this old code path.
  • Scope: the vulnerability affects unrar before 5.5.5 and Sophos Anti-Virus Threat Detection Engine before 3.37.2. The Windows Defender issue is a separate but related bug in mpengine.dll, derived from unrar ≤ 4.2.4. Debian packages are fixed in unrar-nonfree 0.99-4 (bookworm, bullseye, sid, trixie).
  • The blanket signed-to-unsigned variable conversion applied in mpengine.dll, intended to fix the original CVE-2012-6706 signedness issues, also removed the PosR<0 guard and so introduced the VMSF_RGB out-of-bounds write. The two bugs share a root CVE but have distinct exploitation mechanics.
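
The following C program is an added example, not unrar's or mpengine.dll's code. It models the arithmetic of the two filter bugs described above so the negative DestPos can be observed without corrupting memory: delta_old() reproduces the pre-5.5.5 VMSF_DELTA loop with signed registers and no channel bound, delta_fixed() reproduces the shape of the hardened loop (unsigned registers, both sizes capped; the MAX3_UNPACK_CHANNELS value and the VM_GLOBALADDR check are assumptions), and rgb_postpass() reproduces the VMSF_RGB colour post-pass whose guard PosR + 2 < DataSize a negative PosR satisfies once the PosR<0 check is gone. The function names, the simulated-store helper and the DestData = Mem + DataSize layout are assumptions for the example; stores are recorded and bounds-checked instead of performed.

```c
/* Models of the two RAR VM filter bugs above: the VMSF_DELTA signedness
 * flaw of CVE-2012-6706 and the VMSF_RGB post-pass variant. Added example,
 * not unrar's or mpengine.dll's code. Stores are simulated: an in-range
 * index would be written, an out-of-range index is reported instead. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define VM_MEMSIZE           0x40000   /* unrar's RAR VM memory size */
#define VM_GLOBALADDR        0x3C000   /* assumed: offset of the VM global area */
#define MAX3_UNPACK_CHANNELS 1024      /* assumed: channel cap in the hardened check */

/* Explicit two's-complement wraparound: signed overflow is undefined in C,
 * and the model needs the wrapped value to show where DestPos lands. */
static int32_t wrap_add(int32_t a, int32_t b)
{
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

struct sim {
    bool rejected;     /* filter refused the register values up front */
    bool oob;          /* a store would have hit Mem[idx] outside [0, VM_MEMSIZE) */
    int32_t first_oob; /* that index; negative means before the buffer */
};

/* One simulated store to Mem[idx]; returns false on the first OOB index. */
static bool store(struct sim *s, int32_t idx)
{
    if (idx < 0 || idx >= VM_MEMSIZE) {
        s->oob = true;
        s->first_oob = idx;
        return false;
    }
    return true; /* Mem[idx] = ... would happen here */
}

/* VMSF_DELTA, pre-5.5.5 shape: R[4] and R[0] read as signed ints, DataSize
 * bounded only from above, Channels unbounded. budget caps loop steps so a
 * hostile Channels near INT32_MAX cannot spin the model for 2^31 rounds.
 * (uint32 -> int32 conversion is modular on gcc/clang.) */
struct sim delta_old(uint32_t r0_channels, uint32_t r4_datasize, long budget)
{
    struct sim s = {0};
    int32_t DataSize = (int32_t)r4_datasize, Channels = (int32_t)r0_channels;
    int32_t Border = wrap_add(DataSize, DataSize);
    if (DataSize >= VM_GLOBALADDR / 2) { s.rejected = true; return s; } /* negative DataSize passes */
    for (int32_t CurChannel = 0; CurChannel < Channels && budget-- > 0; CurChannel++)
        for (int32_t DestPos = wrap_add(DataSize, CurChannel); DestPos < Border && budget-- > 0;
             DestPos = wrap_add(DestPos, Channels))
            if (!store(&s, DestPos)) return s; /* Mem[DestPos] = (PrevByte -= Mem[SrcPos++]) */
    return s;
}

/* VMSF_DELTA, hardened shape: unsigned registers and caps on both sizes, so
 * DestPos < Border <= VM_MEMSIZE and no addition in the loop can wrap. */
struct sim delta_fixed(uint32_t r0_channels, uint32_t r4_datasize)
{
    struct sim s = {0};
    uint32_t DataSize = r4_datasize, Channels = r0_channels, Border = DataSize * 2;
    if (DataSize > VM_MEMSIZE / 2 || Channels > MAX3_UNPACK_CHANNELS || Channels == 0) {
        s.rejected = true;
        return s;
    }
    for (uint32_t CurChannel = 0; CurChannel < Channels; CurChannel++)
        for (uint32_t DestPos = DataSize + CurChannel; DestPos < Border; DestPos += Channels)
            if (!store(&s, (int32_t)DestPos)) return s;
    return s;
}

/* VMSF_RGB colour post-pass. The loop condition I < DataSize-2 is the
 * "PosR + 2 < DataSize" guard, which a negative PosR satisfies. check_posr=false
 * models mpengine.dll after the PosR<0 check was lost: PosR=-2, DataSize=1
 * stores at DestData[-2]. DestData = Mem + DataSize is assumed. */
struct sim rgb_postpass(uint32_t r1_posr, uint32_t r4_datasize, bool check_posr)
{
    struct sim s = {0};
    int32_t PosR = (int32_t)r1_posr, DataSize = (int32_t)r4_datasize;
    if (DataSize >= VM_GLOBALADDR / 2 || (check_posr && PosR < 0)) { s.rejected = true; return s; }
    int32_t DestData = DataSize; /* index of the output half of Mem */
    for (int32_t I = PosR, Border = DataSize - 2; I < Border; I += 3) {
        /* byte G = DestData[I+1]; DestData[I] += G; DestData[I+2] += G; */
        if (!store(&s, DestData + I) || !store(&s, DestData + I + 2)) return s;
    }
    return s;
}

int main(void)
{
    struct sim a = delta_old(0x7FFFFFFFu, 0x100, 10000); /* huge Channels, small DataSize */
    struct sim b = delta_fixed(0x7FFFFFFFu, 0x100);
    struct sim c = rgb_postpass(0xFFFFFFFEu, 1, false);  /* R[1] = -2, R[4] = 1 */
    printf("DELTA pre-fix:  oob=%d, first store at Mem[%d]\n", a.oob, (int)a.first_oob);
    printf("DELTA hardened: rejected=%d\n", b.rejected);
    printf("RGB, no PosR<0 check: oob=%d, first store at Mem[%d]\n", c.oob, (int)c.first_oob);
    return 0;
}
```

With Channels = 0x7FFFFFFF and DataSize = 0x100 the first in-range store at Mem[0x100] is followed by DestPos += Channels wrapping to a large negative value that still satisfies DestPos < Border, which is the negative DestPos the description refers to; R[4] = 0xB0000000 reaches the same state directly, because a negative DataSize passes the DataSize >= VM_GLOBALADDR/2 check. The hardened version rejects both register sets before the loop, and with the PosR<0 check restored the RGB post-pass rejects PosR = -2.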

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
osv                       9.8     CRITICAL
vendor_debian             9.8     CRITICAL