CVE-2012-6706
Published: 2017-06-22
Priority: P2 · 64 · critical 9.8 (CVSS 3.0)
EPSS: 10.03% (95.0th percentile)
A VMSF_DELTA memory corruption was discovered in unrar before 5.5.5, as used in Sophos Anti-Virus Threat Detection Engine before 3.37.2 and other products, that can lead to arbitrary code execution. An integer overflow can be caused in DataSize+CurChannel. The result is a negative value of the "DestPos" variable, which allows the attacker to write out of bounds when setting Mem[DestPos].
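The description above boils down to one arithmetic mistake: two archive-controlled 32-bit values are added and the wrapped sum is used as an index into Mem without first checking that it is non-negative and inside the buffer. The following C snippet is an added illustration, not unrar's or mpengine.dll's code, that models that index computation with the page's names (DataSize, CurChannel, DestPos, Mem) and places the unchecked form beside a hardened one. The helper names `naive_dest_pos`, `checked_dest_pos`, `filter_write` and the `mem_size` parameter are assumptions introduced for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative model (assumption, not unrar's code): a VM filter writes
 * one byte at Mem[DestPos] where DestPos = DataSize + CurChannel, and
 * both operands are 32-bit signed values taken from the archive. */

/* The index a plain 32-bit signed add would yield once it wraps. The sum
 * is computed in unsigned arithmetic and truncated so the wrap is
 * well-defined here; e.g. INT32_MAX + 1 becomes -2147483648. */
int32_t naive_dest_pos(int32_t data_size, int32_t cur_channel) {
    uint32_t wrapped = (uint32_t)data_size + (uint32_t)cur_channel;
    return (int32_t)wrapped;
}

/* Hardened form: refuse the index if the addition overflows or the
 * result lies outside [0, mem_size). Returns true only when *dest_pos
 * is a safe offset into a buffer of mem_size bytes. */
bool checked_dest_pos(int32_t data_size, int32_t cur_channel,
                      size_t mem_size, size_t *dest_pos) {
    int32_t sum;
    if (__builtin_add_overflow(data_size, cur_channel, &sum))
        return false;              /* wrapped: would produce a bogus index */
    if (sum < 0 || (size_t)sum >= mem_size)
        return false;              /* negative, or past the end of Mem */
    *dest_pos = (size_t)sum;
    return true;
}

/* Store one byte into mem only when the index is provably in range.
 * Returns false (and writes nothing) when the write is refused. */
bool filter_write(uint8_t *mem, size_t mem_size,
                  int32_t data_size, int32_t cur_channel, uint8_t value) {
    size_t pos;
    if (!checked_dest_pos(data_size, cur_channel, mem_size, &pos))
        return false;
    mem[pos] = value;
    return true;
}
```

The point of `checked_dest_pos` is that the overflow test and the range test are separate: `__builtin_add_overflow` catches the wrap that turns a large DataSize into a negative DestPos, and the range comparison catches values that are positive but still beyond the allocation. A check that only compares the wrapped sum against the buffer size misses the first case, which is exactly what the negative-index write described above exploits.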
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libclamunrar | < libclamunrar 0.99-4 (bookworm) | libclamunrar 0.99-4 (bookworm) |
| debian | unrar-nonfree | < libclamunrar 0.99-4 (bookworm) | libclamunrar 0.99-4 (bookworm) |
| rarlab | unrar | <= 5.5.4 | — |
| sophos | threat_detection_engine | <= 3.36.2 | — |
Detection & IOCs (extracted from sources)
- Trigger condition: a crafted RAR file with a VMSF_DELTA filter where the DataSize+CurChannel integer overflow produces a negative DestPos, enabling an out-of-bounds write to Mem[DestPos].
- For the VMSF_RGB variant in mpengine.dll: a crafted RAR file setting PosR=-2 and DataSize=1 bypasses the (PosR + 2 < DataSize) guard, causing a one-byte out-of-bounds write before the allocated buffer. Scan for RAR archives with VM filter type VMSF_RGB or VMSF_DELTA carrying anomalous/negative register values (R[1] negative, R[4]=1).
- The vulnerable code path is inside RarVM::ExecuteStandardFilter in mpengine.dll (Windows Defender) and unrar's rarvm.cpp. Monitor mpengine.dll processing RAR archives for memory corruption crashes or anomalous process termination.
- The mpengine.dll code is derived from unrar ≤ 4.2.4 and still processes the VMSF_UPCASE filter (removed in unrar 5.0). Presence of VMSF_UPCASE filter blocks in a RAR file submitted to Windows Defender is an indicator of a potentially crafted/malicious archive targeting this old code path.
- The vulnerability affects unrar before 5.5.5 and Sophos Anti-Virus Threat Detection Engine before 3.37.2. The Windows Defender variant is a separate but related issue in mpengine.dll derived from unrar ≤ 4.2.4. Debian packages fixed in unrar-nonfree 0.99-4 (bookworm, bullseye, sid, trixie).
- The blanket signed-to-unsigned variable conversion applied in mpengine.dll (intended to fix the original CVE-2012-6706 signedness issues) inadvertently removed the PosR<0 guard, introducing the VMSF_RGB out-of-bounds write. The two bugs share the same root CVE but have distinct exploitation mechanics.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
Debian
vendor_debian · 2012 · CVSS 9.8
CVE-2012-6706 [CRITICAL]: libclamunrar - A VMSF_DELTA memory corruption was discovered in unrar before 5.5.5, as used in Sophos Anti-Virus Threat Detection Engine before 3.37.2 and other products, that can lead to arbitrary code execution. An integer overflow can be caused in DataSize+CurChannel. The result is a negative value of the "DestPos" variable, which allows the attacker to write out of bounds when setting Mem[DestPos].
Scope: local
bookworm: resolved (fixed in 0.99-4)
bullseye: resolved (fixed in 0.99-4)
sid: resolved (fixed in 0.99-4)
trixie: resolved (fixed in 0.99-4)
GHSA
ghsa_unreviewed · 2022-05-14
GHSA-x9pf-gc5f-vghh (CVE-2012-6706) [CRITICAL] CWE-190
OSV
osv · 2017-06-22 · CVSS 9.8
CVE-2012-6706 [CRITICAL]
No detection rules found.
No writeups or analysis indexed.
References
- http://securitytracker.com/id?1027725
- http://telussecuritylabs.com/threats/show/TSL20121207-01
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1286
- https://community.sophos.com/kb/en-us/118424#six
- https://kc.mcafee.com/corporate/index?page=content&id=SB10205
- https://lock.cmpxchg8b.com/sophailv2.pdf
- https://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/
- https://security.gentoo.org/glsa/201708-05
- https://security.gentoo.org/glsa/201709-24
- https://security.gentoo.org/glsa/201804-16