CVE-2005-3231
Description
Multiple interpretation error in unspecified versions of CAT Quick Heal allows remote attackers to bypass virus detection via a malicious executable in a specially crafted RAR file with malformed central and local headers, which can still be opened by products such as Winrar and PowerZip, even though they are rejected as corrupted by Winzip and BitZipper.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:cat:quick_heal:*:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
Root cause
"Multiple interpretation error: CAT Quick Heal and other antivirus engines parse the RAR central/local headers differently than archivers like WinRAR, so a malformed RAR file that appears corrupted to the scanner still extracts correctly, allowing a malicious executable to bypass virus detection."
Attack vector
An attacker crafts a RAR archive with deliberately malformed central and local headers. Antivirus software (including CAT Quick Heal) interprets the headers as corrupt and either skips scanning or fails to detect the embedded malicious payload. However, archivers such as WinRAR and PowerZip tolerate the malformation and extract the file normally [ref_id=1]. The attacker delivers the crafted archive to a victim; when the victim extracts it with a compatible archiver, the malicious executable is released onto the system. The bypassed malicious content does not pose a risk until extracted from the RAR archive file [ref_id=1].
Affected code
The advisory does not identify specific functions or file paths in CAT Quick Heal. The vulnerability lies in the RAR parsing logic of the antivirus engine, which interprets malformed central and local headers differently than archivers like WinRAR and PowerZip [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory does not specify a fix from CAT Quick Heal or any other affected vendor [ref_id=1]. The recommended remediation is for antivirus vendors to align their RAR parsing logic with that of common archivers so that malformed headers do not cause the scanner to skip the embedded content. Users should ensure their antivirus software is updated to a version that correctly handles specially crafted RAR archives.
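Independently of the vendor's parser, a mail or download gateway can fail closed on the condition described above: an archive the scanner cannot parse is held instead of being passed unscanned. The sketch below is an added example, not code from the advisory or from any vendor. It assumes the RAR 1.5-4.x block layout; the function names, the quarantine policy and the sample bytes are constructed for illustration, and the damaged sample is a simple flipped CRC byte, since the advisory does not specify the actual malformation.

```python
import struct
import zlib

RAR4_MARKER = b"Rar!\x1a\x07\x00"  # signature of the RAR 1.5-4.x container
BASE = 7              # HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2)
LONG_BLOCK = 0x8000   # header is followed by ADD_SIZE bytes of data
FILE_HEAD = 0x74      # file headers always carry a packed-data size

def walk_blocks(data):
    """Return [(type, offset)] for every block, or raise ValueError on any anomaly."""
    if not data.startswith(RAR4_MARKER):
        raise ValueError("missing RAR4 marker")
    pos, blocks = len(RAR4_MARKER), []
    while pos < len(data):
        if pos + BASE > len(data):
            raise ValueError(f"truncated header at offset {pos}")
        crc, htype, flags, size = struct.unpack_from("<HBHH", data, pos)
        if size < BASE or pos + size > len(data):
            raise ValueError(f"bad HEAD_SIZE at offset {pos}")
        if zlib.crc32(data[pos + 2:pos + size]) & 0xFFFF != crc:
            raise ValueError(f"header CRC mismatch at offset {pos}")
        add = 0
        if flags & LONG_BLOCK or htype == FILE_HEAD:
            if size < BASE + 4:
                raise ValueError(f"missing ADD_SIZE at offset {pos}")
            add = struct.unpack_from("<I", data, pos + BASE)[0]
        if pos + size + add > len(data):
            raise ValueError(f"data overruns file at offset {pos}")
        blocks.append((htype, pos))
        pos += size + add
    return blocks

def triage(data):
    """Fail closed: an archive the scanner cannot parse is held, never passed."""
    try:
        return "scan", len(walk_blocks(data))
    except ValueError as exc:
        return "quarantine", str(exc)

def make_block(htype, flags, body=b"", payload=b""):
    """Build one well-formed block (constructed test data, not a real file entry)."""
    tail = struct.pack("<BHH", htype, flags, BASE + len(body)) + body
    return struct.pack("<H", zlib.crc32(tail) & 0xFFFF) + tail + payload

# Constructed samples: main header, one data-carrying block, end-of-archive block.
GOOD = (RAR4_MARKER + make_block(0x73, 0, bytes(6))
        + make_block(FILE_HEAD, LONG_BLOCK, struct.pack("<I", 5), b"hello")
        + make_block(0x7B, 0))
DAMAGED = GOOD[:7] + bytes([GOOD[7] ^ 0xFF]) + GOOD[8:]  # main header CRC corrupted
```

A "quarantine" result here means the file goes to an analyst or a sandbox; it is never treated as a clean verdict.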
Preconditions
- input: Attacker must craft a RAR file with malformed central and local headers that is rejected as corrupted by the antivirus but accepted by archivers like WinRAR.
- network: Attacker must deliver the crafted RAR file to the victim (e.g., via email, download, or other means).
- auth: No authentication required; the attack relies on the victim opening the archive.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References