CVE-2005-3232

An attacker crafts a RAR archive with deliberately malformed central and local headers. TheHacker's virus scanner interprets the archive as clean (or fails to find the embedded payload) because its parser rejects or misreads the malformed headers. However, archivers such as Winrar and PowerZip still open and extract the file, delivering the malicious executable to the victim. The attack requires no special privileges — the victim only needs to open the crafted archive with a compatible extractor [ref_id=1].

The advisory [ref_id=1] does not specify particular functions or file paths within TheHacker. The vulnerability lies in TheHacker's RAR archive parser, specifically in how it handles malformed central and local headers. No patch or source code is provided in the bundle.

No patch is provided in the bundle. The advisory [ref_id=1] does not describe a fix for TheHacker. The recommended remediation is for antivirus vendors to align their RAR parsing logic with the actual behavior of common extraction tools (Winrar, PowerZip) so that archives those tools can open are also scanned correctly. Without a parser that matches the extractor's tolerance for malformed headers, the bypass remains possible.

1. Obtain the EICAR test file (eicar.com) as a benign virus test payload. 2. Create a RAR archive with malformed central and local headers such that Winrar and PowerZip still extract it but TheHacker's scanner does not detect the embedded content. 3. Submit the crafted archive to a multi-engine scanner (e.g. Jotti, VirusTotal) and observe that TheHacker reports "Found nothing" while the EICAR file is present after extraction [ref_id=1].