WinRAR buffer overflow vulnerability

From: nesumin (nesuminat_private)
Date: Tue Jan 21 2003 - 06:42:34 PST


    Hello everybody.
    
    We found a vulnerability in WinRAR 3.10 and lower versions,
    and reported the details to the author of this software on 2003/01/12.
    
    The fixed version 3.11 of WinRAR has been released,
    so we are releasing the information about this vulnerability.
    
       ___________________________________________________
    
    ----------------------------------------------------------
       Synopsis: WinRAR buffer overflow vulnerability
                 in file extensions
        Product: WinRAR
        Version: 3.10 and lower
         Vendor: RARLab (http://www.rarlab.com/)
                 Eugene Roshal <roshalat_private>
           Risk: Execution of arbitrary binary code
         Remote: No
          Local: Yes
     Discovered: nesuminat_private
       Reported: 2003-01-12
      Published: 2003-01-21
    ----------------------------------------------------------
    
    Product Information :
    
      WinRAR is a GUI archive manager for Windows.
      pack   : RAR, ZIP
      unpack : RAR, ZIP, ACE, CAB, LZH, GZip, etc.
    
    
    Overview :
    
      When WinRAR opens an archive that contains an entry with a
      "long file extension", a buffer on the stack overflows.
      This is an ordinary, exploitable stack buffer overflow.
      
      If a WinRAR user opens a malicious archive file, this opens
      the door to dangerous consequences such as system
      destruction, virus infection, etc.
    
      This vulnerability exists only in "winrar.exe" (the GUI);
      it is not present in the command line tool.
    
    Tested :
    
      WinRAR
        WinRAR 3.11 English Edition
        WinRAR 3.10 English Edition
        WinRAR 3.00 English Edition
        WinRAR 2.90 English Edition
        and the Japanese Editions of these versions.
      
      Platform
        Windows98SE JP
        Windows2000 JP
        WindowsXP   JP
    
      Tested with ZIP archive files and RAR archive files that
      contain a 0-byte file.
    
    
    Vulnerable (tested) :
    
      WinRAR 3.10
      WinRAR 3.00
      WinRAR 2.90
    
    
    Not vulnerable (tested) :
    
      WinRAR 3.11
    
    
    Vendor status :
    
      On 17 January 2003 Eugene Roshal <roshalat_private> released
      WinRAR 3.11, which fixes this problem.
      Very fast reply and fix.
    
      See also the official announcement on the RARLab site.
      (http://www.rarlab.com/)
    
      If you are using a vulnerable version, upgrade to version
      3.11 or higher as soon as possible.
    
    
    Details :
    
      When WinRAR opens an archive file, it displays the archive's
      file list in a ListView control window.
    
      If a "long file extension" of over 256 bytes appears in this
      file list, a buffer overflow occurs. (This may apply not only
      to entries inside archives but also to ordinary files.)
    
      In that case, the RET address lies at offset 260 from the ".".
      (The offset value includes the leading ".")
      
      The ESP register points to offset 264 from the ".",
      i.e. the area immediately after the RET address.
    
      If the RET address is overwritten with the address of a
      "jmp ESP" instruction and the area after it is overwritten
      with arbitrary binary code, that binary code is executed.
    
      Note.
      A file extension is data that starts with 0x2e and contains
      none of 0x2e, 0x2f, 0x5c, 0x00.
    
      In the offset-260 case, there may not be enough room for
      binary code in 3.00en and 2.90.
    
      However, other offsets that control EIP exist besides 260.
      Those offset values differ per version and language edition:
    
      3.00en, 2.90en and 2.90ja: 552; 3.00ja: 557;
      3.10en: 692; 3.10ja: 697.
    
      The RET address in this case may be an Exception Handler's :)
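    The following is an added example, not code from the advisory or from
    RARLab: a small triage scanner that walks a ZIP central directory,
    measures each entry's extension using the definition in the Note above
    (starts at a "." and contains no ".", "/", "\" or NUL), and flags any
    entry whose extension exceeds the 256 bytes the advisory names as the
    overflow threshold. Since the advisory says the test files were ZIP and
    RAR archives holding a 0-byte file, the block also builds such a ZIP in
    memory as constructed test data; the 256-byte limit, the helper names
    and the archive layout are the example's own assumptions.

```c
/* Added example (not from the advisory or RARLab): flag ZIP entries whose
 * extension, as the advisory defines it, is longer than 256 bytes.
 * The archive built by build_zip() is constructed test data. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXT_LIMIT 256   /* assumed buffer size: the advisory says "over 256 bytes" */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Extension length, counting the leading '.', per the advisory's Note:
 * it starts at a '.' and may not contain '.', '/', '\\' or NUL. A later
 * '.' starts a new extension; a later '/', '\\' or NUL cancels it. */
size_t ext_len(const uint8_t *name, size_t n)
{
    size_t start = n;                       /* n means "no extension so far" */
    for (size_t i = 0; i < n; i++) {
        if (name[i] == '.')
            start = i;
        else if (name[i] == '/' || name[i] == '\\' || name[i] == 0)
            start = n;
    }
    return start == n ? 0 : n - start;
}

/* Walk the central directory; return how many entries carry an extension
 * longer than EXT_LIMIT, or -1 if the archive is malformed. */
int scan_zip(const uint8_t *zip, size_t len)
{
    if (len < 22) return -1;
    size_t eocd = len - 22;                 /* search back for the EOCD signature */
    while (rd32(zip + eocd) != 0x06054b50) {
        if (eocd == 0) return -1;
        eocd--;
    }
    uint16_t count = rd16(zip + eocd + 10); /* total central directory entries */
    size_t pos = rd32(zip + eocd + 16);     /* offset of the central directory */
    int flagged = 0;
    for (uint16_t i = 0; i < count; i++) {
        if (pos + 46 > len || rd32(zip + pos) != 0x02014b50) return -1;
        uint16_t nlen = rd16(zip + pos + 28);
        uint16_t xlen = rd16(zip + pos + 30);
        uint16_t clen = rd16(zip + pos + 32);
        if (pos + 46 + nlen > len) return -1;
        size_t el = ext_len(zip + pos + 46, nlen);
        if (el > EXT_LIMIT) { printf("entry %u: %zu-byte extension\n", i, el); flagged++; }
        pos += 46u + nlen + xlen + clen;
    }
    return flagged;
}

/* Constructed test data: a minimal stored ZIP with one zero-byte entry
 * (the shape the advisory says was tested). Returns bytes written, 0 on error. */
size_t build_zip(uint8_t *out, size_t cap, const char *name)
{
    size_t nlen = strlen(name);
    size_t total = 30 + nlen + 46 + nlen + 22;
    if (nlen > 0xFFFF || total > cap) return 0;
    memset(out, 0, total);                  /* CRC, sizes, dates all stay 0 */
    uint8_t *lh = out, *cd = out + 30 + nlen, *eo = cd + 46 + nlen;
    wr32(lh, 0x04034b50); wr16(lh + 4, 20); wr16(lh + 26, (uint16_t)nlen);
    memcpy(lh + 30, name, nlen);
    wr32(cd, 0x02014b50); wr16(cd + 4, 20); wr16(cd + 6, 20);
    wr16(cd + 28, (uint16_t)nlen); wr32(cd + 42, 0);   /* local header at offset 0 */
    memcpy(cd + 46, name, nlen);
    wr32(eo, 0x06054b50); wr16(eo + 8, 1); wr16(eo + 10, 1);
    wr32(eo + 12, (uint32_t)(46 + nlen)); wr32(eo + 16, (uint32_t)(30 + nlen));
    return total;
}

/* Build an archive whose single entry "a.AAA..." has an extension of
 * 1 + ext_chars bytes and return scan_zip's verdict for it. */
int scan_constructed(size_t ext_chars)
{
    static char name[1024];
    static uint8_t zip[4096];
    if (ext_chars + 2 >= sizeof name) return -1;
    name[0] = 'a'; name[1] = '.';
    memset(name + 2, 'A', ext_chars);
    name[ext_chars + 2] = 0;
    return scan_zip(zip, build_zip(zip, sizeof zip, name));
}

int main(void)
{
    printf("normal entry flagged: %d\n", scan_constructed(3));
    printf("301-byte extension flagged: %d\n", scan_constructed(300));
    return 0;
}
```

    The scanner only reads the central directory, so it never decompresses
    anything; to check a real file, read it into memory and pass it to
    scan_zip(). RAR archives would need their own header parser, which this
    example does not include.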
    
    
    Sample code :
    
      We are not releasing the sample exploit source code,
      at the request of the WinRAR author.
    
    
    Contact and Etc... :
    
      nesumin <nesuminat_private> discovered and tested.
    
      Cooperators: (thanks)
        melorin, imagine.
    
    
    
    ----------------------------------------------------------
    
    nesumin <nesuminat_private>
    



    This archive was generated by hypermail 2b30 : Wed Jan 22 2003 - 13:45:31 PST