Re: WinRAR buffer overflow vulnerability < (problem)

From: Vergoz Michael (SYSDOOR) (mvergozat_private)
Date: Sat Jan 25 2003 - 02:35:33 PST


    Hiya all,
    
    >   When WinRAR opens an archive which includes a "long file
    >   extension" inside, a buffer overflow occurs on the stack.
    >   This is a generally exploitable Buffer Overflow.
    
    There is no buffer overflow in the file header, or perhaps you/I have missed
    something in your paper.
    I have been working on this vuln for 1 week with a friend...
    
    When we modified the header, WinRAR said: "Invalid format" and that's all.
    
    Well, the question is perhaps I've to make a valid header that can do the
    exception. @#!:
    
    WinRAR is like a Word file; it uses 2 things:
        - Length of file
        - A file print (we don't know how it works.)
    
    Can you give us more information, please?
    
    rgds
    des.
    
    Sent: Tuesday, January 21, 2003 3:42 PM
    Subject: WinRAR buffer overflow vulnerability
    
    
    > Hello everybody.
    >
    > We found vulnerability in WinRAR 3.10 or lower version,
    > and reported details to Author of this Software at 2003/01/12.
    >
    > Fixed version 3.11 of WinRAR was released,
    > so we release the Information about this vulnerability.
    >
    >    ___________________________________________________
    >
    > ----------------------------------------------------------
    >    Synopsis: WinRAR buffer overflow vulnerability
    >              in file extensions
    >     Product: WinRAR
    >     Version: 3.10 or lower version
    >      Vendor: RARLab (http://www.rarlab.com/)
    >              Eugene Roshal <roshalat_private>
    >        Risk: Execute arbitrary binary code
    >      Remote: No
    >       Local: Yes
    >  Discovered: nesuminat_private
    >    Reported: 2003-01-12
    >   Published: 2003-01-21
    > ----------------------------------------------------------
    >
    > Product Information :
    >
    >   WinRAR is an archive manager on Windows. (GUI)
    >   pack   : RAR, ZIP
    >   unpack : RAR, ZIP, ACE, CAB, LZH, GZip, etc..
    >
    >
    > Overview :
    >
    >   When WinRAR opens an archive which includes a "long file
    >   extension" inside, a buffer overflow occurs on the stack.
    >   This is a generally exploitable Buffer Overflow.
    >
    >   If a WinRAR user opens a malicious archive file, there is
    >   the dangerous possibility of system destruction, virus
    >   infection, etc...
    >
    >   This vulnerability exists only in "winrar.exe";
    >   it is not in the command line tool.
    >
    > Tested :
    >
    >   WinRAR
    >     WinRAR 3.11 English Edition
    >     WinRAR 3.10 English Edition
    >     WinRAR 3.00 English Edition
    >     WinRAR 2.90 English Edition
    >     and these versions of the Japanese Edition.
    >
    >   Platform
    >     Windows98SE JP
    >     Windows2000 JP
    >     WindowsXP   JP
    >
    >   Tested ZIP archive files and RAR archive files that have
    >   a 0-size file.
    >
    >
    > Vulnerable (tested) :
    >
    >   WinRAR 3.10
    >   WinRAR 3.00
    >   WinRAR 2.90
    >
    >
    > Not vulnerable (tested) :
    >
    >   WinRAR 3.11
    >
    >
    > Vendor status :
    >
    >   Eugene Roshal <roshalat_private> released new version 3.11 of
    >   WinRAR, which fixes this problem, on 17 January 2003.
    >   Very fast reply and fix.
    >
    >   See also the official announcement on the RARLab site.
    >   (http://www.rarlab.com/)
    >
    >   You should upgrade to version 3.11 or higher soon
    >   if you are using the vulnerable version.
    >
    >
    > Details :
    >
    >   When WinRAR opens an archive file, it displays the file list
    >   of the archive in a ListView Control Window.
    >
    >   If a "long file extension" of over 256 bytes exists in this file
    >   list, a buffer overflow occurs. (maybe not only inside
    >   archives but also in general files)
    >
    >   Then, the RET address is at offset 260 from ".".
    >   (the offset value includes the first ".")
    >
    >   And the ESP register points to the address at offset 264 from ".",
    >   - the next area after the RET address.
    >
    >   If the RET address is overwritten with the address of
    >   a "jmp ESP" and the next area is overwritten with
    >   arbitrary binary code, the binary code can be executed.
    >
    >   Note.
    >   A file extension is data that starts from 0x2e and excludes
    >   0x2e, 0x2f, 0x5c, 0x00.
    >
    >   In the case of offset 260, there may not be enough space for
    >   binary code on 3.00en and 2.90.
    >
    >   But offsets which can control EIP exist besides 260.
    >   However, those offset values differ per version
    >   and language edition.
    >
    >   3.00en, 2.90en and 2.90ja are 552, 3.00ja is 557,
    >   3.10en is 692, 3.10ja is 697.
    >
    >   The RET address in this case may be the Exception Handler's :)
    >
    >
    > Sample code :
    >
    >   We don't release the sample exploit source code,
    >   at the request of the WinRAR author.
    >
    >
    > Contact and Etc... :
    >
    >   nesumin <nesuminat_private>  discovered and tested.
    >
    >   Cooperator: (thanks)
    >     melorin, imagine.
    >
    >
    >
    > ----------------------------------------------------------
    >
    > nesumin <nesuminat_private>
    >
    >
    >
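
The trigger condition the advisory describes (an extension of more than 256 bytes in a member name) can be turned into a simple pre-screening check that runs before an archive ever reaches a vulnerable viewer. The following is an added example, not code from this thread or from RARLab: it uses Python's standard zipfile module to walk the central directory of a ZIP, applies the advisory's own definition of an extension (a run starting at 0x2e and ending at the next 0x2e, 0x2f, 0x5c or 0x00) and flags any member whose longest extension exceeds 256 bytes. The test archive is constructed inline; only ZIP is parsed (RAR parsing is not implemented), and no member data is extracted.

```python
"""Pre-screen ZIP member names for the over-long file extension pattern
described in the quoted advisory.  Added example; not WinRAR or RARLab code."""
import io
import zipfile

# Threshold and extension definition taken from the advisory quoted above.
EXT_LIMIT = 256                              # an extension longer than this overflowed the buffer
EXT_TERMINATORS = {0x2E, 0x2F, 0x5C, 0x00}   # '.', '/', '\\' and NUL end an extension


def extensions(name: bytes):
    """Yield every extension in a member name, using the advisory's definition:
    a run that starts at a '.' and ends before the next '.', '/', '\\' or NUL.
    The leading '.' is counted, matching the way the advisory gives its offsets."""
    i = 0
    while i < len(name):
        if name[i] == 0x2E:
            j = i + 1
            while j < len(name) and name[j] not in EXT_TERMINATORS:
                j += 1
            yield name[i:j]
            i = j
        else:
            i += 1


def longest_extension(name: bytes) -> int:
    """Length in bytes of the longest extension in `name` (0 if it has none)."""
    return max((len(ext) for ext in extensions(name)), default=0)


def scan_zip(data: bytes, limit: int = EXT_LIMIT):
    """Return [(member_name, longest_extension_length)] for every member whose
    longest extension exceeds `limit` bytes.  Only the central directory is
    read; member contents are never extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            raw = info.filename.encode("utf-8", "surrogateescape")
            longest = longest_extension(raw)
            if longest > limit:
                findings.append((info.filename, longest))
    return findings


def build_sample() -> bytes:
    """Constructed test archive (not from the advisory): one benign member and
    one zero-byte member whose extension is 300 bytes long."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"hello")
        zf.writestr("payload." + "A" * 299, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for name, length in scan_zip(build_sample()):
        print(f"FLAG: {length}-byte extension (> {EXT_LIMIT}) in member {name[:20]}...")
```

The same `longest_extension` check can be applied to names from any listing (a mail gateway's attachment scan, a file-share crawler), since the advisory notes the overflow may not be limited to names inside archives; the 256-byte threshold is the advisory's figure and should be lowered if a stricter policy is wanted.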
    



    This archive was generated by hypermail 2b30 : Sat Jan 25 2003 - 06:23:47 PST