BugTraq
WinRAR buffer overflow vulnerability Jan 21 2003 02:42PM
nesumin (nesumin softhome net) (1 replies)
Re: WinRAR buffer overflow vulnerability < (probleme) Jan 25 2003 10:35AM
Vergoz Michael (SYSDOOR) (mvergoz sysdoor Com)
Hiya all,

> When WinRAR opens an archive which includes a "long file
> extension" inside, a buffer overflow occurs on the stack.
> This is a generally exploitable buffer overflow.

There is no buffer overflow in the file header, or perhaps you/I have missed
something in your paper.
I have been working on this vuln for 1 week with a friend...

When we modified the header, WinRAR said: "Invalid format", and that's all.

Well, the question is perhaps I have to make a valid header that can do the
exception. @#!:

WinRAR is like a Word file; it uses 2 things:
- Length of file
- A file print (we don't know how it works.)

Can you give us more information, please?

rgds
des.

Sent: Tuesday, January 21, 2003 3:42 PM
Subject: WinRAR buffer overflow vulnerability

> Hello everybody.
>
> We found a vulnerability in WinRAR 3.10 or lower versions,
> and reported details to the author of this software on 2003/01/12.
>
> The fixed version 3.11 of WinRAR was released,
> so we release the information about this vulnerability.
>
>
> ----------------------------------------------------------
> Synopsis: WinRAR buffer overflow vulnerability
> in file extensions
> Product: WinRAR
> Version: 3.10 or lower version
> Vendor: RARLab (http://www.rarlab.com/)
> Eugene Roshal <roshal (at) rarlab (dot) com [email concealed]>
> Risk: Execute arbitrary binary code
> Remote: No
> Local: Yes
> Discovered: nesumin (at) softhome (dot) net [email concealed]
> Reported: 2003-01-12
> Published: 2003-01-21
> ----------------------------------------------------------
>
> Product Information :
>
> WinRAR is an archive manager on Windows (GUI).
> pack: RAR, ZIP
> unpack: RAR, ZIP, ACE, CAB, LZH, GZip, etc.
>
>
> Overview:
>
> When WinRAR opens an archive which includes a "long file
> extension" inside, a buffer overflow occurs on the stack.
> This is a generally exploitable buffer overflow.
>
> If a WinRAR user opens a malicious archive file, there is
> a danger of system destruction, virus infection, etc.
>
> This vulnerability exists only in "winrar.exe",
> not in the command line tool.
>
> Tested:
>
> WinRAR
> WinRAR 3.11 English Edition
> WinRAR 3.10 English Edition
> WinRAR 3.00 English Edition
> WinRAR 2.90 English Edition
> and the Japanese Edition of these versions.
>
> Platform
> Windows98SE JP
> Windows2000 JP
> WindowsXP JP
>
> Tested with Zip archive files and RAR archive files that have
> a 0-size file.
>
>
> Vulnerable in tested:
>
> WinRAR 3.10
> WinRAR 3.00
> WinRAR 2.90
>
>
> Not vulnerable in tested:
>
> WinRAR 3.11
>
>
> Vendor status:
>
> Eugene Roshal <roshal (at) rarlab (dot) com [email concealed]> released on 17 January 2003
> the new version 3.11 of WinRAR, which fixed this problem.
> Very fast reply and fix.
>
> See also the official announcement in RARLab site.
> (http://www.rarlab.com/)
>
> You should upgrade to version 3.11 or higher soon
> if you are using a vulnerable version.
>
>
> Details:
>
> When WinRAR opens an archive file, it displays the file list
> of the archive in a ListView Control Window.
>
> If a "long file extension" over 256 bytes exists in this file
> list, a buffer overflow occurs. (Maybe not only inside
> archives but also in general files.)
>
> Then, the RET address is at offset 260 from ".".
> (The offset value includes the first ".")
>
> And the ESP register points to the address at offset 264 from ".",
> the area next to the RET address.
>
> If the RET address is overwritten with the address of
> a "jmp ESP" and the next area is overwritten with
> arbitrary binary code, the binary code can be executed.
>
> Note:
> A file extension is data that starts from 0x2e and excludes
> 0x2e, 0x2f, 0x5c, 0x00.
>
> In the case of offset 260, there may not be enough space to use
> for binary code on 3.00en and 2.90.
>
> But an offset which can control EIP still exists, other than 260.
> However, those offset values are different per version
> and language edition.
>
> 3.00en and 2.90en and 2.90ja are 552, 3.00ja is 557,
> 3.10en is 692, 3.10ja is 697.
>
> The RET address in this case may be the Exception Handler's :)
>
>
> Sample code:
>
> We do not release the sample exploit source code,
> at the request of the WinRAR author.
>
>
> Contact and etc.:
>
> nesumin <nesumin (at) softhome (dot) net [email concealed]> discovered and tested.
>
> Cooperator: (thanks)
> melorin, imagine.
>
>
>
> ----------------------------------------------------------
>
> nesumin <nesumin (at) softhome (dot) com [email concealed]>
>
>
>

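A defender-side check for the condition the quoted advisory describes (an archive entry whose file extension runs past 256 bytes), as an added example that is not code from either poster or from RARLab. It walks the local file headers of a ZIP byte string and applies the advisory's own definition of an extension (data starting at 0x2e, ending at 0x2e, 0x2f, 0x5c or 0x00). Assumptions, mine rather than the page's: "over 256 bytes" is read as the byte count after the ".", only plain (non-ZIP64) local file headers are parsed, and the sample archive is constructed here with Python's zipfile module, holding a 0-byte entry as the advisory's test archives did.

```python
"""Flag ZIP entries whose file extension exceeds the 256-byte limit named in
the advisory.

Added example; not the advisory author's, the reply author's or RARLab's code.
Assumptions: an extension is the byte run after a 0x2e up to the next 0x2e,
0x2f, 0x5c or 0x00 (the advisory's definition); "over 256 bytes" is counted
after the '.'; only plain (non-ZIP64) ZIP local file headers are parsed.
The sample archive below is constructed with Python's zipfile module.
"""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
# sig, version, flag, method, time, date, crc, csize, usize, name len, extra len
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes
DATA_DESCRIPTOR_FLAG = 0x0008
EXT_LIMIT = 256                                       # threshold quoted in the advisory
EXT_TERMINATORS = {0x2E, 0x2F, 0x5C, 0x00}            # bytes the advisory excludes


def extension_lengths(name: bytes) -> list:
    """Length (bytes after the '.') of every extension in a raw file name.

    Follows the advisory's definition: an extension starts at 0x2e and runs
    until 0x2e, 0x2f, 0x5c or 0x00.  b"a.tar.gz" -> [3, 2].
    """
    lengths = []
    i, n = 0, len(name)
    while i < n:
        if name[i] == 0x2E:
            j = i + 1
            while j < n and name[j] not in EXT_TERMINATORS:
                j += 1
            lengths.append(j - (i + 1))
            i = j
        else:
            i += 1
    return lengths


def iter_local_file_names(data: bytes):
    """Yield the raw file name from each ZIP local file header, in order."""
    pos = 0
    while (pos + LOCAL_HEADER_LEN <= len(data)
           and data[pos:pos + 4] == LOCAL_HEADER_SIG):
        (_sig, _ver, flag, _method, _time, _date, _crc,
         csize, _usize, nlen, xlen) = struct.unpack(
            LOCAL_HEADER_FMT, data[pos:pos + LOCAL_HEADER_LEN])
        start = pos + LOCAL_HEADER_LEN
        yield data[start:start + nlen]
        pos = start + nlen + xlen + csize
        if flag & DATA_DESCRIPTOR_FLAG:
            # Sizes live in a trailing data descriptor, so csize above was 0;
            # resynchronise on the next local header signature.
            pos = data.find(LOCAL_HEADER_SIG, pos)
            if pos < 0:
                return


def scan_zip_bytes(data: bytes, limit: int = EXT_LIMIT) -> list:
    """Return (name, longest extension length) for every entry over the limit."""
    findings = []
    for raw_name in iter_local_file_names(data):
        longest = max(extension_lengths(raw_name), default=0)
        if longest > limit:
            findings.append((raw_name.decode("latin-1"), longest))
    return findings


def scan_zip_file(path: str, limit: int = EXT_LIMIT) -> list:
    """Same check against an archive on disk."""
    with open(path, "rb") as fh:
        return scan_zip_bytes(fh.read(), limit)


def build_sample_zip(ext_len: int) -> bytes:
    """Constructed test archive: one benign entry plus one 0-byte entry whose
    extension is ext_len bytes long."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notes.txt", b"hello")
        zf.writestr("readme." + "x" * ext_len, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for n in (3, 300):
        hits = scan_zip_bytes(build_sample_zip(n))
        print(f"extension length {n}: {hits or 'no entry over the limit'}")
```

The parser deliberately reads the local headers rather than trusting the central directory, since that is the file list a viewer has to render; a mail or upload gateway can run `scan_zip_file` on incoming archives and quarantine anything it flags.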