SecurityTracker.com
Category: Application (Generic) > WinRAR
Vendors: Roshal, Eugene
WinRAR Buffer Overflow May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1005972
SecurityTracker URL: http://securitytracker.com/id/1005972
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jan 23 2003
Impact: Execution of arbitrary code via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 3.10 and prior versions
Description: A buffer overflow vulnerability was reported in the WinRAR archive extraction utility. A remote user can create a malicious archive that, when opened, will cause arbitrary code to be executed.

It is reported that if the archive contains a file extension longer than 256 bytes, a buffer overflow can be triggered in 'winrar.exe'. The overflow occurs when the archive contents are listed in the ListView Control Window. The overflow can be exploited to cause WinRAR to crash or execute arbitrary code with the privileges of the WinRAR user.

Impact: A remote user could create a malicious archive that will cause arbitrary code to be executed when WinRAR opens the archive.
Solution: The vendor has released a fixed version (3.11), available at:

http://www.rarlab.com/download.htm

Vendor URL: www.rarlab.com/rarnew.htm
Cause: Boundary error
Underlying OS: Windows (Any)

Message History: None.


Source Message Contents

Date: Tue, 21 Jan 2003 23:42:34 +0900
Subject: WinRAR buffer overflow vulnerability


Hello everybody.

We found a vulnerability in WinRAR 3.10 and lower versions,
and reported the details to the author of this software on 2003/01/12.

Fixed version 3.11 of WinRAR has been released,
so we are releasing the information about this vulnerability.

----------------------------------------------------------
   Synopsis: WinRAR buffer overflow vulnerability
             in file extensions
    Product: WinRAR
    Version: 3.10 or lower version
     Vendor: RARLab (http://www.rarlab.com/)
             Eugene Roshal <roshal@rarlab.com>
       Risk: Execute arbitrary binary code
     Remote: No
      Local: Yes
 Discovered: nesumin@softhome.net
   Reported: 2003-01-12
  Published: 2003-01-21
----------------------------------------------------------

Product Information:

  WinRAR is a GUI archive manager for Windows.
  pack   : RAR, ZIP
  unpack : RAR, ZIP, ACE, CAB, LZH, GZip, etc.


Overview:

  When WinRAR opens an archive which includes a "long file
  extension" inside it, a buffer overflow occurs on the stack.
  This is a generally exploitable buffer overflow.

  If a WinRAR user opens a malicious archive file, there is
  a danger of system destruction, virus infection, etc.

  This vulnerability exists only in "winrar.exe",
  not in the command-line tool.

Tested:

  WinRAR
    WinRAR 3.11 English Edition
    WinRAR 3.10 English Edition
    WinRAR 3.00 English Edition
    WinRAR 2.90 English Edition
    and the Japanese editions of these versions.

  Platform
    Windows98SE JP
    Windows2000 JP
    WindowsXP   JP

  Tested with ZIP archive files and RAR archive files that
  contain a 0-size file.


Vulnerable (tested):

  WinRAR 3.10
  WinRAR 3.00
  WinRAR 2.90


Not vulnerable (tested):

  WinRAR 3.11


Vendor status:

  Eugene Roshal <roshal@rarlab.com> released new version 3.11
  of WinRAR, which fixes this problem, on 17 January 2003.
  Very fast reply and fix.

  See also the official announcement on the RARLab site.
  (http://www.rarlab.com/)

  You should upgrade to version 3.11 or higher soon
  if you are using a vulnerable version.


Details:

  When WinRAR opens an archive file, it displays the file list
  of the archive in a ListView control window.

  If a "long file extension" over 256 bytes exists in this file
  list, a buffer overflow occurs. (This may apply not only inside
  archives but also to general files.)

  The RET address is at offset 260 from ".".
  (The offset value includes the first ".")

  And the ESP register points to the address at offset 264 from ".",
  the area right after the RET address.

  If the RET address is overwritten with the address of
  a "jmp ESP" and the next area is overwritten with
  arbitrary binary code, the binary code can be executed.

  Note:
  A file extension is data that starts with 0x2e and excludes
  0x2e, 0x2f, 0x5c, 0x00.

  In the case of offset 260, the size available for
  binary code may not be enough on 3.00en and 2.90.

  But an offset which can control EIP still exists, other than 260.
  However, those offset values differ per version
  and language edition.

  3.00en, 2.90en and 2.90ja are 552, 3.00ja is 557,
  3.10en is 692, 3.10ja is 697.

  The RET address in this case may be the exception handler's :)


Sample code:

  We are not releasing the sample exploit source code,
  at the request of the WinRAR author.


Contact, etc.:

  nesumin <nesumin@softhome.net> discovered and tested.

  Cooperators: (thanks)
    melorin, imagine.



----------------------------------------------------------

nesumin <nesumin@softhome.com>
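As an added defensive example (not part of the advisory, and not WinRAR's or RARLab's code), the check below applies the advisory's definition of a file extension (starts at 0x2e, ends at 0x2e, 0x2f, 0x5c or 0x00, leading "." counted) to the entry names of a ZIP archive and flags any extension longer than 256 bytes, the trigger the advisory and the SecurityTracker description name. The archive it scans is a constructed fixture built in memory; the 256-byte limit and the extension rule come from the page, everything else is an assumption of this example.

```python
import io
import zipfile

# Extension rule as stated in the advisory's note: an extension starts at 0x2e
# ('.') and runs until 0x2e, 0x2f, 0x5c or 0x00 (or the end of the name).
# The advisory counts the leading '.' in its offsets, so it is counted here too.
EXT_TERMINATORS = frozenset(b".\x2f\x5c\x00")
MAX_SAFE_EXT = 256  # advisory: extensions longer than 256 bytes overflow

def extension_lengths(name: bytes) -> list:
    """Byte lengths of every extension-like run in a raw archive entry name."""
    lengths, i = [], 0
    while i < len(name):
        if name[i] == 0x2E:
            j = i + 1
            while j < len(name) and name[j] not in EXT_TERMINATORS:
                j += 1
            lengths.append(j - i)  # includes the leading '.'
            i = j
        else:
            i += 1
    return lengths

def longest_extension(name: bytes) -> int:
    return max(extension_lengths(name), default=0)

def scan_zip(data: bytes, limit: int = MAX_SAFE_EXT) -> list:
    """Return [(entry_name, longest_ext_bytes)] for entries over the limit."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Recover the stored bytes: zipfile decodes names as UTF-8 when
            # general-purpose flag bit 11 is set, otherwise as cp437.
            enc = "utf-8" if info.flag_bits & 0x800 else "cp437"
            n = longest_extension(info.orig_filename.encode(enc))
            if n > limit:
                flagged.append((info.filename, n))
    return flagged

def build_sample_zip() -> bytes:
    """Constructed fixture, not from the advisory: two ordinary entries plus
    one zero-size entry whose extension is 301 bytes (over the 256 limit)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("doc.tar.gz", b"")
        zf.writestr("x." + "A" * 300, b"")
    return buf.getvalue()
```

A mail gateway or endpoint scanner can run scan_zip over inbound archives and quarantine anything it returns before the file reaches a vulnerable WinRAR 3.10 or earlier.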


Copyright 2012, SecurityGlobal.net LLC