From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Subject: Winrar doesn't determine the actual size of compressed files

Tested with 3.20 - can't reproduce. It says "file is corrupt", I press "close" - nothing happened...

Rainer

> -----Original Message-----
> From: Bipin Gautam [mailto:door_hUNT3R@...ckcodemail.com] 
> Sent: Tuesday, September 09, 2003 1:02 PM
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Winrar doesn't determine the 
> actual size of compressed files
> 
> 
> ---[ about WinRAR]---
> Winrar (http://www.rarsoft.com/) is one of the most popular 
> file compression utilities for Windows. 
> 
> --[summary]---
> Winrar incorrectly determines the actual size of compressed 
> files saved in .rar format by reading its header information. 
> 
> --[details]--
> Recently we managed to devise a technique to spoof the header 
> and create a valid CRC checksum. Later we found that Winrar 
> only depends on its header information and CRC check sum to 
> determine the size and integrity of .rar files. Before 
> uncompressing .rar files, Winrar pre-allocates space 
> according to the actual file size specified in the header to 
> avoid fragmentation. But pre-allocation occurs without 
> checking the available hdd space. Then it goes extracting, 
> even if the hdd size is less than the size of the files. We 
> did a test by extracting 1GB files on a hdd with 700MB free space.
> 
> Surprisingly, we later discovered that even on detecting 
> header corruption WinRAR doesn't enforce aborting the extraction 
> process. This led WinRAR to believe that the actual size is 
> correct. We managed to exploit this and create a proof of 
> concept to demonstrate this problem by changing the actual 
> file size in its header. When it starts extracting it 
> doesn't find any valid data in the archive and on the basis 
> of its header it attempts to extract 1 gigabyte of data and 
> simply goes on writing "0x00", filling up valuable hdd space. 
> 
> --[Proof of concept]-- 
> The proof of concept is a valid .rar file which is just 100 
> bytes but its header has been forged to fool Winrar into 
> thinking that it's a 1 gigabyte file by forging its header 
> and creating a valid CRC checksum. All versions of Winrar 
> (up to 3.20 - latest version to date) seem to be vulnerable.
> 
> The proof of concept of .rar file can be obtained from the 
> following URL: http://www.geocities.com/visitbipin/test123.zip 
> If you extract the file Winrar will try to extract this 100 
> bytes .rar file trusting the information in its header but 
> not on the basis of its data integrity.
> 
> --[Background Information]--
> This bug was originally discovered by hUNT3R, a member of 01 
> Security Submission. The vendor was notified via email. 
> Further discussion took place in 01 Security Submission's 
> forum with the developer of Winrar (Eugene Roshal): 
> URL: http://www.ysgnet.com/phorum/read.php?f=1&i=341&t=324#reply_341 
> 
> ---[about 01 security submission]---
> 01s.s is a small group having experience as security 
> specialists, programmers and system administrators
> http://www.ysgnet.com/hn.
> 
> 
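Added example (not code from this thread or from WinRAR): a Python check that parses RAR 2.9 file headers and refuses to take the declared unpacked size on trust, flagging entries that exceed free space, stored entries whose packed and unpacked sizes disagree, and packed data that runs past the end of the archive. The header layout follows the RAR 2.9 technote; `build_sample`, the `test.bin` name, the 700MB free-space figure and both sample archives are constructed for the example, and the header CRC is deliberately not consulted, since the report's point is that a CRC-valid header can still lie.

```python
import struct

MARKER = b"Rar!\x1a\x07\x00"
FILE_HDR = struct.Struct("<HBHHIIBIIBBHI")  # fixed part of a RAR 2.9 file header, 32 bytes
HEAD_FILE, METHOD_STORE, LHD_LARGE, LONG_BLOCK = 0x74, 0x30, 0x0100, 0x8000


def iter_file_entries(data: bytes):
    """Walk the block chain; yield (name, method, pack_size, unp_size, data_end) per file."""
    if not data.startswith(MARKER):
        raise ValueError("not a RAR archive")
    pos = len(MARKER)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            raise ValueError(f"bad header size at offset {pos}")
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if flags & LONG_BLOCK else 0
        if htype == HEAD_FILE:
            f = FILE_HDR.unpack_from(data, pos)
            pack, unp, method, name_size = f[4], f[5], f[10], f[11]
            off = pos + FILE_HDR.size
            if flags & LHD_LARGE:  # 64-bit sizes: high dwords follow the fixed part
                hi_pack, hi_unp = struct.unpack_from("<II", data, off)
                pack, unp, off = pack | hi_pack << 32, unp | hi_unp << 32, off + 8
            name = data[off:off + name_size].decode("latin-1")
            yield name, method, pack, unp, pos + hsize + pack
        pos += hsize + add_size


def audit(data: bytes, free_bytes: int):
    """Return (name, problem) pairs; an empty list means the declared sizes are credible."""
    findings = []
    for name, method, pack, unp, data_end in iter_file_entries(data):
        if data_end > len(data):
            findings.append((name, f"packed data truncated by {data_end - len(data)} bytes"))
        if method == METHOD_STORE and pack != unp:
            findings.append((name, f"stored entry but packed {pack} != unpacked {unp}"))
        if unp > free_bytes:  # the check the report says pre-allocation skips
            findings.append((name, f"unpacked size {unp} exceeds free space {free_bytes}"))
    return findings


def build_sample(unp_size: int, payload: bytes, name: bytes = b"test.bin") -> bytes:
    """Constructed test archive; HEAD_CRC is left 0 because this check never relies on it."""
    archive_hdr = struct.pack("<HBHHHI", 0, 0x73, 0, 13, 0, 0)
    file_hdr = FILE_HDR.pack(0, HEAD_FILE, LONG_BLOCK, FILE_HDR.size + len(name), len(payload),
                             unp_size, 0, 0, 0, 29, METHOD_STORE, len(name), 0x20) + name
    return MARKER + archive_hdr + file_hdr + payload


FREE_700MB = 700 * 1024 * 1024
BOGUS = build_sample(1 << 30, b"\x00" * 10)  # claims 1 GiB but carries 10 bytes, like the PoC
HONEST = build_sample(10, b"\x00" * 10)
```

Running `audit(BOGUS, FREE_700MB)` reports both the stored-size mismatch and the free-space overrun before a single byte is pre-allocated, while `audit(HONEST, FREE_700MB)` returns nothing.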