lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <004801c37726$dc61b7c0$8f04d882@bzdrnja>
Date: Wed, 10 Sep 2003 11:05:24 +1200
From: "Bojan Zdrnja" <Bojan.Zdrnja@....hr>
To: "'Rainer Gerhards'" <rgerhards@...adiscon.com>,
   <door_hUNT3R@...ckcodemail.com>, <full-disclosure@...ts.netsys.com>
Cc: "'Andre Lorbach'" <alorbach@....adiscon.com>, <bugtraq@...urityfocus.com>
Subject: RE: Winrar doesn't determine the actual size of compressed files


This looks very bad to me.

I've tested it on a Linux machine with unrar 2.71, which comes with most distributions. Same unrar binary is used by anti-virus scanner.

Result is the following:

$ unrar x -v test123.rar

UNRAR 2.71 freeware      Copyright (c) 1993-2000 Eugene Roshal


Extracting from test123.rar

Extracting  MAIL.DWN
MAIL.DWN             - CRC failed
Total errors: 1

As CRC failed, unrar will delete this file immediately but during the extraction it'll create nice 1GB file.

As I wrote above, same unrar binary is used by anti-virus scanner (amavisd-new in this case), so this is creates a very nasty possibility of DoS attack on servers.

Solution is to download and install the latest version from WinRAR's Website:

http://www.rarlab.com/rar_add.htm

Particulary, for Unix/Linux get it's source:

http://www.rarlab.com/rar/unrarsrc-3.2.3.tar.gz


Regards,

Bojan Zdrnja


> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> Rainer Gerhards
> Sent: Wednesday, 10 September 2003 12:46 a.m.
> To: door_hUNT3R@...ckcodemail.com; full-disclosure@...ts.netsys.com
> Cc: Andre Lorbach
> Subject: RE: [Full-Disclosure] Winrar doesn't determine the 
> actual size of compressed files
> 
> 
> This could have very bad implictions on anti-virus software 
> that extracts rar files. As a DoS, you could send, well, some 
> copies of the 100 byte file... I'll try to see if that works 
> with some of the stuff that we have. If it is not just 
> WinRar, this could be *really* bad...
> 
> Rainer
> 
> > -----Original Message-----
> > From: Bipin Gautam [mailto:door_hUNT3R@...ckcodemail.com] 
> > Sent: Tuesday, September 09, 2003 1:02 PM
> > To: full-disclosure@...ts.netsys.com
> > Subject: [Full-Disclosure] Winrar doesn't determine the 
> > actual size of compressed files
> > 
> > 
> > ---[ about WinRAR]---
> > Winrar (http://www.rarsoft.com/) is one of the most popular 
> > file compression utilities for Windows. 
> > 
> > --[summary]---
> > Winrar incorrectly determines the actual size of compressed 
> > files saved in .rar format by reading it's header information. 
> > 
> > --[details]--
> > Recently we managed to devise a technique to spoof the header 
> > and creating a valid CRC checksum. Later we found that Winrar 
> > only depends on it's header information and CRC check sum to 
> > determine the size and integrity of .rar files. Before 
> > uncompressing .rar files, Winrar pre-allocates space 
> > according to the actual file size specified in the header to 
> > avoid fragmentation.But pre-allocation occurs without 
> > checking the available hdd space. Then it goes extracting, 
> > even if the hdd size is less than the size of the files.We 
> > did a test by extracting 1GB files in a hdd with 700MB free space.
> > 
> > Surprisingly, we later discover that even in detecting of 
> > header corruption WinRAR doesn't enforce to avoid extraction 
> > process. this lead WinRAR to believe that the actual size is 
> > correct .We managed to exploit this and create a proof of 
> > concept to demonstrate this problem by changing the actual 
> > file size in it's header. When it starts extracting it 
> > doesn't find any valid data in the archive and on the basis 
> > of it's header it attempts to extract 1 gigabyte of data and 
> > simply goes on writing "0x00" filling up valuable hdd space. 
> > 
> > --[Proof of concept]-- 
> > The proof of concept is a valid .rar file which is just 100 
> > bytes but it's header has been forged to fool Winrar into 
> > thinking that it's a 1 gigabyte file by forging it's header 
> > and creating a valid CRC checksum. All versions of Winrar 
> > (upto 3.20 - latest version till date) seem to be vulnerable.
> > 
> > The proof of concept of .rar file can be obtained from the 
> > following URL: http://www.geocities.com/visitbipin/test123.zip 
> > If you extract the file Winrar will try to extract this 100 
> > bytes .rar file trusting the information in it's header but 
> > not on the basis of it's data integrity.
> > 
> > --[Background Information]--
> > This bug was originally discovered by hUNT3R, a member of 01 
> > Security Sumbission. The vendor was notified via email. 
> > Further discussion took place in 01 Security Sumbission's 
> > forum with the developer of Winrar (Eugene Roshal) : 
> > URL: 
> http://www.ysgnet.com/phorum/read.php?f=1&i=341&t=324#reply_34
1 
> 
> ---[about 01 security submission]---
> 01s.s is a small group having experience as security 
> specialists, programmers and system administrators
> http://www.ysgnet.com/hn.
> 
> 
> 
>        | .oÛ_Oo.h»UNTER.oO_Ûo. |
>       §  !¹007Õ°¿ÑïÞÎß°Õæ9*½¹!  ‡
> 
> _____________________________________________________________
> Secure mail ---> http://www.blackcode.com
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ