Message-ID: <20030909182930.5CD6B440E@sitemail.everyone.net>
From: door_hUNT3R at blackcodemail.com (Bipin Gautam)
Subject: Winrar doesn't determine the actual size of compressed files
I don't think so... even the developer agrees on the bug... discussion took place in 01 Security Submission's
forum with the developer of Winrar (Eugene Roshal):
URL: http://www.ysgnet.com/phorum/read.php?f=1&i=341&t=324#reply_341
----------------------
Please redownload the file again!
--- "Rainer Gerhards" <rgerhards@...adiscon.com> wrote:
>tested with 3.20 - can't reproduce. It says "file is corrupt", I press "close" - nothing happened....
>
>Rainer
>
>> -----Original Message-----
>> From: Bipin Gautam [mailto:door_hUNT3R@...ckcodemail.com]
>> Sent: Tuesday, September 09, 2003 1:02 PM
>> To: full-disclosure@...ts.netsys.com
>> Subject: [Full-Disclosure] Winrar doesn't determine the
>> actual size of compressed files
>>
>>
>> ---[ about WinRAR]---
>> Winrar (http://www.rarsoft.com/) is one of the most popular
>> file compression utilities for Windows.
>>
>> --[summary]---
>> Winrar incorrectly determines the actual size of compressed
>> files saved in .rar format by reading its header information.
>>
>> --[details]--
>> Recently we managed to devise a technique to spoof the header
>> and create a valid CRC checksum. Later we found that Winrar
>> only depends on its header information and CRC checksum to
>> determine the size and integrity of .rar files. Before
>> uncompressing .rar files, Winrar pre-allocates space
>> according to the actual file size specified in the header to
>> avoid fragmentation. But pre-allocation occurs without
>> checking the available hdd space. Then it goes on extracting,
>> even if the free hdd space is less than the size of the files. We
>> did a test by extracting 1GB files on a hdd with 700MB free space.
>>
>> Surprisingly, we later discovered that even on detecting
>> header corruption WinRAR does not abort the extraction
>> process. This leads WinRAR to believe that the actual size is
>> correct. We managed to exploit this and create a proof of
>> concept to demonstrate this problem by changing the actual
>> file size in its header. When it starts extracting it
>> doesn't find any valid data in the archive and on the basis
>> of its header it attempts to extract 1 gigabyte of data and
>> simply goes on writing "0x00", filling up valuable hdd space.
>>
>> --[Proof of concept]--
>> The proof of concept is a valid .rar file which is just 100
>> bytes but its header has been forged to fool Winrar into
>> thinking that it's a 1 gigabyte file by forging its header
>> and creating a valid CRC checksum. All versions of Winrar
>> (up to 3.20 - latest version till date) seem to be vulnerable.
>>
>> The proof of concept .rar file can be obtained from the
>> following URL: http://www.geocities.com/visitbipin/test123.zip
>> If you extract the file Winrar will try to extract this 100
>> byte .rar file trusting the information in its header but
>> not on the basis of its data integrity.
>>
>> --[Background Information]--
>> This bug was originally discovered by hUNT3R, a member of 01
>> Security Submission. The vendor was notified via email.
>> Further discussion took place in 01 Security Submission's
>> forum with the developer of Winrar (Eugene Roshal):
>> URL: http://www.ysgnet.com/phorum/read.php?f=1&i=341&t=324#reply_341
>>
>> ---[about 01 security submission]---
>> 01s.s is a small group having experience as security
>> specialists, programmers and system administrators
>> http://www.ysgnet.com/hn.
>>
>> _____________________________________________________________
>> Secure mail ---> http://www.blackcode.com
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.netsys.com/full-disclosure-charter.html
>>
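An added pre-extraction check, not part of this thread or of WinRAR's code, illustrating the mitigation the report implies: read the unpacked sizes the RAR 2.x/3.x file headers declare and refuse to extract when they exceed the destination's free space (or an implausible compression ratio) before any space is pre-allocated. The header layout follows the published RAR 2.9 format; the sample archive is constructed inside the block and contains no real compressed data.

```python
import struct

RAR_MARKER = b"Rar!\x1a\x07\x00"   # RAR 2.x/3.x marker block
ARCHIVE_HEAD, FILE_HEAD = 0x73, 0x74
LONG_BLOCK = 0x8000                 # header is followed by ADD_SIZE bytes of data
LHD_LARGE = 0x0100                  # file header carries 64-bit size extensions

def declared_unpacked_size(data: bytes) -> int:
    """Sum the UNP_SIZE fields of all file headers without decompressing anything."""
    if not data.startswith(RAR_MARKER):
        raise ValueError("not a RAR archive")
    pos, total = len(RAR_MARKER), 0
    while pos + 7 <= len(data):
        # HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2); the CRC is deliberately
        # not relied on: a forged header can carry a correct CRC, as the report shows
        head_type, flags, head_size = struct.unpack_from("<xxBHH", data, pos)
        if head_size < 7:
            raise ValueError("malformed header")
        if head_type == FILE_HEAD:
            pack_size, unp_size = struct.unpack_from("<II", data, pos + 7)
            if flags & LHD_LARGE:
                high_pack, high_unp = struct.unpack_from("<II", data, pos + 32)
                pack_size |= high_pack << 32
                unp_size |= high_unp << 32
            total += unp_size
            pos += head_size + pack_size
        else:
            add = struct.unpack_from("<I", data, pos + 7)[0] if flags & LONG_BLOCK else 0
            pos += head_size + add
    return total

def safe_to_extract(data: bytes, free_bytes: int, max_ratio: int = 1000) -> tuple[bool, str]:
    """Policy check to run before pre-allocating or writing a single byte."""
    declared = declared_unpacked_size(data)
    if declared > free_bytes:
        return False, f"header claims {declared} bytes, only {free_bytes} free"
    if declared > max_ratio * len(data):
        return False, f"claimed ratio {declared // len(data)}:1 exceeds {max_ratio}:1 cap"
    return True, "ok"

def build_sample(unp_size: int, pack_size: int) -> bytes:
    """Constructed test archive (no real compressed data): marker, archive header and one
    file header whose UNP_SIZE claims `unp_size`; HEAD_CRC fields are left as zero."""
    name = b"test.bin"
    archive_head = struct.pack("<HBHH", 0, ARCHIVE_HEAD, 0, 13) + b"\x00" * 6
    file_head = struct.pack("<HBHHIIBIIBBHI", 0, FILE_HEAD, 0, 32 + len(name),
                            pack_size, unp_size, 2, 0, 0, 29, 0x30, len(name), 0x20) + name
    return RAR_MARKER + archive_head + file_head + b"\x00" * pack_size
```

Pass `shutil.disk_usage(dest).free` as `free_bytes` for a real destination. The ratio cap is a policy choice; highly redundant data can legitimately exceed it, so tune it to the environment.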