Open Source and information security mailing list archives
From: door_hUNT3R at blackcodemail.com (Bipin Gautam)
Subject: Winrar doesn't determine the actual size of compressed files

I don't think so... even the developer agrees on the bug.
The discussion took place in 01 Security Submission's
forum with the developer of WinRAR (Eugene Roshal):
URL: http://www.ysgnet.com/phorum/read.php?f=1&i=341&t=324#reply_341

----------------------
Please redownload the file again!



--- "Rainer Gerhards" <rgerhards@...adiscon.com> wrote:
> Tested with 3.20 - can't reproduce. It says "file is corrupt", I press "close" - nothing happened....
>
> Rainer
>
>> -----Original Message-----
>> From: Bipin Gautam [mailto:door_hUNT3R@...ckcodemail.com] 
>> Sent: Tuesday, September 09, 2003 1:02 PM
>> To: full-disclosure@...ts.netsys.com
>> Subject: [Full-Disclosure] Winrar doesn't determine the actual size of compressed files
>> 
>> 
>> --[about WinRAR]--
>> WinRAR (http://www.rarsoft.com/) is one of the most popular 
>> file compression utilities for Windows. 
>> 
>> --[summary]--
>> WinRAR incorrectly determines the actual size of compressed 
>> files saved in .rar format by reading its header information. 
>> 
>> --[details]--
>> Recently we managed to devise a technique to spoof the header 
>> and create a valid CRC checksum. Later we found that WinRAR 
>> depends only on its header information and CRC checksum to 
>> determine the size and integrity of .rar files. Before 
>> uncompressing .rar files, WinRAR pre-allocates space 
>> according to the actual file size specified in the header to 
>> avoid fragmentation. But pre-allocation occurs without 
>> checking the available HDD space. Then it goes on extracting, 
>> even if the HDD size is less than the size of the files. We 
>> did a test by extracting 1GB files on an HDD with 700MB of free space.
>> 
>> Surprisingly, we later discovered that even on detecting 
>> header corruption WinRAR does not stop the extraction 
>> process. This leads WinRAR to believe that the actual size is 
>> correct. We managed to exploit this and create a proof of 
>> concept to demonstrate this problem by changing the actual 
>> file size in its header. When it starts extracting it 
>> doesn't find any valid data in the archive, and on the basis 
>> of its header it attempts to extract 1 gigabyte of data and 
>> simply goes on writing "0x00", filling up valuable HDD space. 
>> 
>> --[Proof of concept]-- 
>> The proof of concept is a valid .rar file which is just 100 
>> bytes, but its header has been forged to fool WinRAR into 
>> thinking that it's a 1 gigabyte file, by forging its header 
>> and creating a valid CRC checksum. All versions of WinRAR 
>> (up to 3.20, the latest version to date) seem to be vulnerable.
>> 
>> The proof of concept .rar file can be obtained from the 
>> following URL: http://www.geocities.com/visitbipin/test123.zip 
>> If you extract the file, WinRAR will try to extract this 100 
>> byte .rar file trusting the information in its header rather 
>> than its data integrity.
>> 
>> --[Background Information]--
>> This bug was originally discovered by hUNT3R, a member of 01 
>> Security Submission. The vendor was notified via email. 
>> Further discussion took place in 01 Security Submission's 
>> forum with the developer of WinRAR (Eugene Roshal): 
>> URL: http://www.ysgnet.com/phorum/read.php?f=1&i=341&t=324#reply_341 
>> 
>> --[about 01 Security Submission]--
>> 01s.s is a small group having experience as security 
>> specialists, programmers and system administrators. 
>> http://www.ysgnet.com/hn.
>> 
>> 
>> 
>> 

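The report above turns on an extractor trusting the UNP_SIZE field of a RAR file header whose HEAD_CRC has been recomputed to match. As an added example (not code from the post or from RARLAB), the Python below is a defender-side pre-extraction gate: it walks the RAR 1.5-4.x block headers, verifies each HEAD_CRC, and refuses archives whose declared unpacked size is implausible for the packed size or exceeds the free space handed in. The constructed archive bytes, the entry name and the 1000:1 ratio policy are assumptions; the header layout follows the RAR 2.9 technote.

```python
import struct
import zlib

MARKER = b"Rar!\x1a\x07\x00"          # RAR 1.5-4.x ("RAR 2.9") signature block
MAIN_HEAD, FILE_HEAD, LONG_BLOCK, METHOD_STORE = 0x73, 0x74, 0x8000, 0x30  # HEAD_TYPE / HEAD_FLAGS / METHOD

def head_crc(body: bytes) -> int:
    # HEAD_CRC is the low 16 bits of CRC32 over the header bytes after the CRC field
    return zlib.crc32(body) & 0xFFFF

def block(htype: int, flags: int, fields: bytes) -> bytes:
    body = struct.pack("<BHH", htype, flags, 7 + len(fields)) + fields
    return struct.pack("<H", head_crc(body)) + body

def sample_archive(pack_size: int = 4, unp_size: int = 1 << 30) -> bytes:
    # Constructed archive with one stored entry; by default UNP_SIZE is forged to 1 GiB
    fields = struct.pack("<IIBIIBBHI", pack_size, unp_size, 2, 0, 0, 29,
                         METHOD_STORE, 11, 0x20) + b"test123.bin"   # hypothetical name
    return (MARKER + block(MAIN_HEAD, 0, b"\0" * 6)
            + block(FILE_HEAD, LONG_BLOCK, fields) + b"\0" * pack_size)

def declared_entries(data: bytes):
    # Walk the block headers without extracting; returns ([(name, pack, unp, method)], problems)
    if not data.startswith(MARKER):
        raise ValueError("not a RAR 1.5-4.x archive")
    pos, entries, problems = len(MARKER), [], []
    while pos + 7 <= len(data):
        crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7 or pos + hsize > len(data):
            return entries, problems + [f"truncated header at offset {pos}"]
        if head_crc(data[pos + 2:pos + hsize]) != crc:
            problems.append(f"bad HEAD_CRC on block 0x{htype:02x} at offset {pos}")
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if flags & LONG_BLOCK else 0
        if htype == FILE_HEAD and hsize >= 32:   # LHD_LARGE 64-bit sizes not handled here
            pack, unp, _, _, _, _, method, nlen = struct.unpack_from("<IIBIIBBH", data, pos + 7)
            entries.append((data[pos + 32:pos + 32 + nlen].decode("latin-1"), pack, unp, method))
            add_size = pack                      # packed data directly follows the header
        pos += hsize + add_size
    return entries, problems

def check_archive(data: bytes, free_bytes: int, max_ratio: int = 1000):
    # Gate to run before extraction; max_ratio is an assumed site policy, not a RAR limit
    entries, problems = declared_entries(data)
    for name, pack, unp, method in entries:
        implausible = pack != unp if method == METHOD_STORE else unp > pack * max_ratio
        if implausible:
            problems.append(f"{name}: PACK_SIZE {pack} vs UNP_SIZE {unp} is implausible")
    if (total := sum(e[2] for e in entries)) > free_bytes:
        problems.append(f"declared {total} bytes but only {free_bytes} bytes free")
    return not problems, problems
```

With 700 MB of free space, the forged sample is rejected for both the stored-size mismatch and the free-space shortfall, while the same archive with PACK_SIZE equal to UNP_SIZE passes.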

