From: Bojan.Zdrnja at LSS.hr (Bojan Zdrnja)
Subject: Winrar doesn't determine the actual size of compressed files

This looks very bad to me. I've tested it on a Linux machine with unrar 2.71,
which comes with most distributions. The same unrar binary is used by the
anti-virus scanner. The result is the following:

$ unrar x -v test123.rar

UNRAR 2.71 freeware      Copyright (c) 1993-2000 Eugene Roshal

Extracting from test123.rar

Extracting  MAIL.DWN
MAIL.DWN - CRC failed
Total errors: 1

As the CRC failed, unrar will delete this file immediately, but during the
extraction it'll create a nice 1GB file. As I wrote above, the same unrar
binary is used by the anti-virus scanner (amavisd-new in this case), so this
creates a very nasty possibility of a DoS attack on servers.

The solution is to download and install the latest version from WinRAR's
website:
http://www.rarlab.com/rar_add.htm

Particularly, for Unix/Linux get its source:
http://www.rarlab.com/rar/unrarsrc-3.2.3.tar.gz

Regards,

Bojan Zdrnja

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> Rainer Gerhards
> Sent: Wednesday, 10 September 2003 12:46 a.m.
> To: door_hUNT3R@...ckcodemail.com; full-disclosure@...ts.netsys.com
> Cc: Andre Lorbach
> Subject: RE: [Full-Disclosure] Winrar doesn't determine the
> actual size of compressed files
>
>
> This could have very bad implications on anti-virus software
> that extracts rar files. As a DoS, you could send, well, some
> copies of the 100 byte file... I'll try to see if that works
> with some of the stuff that we have. If it is not just
> WinRar, this could be *really* bad...
>
> Rainer
>
> > -----Original Message-----
> > From: Bipin Gautam [mailto:door_hUNT3R@...ckcodemail.com]
> > Sent: Tuesday, September 09, 2003 1:02 PM
> > To: full-disclosure@...ts.netsys.com
> > Subject: [Full-Disclosure] Winrar doesn't determine the
> > actual size of compressed files
> >
> >
> > ---[ about WinRAR]---
> > Winrar (http://www.rarsoft.com/) is one of the most popular
> > file compression utilities for Windows.
> >
> > --[summary]---
> > Winrar incorrectly determines the actual size of compressed
> > files saved in .rar format by reading its header information.
> >
> > --[details]--
> > Recently we managed to devise a technique to spoof the header
> > and create a valid CRC checksum. Later we found that Winrar
> > only depends on its header information and CRC checksum to
> > determine the size and integrity of .rar files. Before
> > uncompressing .rar files, Winrar pre-allocates space
> > according to the actual file size specified in the header to
> > avoid fragmentation. But pre-allocation occurs without
> > checking the available hdd space. Then it goes on extracting,
> > even if the hdd size is less than the size of the files. We
> > did a test by extracting 1GB files on a hdd with 700MB free space.
> >
> > Surprisingly, we later discovered that even on detecting
> > header corruption WinRAR doesn't stop the extraction
> > process. This leads WinRAR to believe that the actual size is
> > correct. We managed to exploit this and create a proof of
> > concept to demonstrate this problem by changing the actual
> > file size in its header. When it starts extracting it
> > doesn't find any valid data in the archive and on the basis
> > of its header it attempts to extract 1 gigabyte of data and
> > simply goes on writing "0x00", filling up valuable hdd space.
> >
> > --[Proof of concept]--
> > The proof of concept is a valid .rar file which is just 100
> > bytes, but its header has been forged to fool Winrar into
> > thinking that it's a 1 gigabyte file by forging its header
> > and creating a valid CRC checksum. All versions of Winrar
> > (up to 3.20, the latest version to date) seem to be vulnerable.
> >
> > The proof of concept .rar file can be obtained from the
> > following URL: http://www.geocities.com/visitbipin/test123.zip
> > If you extract the file, Winrar will try to extract this 100
> > byte .rar file trusting the information in its header but
> > not on the basis of its data integrity.
> >
> > --[Background Information]--
> > This bug was originally discovered by hUNT3R, a member of 01
> > Security Submission. The vendor was notified via email.
> > Further discussion took place in 01 Security Submission's
> > forum with the developer of Winrar (Eugene Roshal):
> > URL: http://www.ysgnet.com/phorum/read.php?f=1&i=341&t=324#reply_341
> >
> > ---[about 01 security submission]---
> > 01s.s is a small group having experience as security
> > specialists, programmers and system administrators
> > http://www.ysgnet.com/hn.
> >
> > _____________________________________________________________
> > Secure mail ---> http://www.blackcode.com
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
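The failure the thread describes is that unrar trusted the unpacked size declared in the file header and wrote that much data out before the CRC check had a chance to reject the entry. A mail scanner front-end can refuse an archive on its headers alone, before ever invoking unrar. The following is an added example, not code from the thread, from unrar or from any of the posters: it walks the RAR 2.x/3.x block headers (the layout, header-CRC rule and flag values are assumptions of this example based on the published format description, not something the thread states), verifies each header CRC, sums the declared unpacked sizes, and compares them against a policy ceiling, the free space on the destination, and a declared-to-packed ratio limit. The sample archive is constructed inside the block and is not the test123.rar from the post.

```python
import shutil
import struct
import zlib

# RAR 2.x/3.x block layout as assumed by this example: every block starts with
# HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2); the 7-byte signature is
# itself the marker block.
RAR3_SIGNATURE = b"Rar!\x1a\x07\x00"
MAIN_HEAD, FILE_HEAD = 0x73, 0x74
LONG_BLOCK = 0x8000   # HEAD_FLAGS: an ADD_SIZE field follows HEAD_SIZE
LHD_LARGE = 0x0100    # file header carries high 32 bits of both sizes

# PACK_SIZE UNP_SIZE HOST_OS FILE_CRC FTIME UNP_VER METHOD NAME_SIZE ATTR
FILE_HEAD_FIXED = "<IIBIIBBHI"


def header_crc_ok(block: bytes) -> bool:
    """HEAD_CRC is the low 16 bits of CRC32 over the header bytes after it."""
    stored = struct.unpack_from("<H", block, 0)[0]
    return stored == (zlib.crc32(block[2:]) & 0xFFFF)


def iter_file_headers(data: bytes):
    """Yield (name, packed_size, declared_unpacked_size) per file header,
    skipping over payloads without decompressing anything."""
    if not data.startswith(RAR3_SIGNATURE):
        raise ValueError("not a RAR 2.x/3.x archive")
    pos = len(RAR3_SIGNATURE)
    while pos + 7 <= len(data):
        _, head_type, head_flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7 or pos + head_size > len(data):
            raise ValueError("truncated or malformed block header at offset %d" % pos)
        block = data[pos:pos + head_size]
        if not header_crc_ok(block):
            raise ValueError("header CRC mismatch at offset %d" % pos)
        add_size = 0
        if head_flags & LONG_BLOCK:
            add_size = struct.unpack_from("<I", block, 7)[0]
        if head_type == FILE_HEAD:
            off = 7 + struct.calcsize(FILE_HEAD_FIXED)
            if head_size < off:
                raise ValueError("short file header at offset %d" % pos)
            (pack_size, unp_size, _os, _crc, _time, _ver, _method,
             name_size, _attr) = struct.unpack_from(FILE_HEAD_FIXED, block, 7)
            if head_flags & LHD_LARGE:
                high_pack, high_unp = struct.unpack_from("<II", block, off)
                pack_size |= high_pack << 32
                unp_size |= high_unp << 32
                off += 8
            name = block[off:off + name_size].decode("latin-1")
            yield name, pack_size, unp_size
            add_size = pack_size      # payload follows the header
        pos += head_size + add_size


def assess_archive(data: bytes, max_total_unpacked: int, free_bytes: int,
                   max_ratio: float = 1000.0) -> dict:
    """Decide from headers alone whether handing the archive to an extractor
    could exhaust disk space; every limit here is a policy choice."""
    total, findings = 0, []
    for name, packed, declared in iter_file_headers(data):
        total += declared
        ratio = declared / max(packed, 1)
        if ratio > max_ratio:
            findings.append("%s: declares %d bytes from %d packed (ratio %.0f)"
                            % (name, declared, packed, ratio))
    if total > max_total_unpacked:
        findings.append("declared total %d exceeds policy limit %d" % (total, max_total_unpacked))
    if total > free_bytes:
        findings.append("declared total %d exceeds free space %d" % (total, free_bytes))
    return {"declared_total": total, "safe": not findings, "findings": findings}


def build_sample_archive(name: bytes, packed: bytes, declared_unp_size: int) -> bytes:
    """Constructed test input: well-formed headers (correct HEAD_CRCs) around an
    arbitrary payload, with UNP_SIZE set to whatever the caller claims."""
    def block(head_type: int, flags: int, body: bytes) -> bytes:
        tail = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
        return struct.pack("<H", zlib.crc32(tail) & 0xFFFF) + tail

    flags = LONG_BLOCK
    fixed = struct.pack(FILE_HEAD_FIXED, len(packed) & 0xFFFFFFFF,
                        declared_unp_size & 0xFFFFFFFF, 0, 0, 0, 29, 0x30, len(name), 0x20)
    if declared_unp_size >> 32 or len(packed) >> 32:
        flags |= LHD_LARGE
        fixed += struct.pack("<II", len(packed) >> 32, declared_unp_size >> 32)
    main_head = block(MAIN_HEAD, 0, b"\x00" * 6)    # RESERVED1 + RESERVED2
    return RAR3_SIGNATURE + main_head + block(FILE_HEAD, flags, fixed + name) + packed


if __name__ == "__main__":
    # An 80-byte archive whose single entry claims to unpack to 1 GiB.
    forged = build_sample_archive(b"MAIL.DWN", b"\x00" * 20, 1 << 30)
    verdict = assess_archive(forged, max_total_unpacked=100 * 2**20,
                             free_bytes=shutil.disk_usage(".").free)
    print(verdict)
```

Run this before the scanner invokes unrar and drop or quarantine anything that comes back with `safe` false; the free-space comparison should use the extraction directory, not the current directory, in a real deployment. The check is conservative on purpose: a header that declares more output than the policy allows is rejected whether or not the payload is genuine, which is exactly the case a forged UNP_SIZE produces.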