
[Full-Disclosure] Winrar doesn't determine the actual size of compressed files



---[about WinRAR]---
Winrar (http://www.rarsoft.com/) is one of the most popular file compression 
utilities for Windows. 

--[summary]---
Winrar incorrectly determines the actual size of compressed files saved in .rar 
format by reading its header information. 

--[details]--
Recently we managed to devise a technique to spoof the header and create a 
valid CRC checksum. Later we found that Winrar only depends on its header 
information and CRC checksum to determine the size and integrity of .rar 
files. Before uncompressing .rar files, Winrar pre-allocates space according to 
the actual file size specified in the header to avoid fragmentation. But 
pre-allocation occurs without checking the available hdd space. It then proceeds 
with extraction, even if the free hdd space is less than the size of the files. 
We did a test by extracting 1GB files on an hdd with 700MB free space.

Surprisingly, we later discovered that even when it detects header corruption, 
WinRAR does not abort the extraction process; this leads WinRAR to believe 
that the size given in the header is correct. We managed to exploit this and create 
a proof of concept to demonstrate this problem by changing the actual file size in its 
header. When it starts extracting it doesn't find any valid data in the archive, 
and on the basis of its header it attempts to extract 1 gigabyte of data and 
simply goes on writing "0x00", filling up valuable hdd space. 

--[Proof of concept]-- 
The proof of concept is a valid .rar file which is just 100 bytes, but its 
header has been forged to fool Winrar into thinking that it is a 1 gigabyte file, 
by forging its header and creating a valid CRC checksum. All versions of 
Winrar (up to 3.20, the latest version to date) seem to be vulnerable.

The proof of concept .rar file can be obtained from the following URL: 
http://www.geocities.com/visitbipin/test123.zip 
If you extract the file, Winrar will try to extract this 100-byte .rar file, 
trusting the information in its header rather than checking the integrity of 
its data.
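As an added defender-side example (not code from this advisory or from the Winrar developers), the following Python walks the RAR 3.x block headers the way the advisory describes WinRAR reading them, verifies each block's HEAD_CRC, and refuses extraction when the claimed unpacked size exceeds the free disk space or is wildly out of proportion to the packed data. The `sample_archive` fixture is a constructed in-memory archive mirroring the described 100-byte file with a 1 GB claim; the field offsets assume the RAR 2.9/3.x header layout, which the advisory itself does not spell out.

```python
import struct
import zlib

RAR_MARKER = b"Rar!\x1a\x07\x00"     # RAR 2.x/3.x marker block
MAIN_HEAD, FILE_HEAD = 0x73, 0x74      # HEAD_TYPE values
LONG_BLOCK, LHD_LARGE = 0x8000, 0x100  # ADD_SIZE data follows; 64-bit sizes present
NAME, PAYLOAD = b"test.bin", bytes(16) # constructed fixture content

def scan_rar(data):
    """Walk the block headers; return (all_header_crcs_ok, total_packed, total_unpacked)."""
    if not data.startswith(RAR_MARKER):
        raise ValueError("not a RAR 2.x/3.x archive")
    pos, crc_ok, packed, unpacked = len(RAR_MARKER), True, 0, 0
    while pos + 7 <= len(data):
        head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7 or pos + head_size > len(data):
            return False, packed, unpacked  # truncated or nonsense header
        # HEAD_CRC is the low 16 bits of CRC32 over HEAD_TYPE .. end of header
        if zlib.crc32(data[pos + 2:pos + head_size]) & 0xFFFF != head_crc:
            crc_ok = False
        if head_type == FILE_HEAD:
            pack, unp = struct.unpack_from("<II", data, pos + 7)
            if flags & LHD_LARGE:
                hi_pack, hi_unp = struct.unpack_from("<II", data, pos + 32)
                pack, unp = pack | hi_pack << 32, unp | hi_unp << 32
            packed, unpacked, head_size = packed + pack, unpacked + unp, head_size + pack
        elif flags & LONG_BLOCK:
            head_size += struct.unpack_from("<I", data, pos + 7)[0]
        pos += head_size
    return crc_ok, packed, unpacked

def extraction_risk(data, free_bytes, max_ratio=1000):
    """Pre-flight check: corrupt headers, claims beyond free space, bomb-like ratios."""
    crc_ok, packed, unpacked = scan_rar(data)
    checks = [(not crc_ok, "header CRC mismatch"),
              (unpacked > free_bytes, "claimed %d bytes > %d free" % (unpacked, free_bytes)),
              (unpacked > max_ratio * max(packed, 1), "unpacked/packed ratio above %d" % max_ratio)]
    return [msg for bad, msg in checks if bad]

def _block(head_type, flags, fields, payload=b""):
    body = struct.pack("<BHH", head_type, flags, 7 + len(fields)) + fields  # HEAD_TYPE..end
    return struct.pack("<H", zlib.crc32(body) & 0xFFFF) + body + payload

def sample_archive(claimed_unp_size):
    """Constructed test archive: main header plus one stored 16-byte file claiming claimed_unp_size."""
    fields = struct.pack("<IIBIIBBHI", len(PAYLOAD), claimed_unp_size, 0,
                         zlib.crc32(PAYLOAD), 0, 29, 0x30, len(NAME), 0x20) + NAME
    return RAR_MARKER + _block(MAIN_HEAD, 0, bytes(6)) + _block(FILE_HEAD, LONG_BLOCK, fields, PAYLOAD)
```

Running `extraction_risk(sample_archive(1 << 30), 700 * 2 ** 20)` reproduces the advisory's scenario (a 1 GB claim against 700 MB free) and returns both the free-space and ratio findings, while a header whose claimed size matches its 16-byte payload returns none.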

--[Background Information]--
This bug was originally discovered by hUNT3R, a member of 01 Security 
Submission. The vendor was notified via email. Further discussion took place in 
01 Security Submission's forum with the developer of Winrar (Eugene Roshal): 
URL: http://www.ysgnet.com/phorum/read.php?f=1&i=341&t=324#reply_341 

---[about 01 security submission]---
01s.s is a small group with experience as security specialists, programmers 
and system administrators:
http://www.ysgnet.com/hn.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html