RE: [Full-Disclosure] Winrar doesn't determine the actual size of compressed files
- To: <door_hUNT3R@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: RE: [Full-Disclosure] Winrar doesn't determine the actual size of compressed files
- From: "Rainer Gerhards" <rgerhards@xxxxxxxxxxxxxx>
- Date: Tue, 9 Sep 2003 14:49:31 +0200
Tested with 3.20 - can't reproduce. It says "file is corrupt", I press "close"
- nothing happened.
Rainer
> -----Original Message-----
> From: Bipin Gautam [mailto:door_hUNT3R@xxxxxxxxxxxxxxxxx]
> Sent: Tuesday, September 09, 2003 1:02 PM
> To: full-disclosure@xxxxxxxxxxxxxxxx
> Subject: [Full-Disclosure] Winrar doesn't determine the
> actual size of compressed files
>
>
> ---[ about WinRAR]---
> Winrar (http://www.rarsoft.com/) is one of the most popular
> file compression utilities for Windows.
>
> --[summary]---
> Winrar incorrectly determines the actual size of compressed
> files saved in .rar format by reading its header information.
>
> --[details]--
> Recently we managed to devise a technique to spoof the header
> and create a valid CRC checksum. Later we found that Winrar
> only depends on its header information and CRC checksum to
> determine the size and integrity of .rar files. Before
> uncompressing .rar files, Winrar pre-allocates space
> according to the actual file size specified in the header to
> avoid fragmentation. But pre-allocation occurs without
> checking the available hdd space. Then it goes on extracting,
> even if the hdd size is less than the size of the files. We
> did a test by extracting 1GB files on a hdd with 700MB free space.
>
> Surprisingly, we later discovered that even on detecting
> header corruption WinRAR doesn't stop the extraction
> process. This leads WinRAR to believe that the actual size is
> correct. We managed to exploit this and create a proof of
> concept to demonstrate this problem by changing the actual
> file size in its header. When it starts extracting it
> doesn't find any valid data in the archive and on the basis
> of its header it attempts to extract 1 gigabyte of data and
> simply goes on writing "0x00", filling up valuable hdd space.
>
> --[Proof of concept]--
> The proof of concept is a valid .rar file which is just 100
> bytes but its header has been forged to fool Winrar into
> thinking that it's a 1 gigabyte file by forging its header
> and creating a valid CRC checksum. All versions of Winrar
> (up to 3.20 - latest version till date) seem to be vulnerable.
>
> The proof of concept of .rar file can be obtained from the
> following URL: http://www.geocities.com/visitbipin/test123.zip
> If you extract the file Winrar will try to extract this 100
> byte .rar file trusting the information in its header but
> not on the basis of its data integrity.
>
> --[Background Information]--
> This bug was originally discovered by hUNT3R, a member of 01
> Security Submission. The vendor was notified via email.
> Further discussion took place in 01 Security Submission's
> forum with the developer of Winrar (Eugene Roshal):
> URL: http://www.ysgnet.com/phorum/read.php?f=1&i=341&t=324#reply_341
>
> ---[about 01 security submission]---
> 01s.s is a small group with experience as security
> specialists, programmers and system administrators:
> http://www.ysgnet.com/hn.
>
>
>
> | .oÛ_Oo.h»UNTER.oO_Ûo. |
> § !¹007Õ°¿ÑïÞÎß°Õæ9*½¹! ‡
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
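The post describes WinRAR trusting two things in a .rar file before it pre-allocates and extracts: the size fields in the file header and the 16-bit header CRC, neither of which says anything about how much data actually follows or how much disk is free. The script below is an added example, not code from either poster or from RARLAB: it parses the RAR 2.x/3.x block chain (marker block, archive header, file header, end block, with the field layout from the published RAR 2.9 technote), recomputes each HEAD_CRC the way the format defines it, and then applies the checks the post says were missing before any extraction starts: declared unpacked size against free disk space, declared packed size against the bytes actually present, and an implausible expansion ratio. The two sample archives are constructed fixtures built by `sample_archive()`; they are not the proof-of-concept file linked in the post, and the 1000:1 ratio threshold is an arbitrary choice for the demonstration.

```python
"""Pre-extraction sanity checks for RAR 2.x/3.x archives (added example; field layout per
the RAR 2.9 technote; sample archives are constructed fixtures, not the post's PoC file)."""
import shutil
import struct
import zlib

MARKER = b"Rar!\x1a\x07\x00"   # RAR 1.5-4.x marker block
HEAD_ARCHIVE, HEAD_FILE, HEAD_END = 0x73, 0x74, 0x7B
LONG_BLOCK = 0x8000            # HEAD_FLAGS bit: ADD_SIZE present, data follows the header
LHD_LARGE = 0x0100             # file-header flag: 64-bit HIGH_PACK/HIGH_UNP fields present

def head_crc(body: bytes) -> int:
    """HEAD_CRC is the low 16 bits of CRC32 over every header byte after the CRC field."""
    return zlib.crc32(body) & 0xFFFF

def block(body: bytes) -> bytes:
    """Prefix a header body with its (correct) HEAD_CRC."""
    return struct.pack("<H", head_crc(body)) + body

def file_header(name: bytes, pack_size: int, unp_size: int) -> bytes:
    # HEAD_TYPE, FLAGS, HEAD_SIZE, PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME,
    # UNP_VER, METHOD (0x30 = stored), NAME_SIZE, ATTR, then FILE_NAME
    body = struct.pack("<BHHIIBIIBBHI", HEAD_FILE, LONG_BLOCK, 32 + len(name), pack_size,
                       unp_size, 0, 0, 0, 29, 0x30, len(name), 0x20) + name
    return block(body)

def sample_archive(name: bytes, unp_size: int, packed: bytes = b"\x00" * 8) -> bytes:
    """Constructed fixture: marker, archive header, one file entry, end block.
    The header CRCs verify whatever unp_size claims, as in the post's description."""
    archive_hdr = block(struct.pack("<BHHHI", HEAD_ARCHIVE, 0, 13, 0, 0))
    end_block = block(struct.pack("<BHH", HEAD_END, 0x4000, 7))
    return MARKER + archive_hdr + file_header(name, len(packed), unp_size) + packed + end_block

def parse_headers(data: bytes) -> list:
    """Walk the block chain, recomputing every HEAD_CRC and collecting file entries."""
    if not data.startswith(MARKER):
        raise ValueError("not a RAR archive")
    pos, entries = len(MARKER), []
    while pos + 7 <= len(data):
        stored_crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        body = data[pos + 2:pos + hsize]
        if len(body) != hsize - 2:
            raise ValueError("truncated header at offset %d" % pos)
        entry = {"type": htype, "offset": pos, "crc_ok": head_crc(body) == stored_crc}
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if flags & LONG_BLOCK else 0
        if htype == HEAD_FILE:
            pack_size, unp_size, _os, _crc, _time, _ver, _method, name_size, _attr = \
                struct.unpack_from("<IIBIIBBHI", data, pos + 7)
            name_off = pos + 32
            if flags & LHD_LARGE:
                high_pack, high_unp = struct.unpack_from("<II", data, name_off)
                pack_size |= high_pack << 32
                unp_size |= high_unp << 32
                name_off += 8
            entry.update(name=data[name_off:name_off + name_size].decode("latin-1"),
                         pack_size=pack_size, unp_size=unp_size,
                         present=len(data) - (pos + hsize))  # bytes left after the header
            add_size = pack_size
        entries.append(entry)
        pos += hsize + add_size
        if htype == HEAD_END:
            break
    return entries

def preflight(data: bytes, free_bytes: int, max_ratio: int = 1000) -> list:
    """Return findings a safe extractor should stop on; an empty list means 'go ahead'."""
    findings = []
    for e in parse_headers(data):
        if not e["crc_ok"]:
            findings.append("header CRC mismatch at offset %d" % e["offset"])
        if e["type"] != HEAD_FILE:
            continue
        if e["pack_size"] > e["present"]:
            findings.append("%s: header claims %d packed bytes, only %d present"
                            % (e["name"], e["pack_size"], e["present"]))
        if e["unp_size"] > free_bytes:
            findings.append("%s: declared size %d exceeds free space %d"
                            % (e["name"], e["unp_size"], free_bytes))
        if e["unp_size"] / max(e["pack_size"], 1) > max_ratio:
            findings.append("%s: implausible expansion %d -> %d bytes"
                            % (e["name"], e["pack_size"], e["unp_size"]))
    return findings

if __name__ == "__main__":
    free = shutil.disk_usage(".").free
    honest = sample_archive(b"notes.txt", 4096)          # 8 packed -> 4096 unpacked
    forged = sample_archive(b"test.bin", 1 << 30)        # 75-byte file claiming 1 GiB
    for label, data in (("honest", honest), ("forged", forged)):
        print(label, preflight(data, free) or "OK")
```

Run it in a directory with less than 1 GiB free and the forged fixture trips both the free-space and the expansion-ratio checks while its header CRCs still verify, which is the point: a correct CRC only proves the header was written consistently, not that the sizes in it are true. The free-space comparison is the single check that would have turned the behaviour in the post (pre-allocate, then write zeros until the disk is full) into a refusal before any file was created.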