RE: [Full-Disclosure] Winrar doesn't determine the actual size of compressed files
- To: rgerhards@xxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx
- Subject: RE: [Full-Disclosure] Winrar doesn't determine the actual size of compressed files
- From: Bipin Gautam <door_hUNT3R@xxxxxxxxxxxxxxxxx>
- Date: Tue, 9 Sep 2003 11:29:29 -0700 (PDT)
i don't think so... even the developer agrees on the bug...
discussion took place in 01 Security Submission's
> forum with the developer of Winrar (Eugene Roshal) :
> URL: http://www.ysgnet.com/phorum/read.php?f=1&i=341&t=324#reply_341
----------------------
please redownload the file again!
| .oÛ_Oo.h»UNTER.oO_Ûo. |
§ !¹007Õ°¿ÑïÞÎß°Õæ9*½¹!
--- "Rainer Gerhards" <rgerhards@xxxxxxxxxxxxxx> wrote:
>tested with 3.20 - can't reproduce. It says "file is corrupt", I press "close"
>- nothing happened....
>
>Rainer
>
>> -----Original Message-----
>> From: Bipin Gautam [mailto:door_hUNT3R@xxxxxxxxxxxxxxxxx]
>> Sent: Tuesday, September 09, 2003 1:02 PM
>> To: full-disclosure@xxxxxxxxxxxxxxxx
>> Subject: [Full-Disclosure] Winrar doesn't determine the
>> actual size of compressed files
>>
>>
>> ---[ about WinRAR]---
>> Winrar (http://www.rarsoft.com/) is one of the most popular
>> file compression utilities for Windows.
>>
>> --[summary]---
>> Winrar incorrectly determines the actual size of compressed
>> files saved in .rar format by reading its header information.
>>
>> --[details]--
>> Recently we managed to devise a technique to spoof the header
>> and create a valid CRC checksum. Later we found that Winrar
>> only depends on its header information and CRC checksum to
>> determine the size and integrity of .rar files. Before
>> uncompressing .rar files, Winrar pre-allocates space
>> according to the actual file size specified in the header to
>> avoid fragmentation. But pre-allocation occurs without
>> checking the available hdd space. Then it goes on extracting,
>> even if the hdd size is less than the size of the files. We
>> did a test by extracting 1GB files in a hdd with 700MB free space.
>>
>> Surprisingly, we later discovered that even on detecting
>> header corruption WinRAR doesn't abort the extraction
>> process. This led WinRAR to believe that the actual size is
>> correct. We managed to exploit this and create a proof of
>> concept to demonstrate this problem by changing the actual
>> file size in its header. When it starts extracting it
>> doesn't find any valid data in the archive and on the basis
>> of its header it attempts to extract 1 gigabyte of data and
>> simply goes on writing "0x00", filling up valuable hdd space.
>>
>> --[Proof of concept]--
>> The proof of concept is a valid .rar file which is just 100
>> bytes but its header has been forged to fool Winrar into
>> thinking that it's a 1 gigabyte file by forging its header
>> and creating a valid CRC checksum. All versions of Winrar
>> (up to 3.20 - latest version till date) seem to be vulnerable.
>>
>> The proof of concept of .rar file can be obtained from the
>> following URL: http://www.geocities.com/visitbipin/test123.zip
>> If you extract the file Winrar will try to extract this 100
>> byte .rar file trusting the information in its header but
>> not on the basis of its data integrity.
>>
>> --[Background Information]--
>> This bug was originally discovered by hUNT3R, a member of 01
>> Security Submission. The vendor was notified via email.
>> Further discussion took place in 01 Security Submission's
>> forum with the developer of Winrar (Eugene Roshal) :
>> URL: http://www.ysgnet.com/phorum/read.php?f=1&i=341&t=324#reply_341
>>
>> ---[about 01 security submission]---
>> 01s.s is a small group with experience as security
>> specialists, programmers and system administrators
>> http://www.ysgnet.com/hn.
>>
>>
>>
>> | .oÛ_Oo.h»UNTER.oO_Ûo. |
>> § !¹007Õ°¿ÑïÞÎß°Õæ9*½¹! ‡
>>
>> _____________________________________________________________
>> Secure mail ---> http://www.blackcode.com
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.netsys.com/full-disclosure-charter.html
>>
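The advisory above describes an extractor that trusts the unpacked size written in a RAR file header (plus a recomputed header CRC) and pre-allocates that much disk space without checking what is free. The following is an added example, not code from the advisory, from 01 Security Submission or from RARLAB: a pre-extraction sanity check for the RAR 2.9/3.x block format ("Rar!\x1a\x07\x00" marker, 7-byte block base header, file header type 0x74). It parses each file header, verifies the 16-bit header CRC, refuses to extract when the declared unpacked size exceeds the destination's free space or when a "stored" entry's packed and unpacked sizes disagree, and flags implausible compression ratios. The sample archive bytes, the file name `test.bin`, the 1 GiB declared size and the 1000:1 ratio threshold are constructed for the example; `check_file` is a hypothetical wrapper around `shutil.disk_usage`.

```python
"""Pre-extraction sanity check for RAR 2.9/3.x archives (added example).

Field layout follows the RAR 2.9 block format: HEAD_CRC(2) HEAD_TYPE(1)
HEAD_FLAGS(2) HEAD_SIZE(2), then for file headers PACK_SIZE(4) UNP_SIZE(4)
HOST_OS(1) FILE_CRC(4) FTIME(4) UNP_VER(1) METHOD(1) NAME_SIZE(2) ATTR(4),
optional 64-bit size extensions, then the file name. Sample bytes below are
constructed in-line so the script runs offline.
"""
import shutil
import struct
import zlib

RAR_MARKER = b"Rar!\x1a\x07\x00"   # RAR 1.5 - 4.x marker block
MAIN_HEAD = 0x73
FILE_HEAD = 0x74
LONG_BLOCK = 0x8000                 # block is followed by ADD_SIZE bytes of data
LHD_LARGE = 0x0100                  # 64-bit HIGH_PACK_SIZE / HIGH_UNP_SIZE present
METHOD_STORED = 0x30
FILE_BASE = struct.Struct("<IIBIIBBHI")   # 25-byte fixed part of a file header


def head_crc(block_after_crc: bytes) -> int:
    """RAR3 HEAD_CRC: low 16 bits of CRC32 over the block with the CRC field removed."""
    return zlib.crc32(block_after_crc) & 0xFFFF


def build_block(head_type: int, flags: int, body: bytes) -> bytes:
    """Assemble one block; HEAD_SIZE counts the 7-byte base header plus body."""
    rest = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
    return struct.pack("<H", head_crc(rest)) + rest


def build_sample_archive(declared_unp_size: int, payload: bytes) -> bytes:
    """Constructed fixture (not the advisory's PoC): one stored entry whose header
    claims declared_unp_size no matter how much data actually follows."""
    main = build_block(MAIN_HEAD, 0, b"\x00" * 6)          # HighPosAV + PosAV, unused
    name = b"test.bin"                                      # constructed name
    body = FILE_BASE.pack(len(payload), declared_unp_size, 2,  # HOST_OS 2 = Windows
                          zlib.crc32(payload) & 0xFFFFFFFF, 0, 29,
                          METHOD_STORED, len(name), 0x20) + name
    return RAR_MARKER + main + build_block(FILE_HEAD, LONG_BLOCK, body) + payload


def parse_file_headers(data: bytes) -> list:
    """Walk the block chain and return one dict per file header. Sizes are read,
    never acted on, so a forged UNP_SIZE cannot make this function allocate."""
    if not data.startswith(RAR_MARKER):
        raise ValueError("not a RAR 2.9/3.x archive")
    entries, pos = [], len(RAR_MARKER)
    while pos + 7 <= len(data):
        crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7 or pos + hsize > len(data):
            raise ValueError(f"truncated or malformed block at offset {pos}")
        crc_ok = head_crc(data[pos + 2:pos + hsize]) == crc
        add_size = 0
        if htype == FILE_HEAD:
            pack, unp, _os, _fcrc, _ftime, _ver, method, name_len, _attr = \
                FILE_BASE.unpack_from(data, pos + 7)
            off = pos + 7 + FILE_BASE.size
            if flags & LHD_LARGE:
                high_pack, high_unp = struct.unpack_from("<II", data, off)
                pack |= high_pack << 32
                unp |= high_unp << 32
                off += 8
            name = data[off:off + name_len].decode("latin-1", "replace")
            entries.append({"name": name, "pack_size": pack, "unp_size": unp,
                            "method": method, "crc_ok": crc_ok})
            add_size = pack                      # packed data follows the header
        elif flags & LONG_BLOCK:
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        pos += hsize + add_size
    return entries


def check_before_extract(data: bytes, free_bytes: int, max_ratio: int = 1000) -> list:
    """Return (severity, message) findings; any 'refuse' means do not extract."""
    findings = []
    for e in parse_file_headers(data):
        n = e["name"]
        if not e["crc_ok"]:
            findings.append(("refuse", f"{n}: header CRC mismatch, header was altered"))
        if e["unp_size"] > free_bytes:
            findings.append(("refuse", f"{n}: declares {e['unp_size']} bytes, only {free_bytes} free"))
        if e["method"] == METHOD_STORED and e["pack_size"] != e["unp_size"]:
            findings.append(("refuse", f"{n}: stored entry but packed {e['pack_size']} != unpacked {e['unp_size']}"))
        ratio = e["unp_size"] // max(e["pack_size"], 1)
        if ratio > max_ratio:
            findings.append(("warn", f"{n}: {ratio}:1 expansion exceeds {max_ratio}:1"))
    return findings


def check_file(path: str, dest_dir: str = ".") -> list:
    """Hypothetical wrapper: run the check against the destination volume's free space."""
    with open(path, "rb") as fh:
        return check_before_extract(fh.read(), shutil.disk_usage(dest_dir).free)


if __name__ == "__main__":
    sample = build_sample_archive(1 << 30, b"hello")   # ~65 bytes claiming 1 GiB
    for sev, msg in check_before_extract(sample, free_bytes=700 * 2 ** 20):
        print(sev.upper(), msg)
```

Two caveats. A recomputed header CRC, as the advisory describes, passes the CRC check by design, so the free-space comparison and the stored-size consistency check are the controls that actually stop the write-zeros-until-full behaviour. And the ratio check is only a warning: RAR legitimately packs long runs of identical bytes far tighter than 1000:1, so treating a high ratio as proof of tampering would reject real archives.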