[NT] WinRAR Buffer Overflow Vulnerability (Long Extension)
From: support@securiteam.com
Date: 01/23/03
- Previous message: support@securiteam.com: "[NEWS] Blackboard Password Retrieval (search.pl)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: 23 Jan 2003 15:10:01 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -
WinRAR Buffer Overflow Vulnerability (Long Extension)
------------------------------------------------------------------------
SUMMARY
<http://www.rarlab.com/> WinRAR is archive manager on Windows (GUI). When
WinRAR opens, an archive that includes the "long file extension" in
inside, buffer overflow occurs on the stack. This is a general exploitable
Buffer Overflow. If WinRAR user opens a malicious archive file, it has the
dangerous possibility, such as system destruction, virus infection, etc.
This vulnerability exists only in "winrar.exe", it is not command line
tool.
DETAILS
Vulnerable systems:
* WinRAR version 3.10 and prior
Immune systems:
* WinRAR version 3.11
When WinRAR opens an archive file, it displays the file list of archives
on a ListView Control Window.
If "long file extension" over 256 bytes exists in this file list, buffer
overflow occurs (May be not only inside of archives but also in general
files).
Then, RET address is in the offset of 260 from "." (Offset value includes
the first ".").
Further, the ESP register points to the address of the offset 264 from
".", next area of the RET address.
If RET address is overwritten at the address of the "jmp ESP" and the next
area was overwritten at an arbitrary binary code, the binary code can be
executed.
Note:
File extension is data that is start from 0x2e and exclude 0x2e, 0x2f,
0x5c, 0x00.
Case of offset 260, may be not enough size of using for binary code at
3.00en and 2.90.
However, offset that can control EIP exists yet, without 260. However,
those offset values are different per a version and language edition.
Version 3.00en, 2.90en and 2.90ja are 552, 3.00ja is 557, 3.10en is 692,
and 3.10ja is 697.
Vendor status:
<mailto:roshal@rarlab.com> Eugene Roshal released at 17 January 2003 new
version 3.11 of WinRAR which fixed this problem. Very fast response and
fix.
ADDITIONAL INFORMATION
The information has been provided by <mailto:nesumin@softhome.net>
nesumin.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Next message: support@securiteam.com: "[NT] Flaw in Outlook 2002's Way of Handling V1 Exchange Server Security Certificates Leads To Information Disclosure"
- Previous message: support@securiteam.com: "[NEWS] Blackboard Password Retrieval (search.pl)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
