[NT] WinRAR Format String and Buffer Overflow Vulnerabilities

• Previous message: SecuriTeam: "[UNIX] Realplayer/Helixplayer Format String Paper"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 11 Oct 2005 18:09:28 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  WinRAR Format String and Buffer Overflow Vulnerabilities
------------------------------------------------------------------------

SUMMARY

Secunia Research has discovered two vulnerabilities in WinRAR, which can
be exploited by malicious people to compromise a user's system.

DETAILS

Vulnerable Systems:
 * WinRAR version 3.50

Immune Systems:
 * WinRAR version 3.51

1) A format string error exists when displaying a diagnostic error message
that informs the user of an invalid filename in an UUE/XXE encoded file.
This can be exploited to execute arbitrary code when a malicious UUE/XXE
file is decoded.

Proof of Concept:
The following file will trigger the format string vulnerability in WinRAR
begin 644 %0.8x.%0.8x.%0.8x.%0.8x.%0.8xAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
`
end

2) A boundary error in UNACEV2.DLL can be exploited to cause a stack-based
buffer overflow. This allows arbitrary code execution when a malicious ACE
archive containing a file with an overly long file name is extracted.

Time Table:
30/09/2005 - Initial vendor notification
30/09/2005 - Initial vendor reply
10/10/2005 - Vendor released fixed version
11/10/2005 - Public disclosure

ADDITIONAL INFORMATION

The information has been provided by <mailto:vuln@secunia.com> Secunia
Research.
The original article can be found at:
<http://secunia.com/secunia_research/2005-53/advisory/>
http://secunia.com/secunia_research/2005-53/advisory/

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] Realplayer/Helixplayer Format String Paper"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]