RE: Winrar doesn't determine the actual size of compressed files

["Rainer Gerhards" <rgerhards () hq adiscon com>]

tested with 3.20 - can't reproduce. It says "file is corrupt", I press "close" - nothing happened....

Rainer

> -----Original Message-----
> From: Bipin Gautam [mailto:door_hUNT3R () blackcodemail com] 
> Sent: Tuesday, September 09, 2003 1:02 PM
> To: full-disclosure () lists netsys com
> Subject: [Full-disclosure] Winrar doesn't determine the 
> actual size of compressed files
>
>
> ---[ about WinRAR]---
> Winrar (http://www.rarsoft.com/) is one of the most popular 
> file compression utilities for Windows. 
>
> --[summary]---
> Winrar incorrectly determines the actual size of compressed 
> files saved in .rar format by reading it's header information. 
>
> --[details]--
> Recently we managed to devise a technique to spoof the header 
> and creating a valid CRC checksum. Later we found that Winrar 
> only depends on it's header information and CRC check sum to 
> determine the size and integrity of .rar files. Before 
> uncompressing .rar files, Winrar pre-allocates space 
> according to the actual file size specified in the header to 
> avoid fragmentation.But pre-allocation occurs without 
> checking the available hdd space. Then it goes extracting, 
> even if the hdd size is less than the size of the files.We 
> did a test by extracting 1GB files in a hdd with 700MB free space.
>
> Surprisingly, we later discover that even in detecting of 
> header corruption WinRAR doesn't enforce to avoid extraction 
> process. this lead WinRAR to believe that the actual size is 
> correct .We managed to exploit this and create a proof of 
> concept to demonstrate this problem by changing the actual 
> file size in it's header. When it starts extracting it 
> doesn't find any valid data in the archive and on the basis 
> of it's header it attempts to extract 1 gigabyte of data and 
> simply goes on writing "0x00" filling up valuable hdd space. 
>
> --[Proof of concept]-- 
> The proof of concept is a valid .rar file which is just 100 
> bytes but it's header has been forged to fool Winrar into 
> thinking that it's a 1 gigabyte file by forging it's header 
> and creating a valid CRC checksum. All versions of Winrar 
> (upto 3.20 - latest version till date) seem to be vulnerable.
>
> The proof of concept of .rar file can be obtained from the 
> following URL: http://www.geocities.com/visitbipin/test123.zip 
> If you extract the file Winrar will try to extract this 100 
> bytes .rar file trusting the information in it's header but 
> not on the basis of it's data integrity.
>
> --[Background Information]--
> This bug was originally discovered by hUNT3R, a member of 01 
> Security Sumbission. The vendor was notified via email. 
> Further discussion took place in 01 Security Sumbission's 
> forum with the developer of Winrar (Eugene Roshal) : 
> URL: http://www.ysgnet.com/phorum/read.php?f=1&i=341&t=324#reply_341 
>
> ---[about 01 security submission]---
> 01s.s is a small group having experience as security 
> specialists, programmers and system administrators
> http://www.ysgnet.com/hn.
>
>
>
>        | .oÛ_Oo.h»UNTER.oO_Ûo. |
>       §  !¹007Õ°¿ÑïÞÎß°Õæ9*½¹!  ‡
>
> _____________________________________________________________
> Secure mail ---> http://www.blackcode.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html