
WinRAR-filename.txt

Posted Dec 28, 2005
Authored by agoanywhere

WinRAR 3.51 suffers from a buffer overflow if certain characters are present in the name of the file(s) to be compressed.

tags | advisory, overflow
SHA-256 | ddda7ec6ded5b8ebfbbff4d745a49f1164ac744b2175fa059240329761a004d4

Date: Dec. 21 2005
Rating: low

Affected Version:
WinRAR 3.51 English Version
Other versions may also be affected.

Tested Environment:
Windows XP Korea Version (fully patched, without SP)
WinRAR 3.51 English Version
A file with a Chinese filename

Description:
When the "Add to archive" command in the right-click menu is used to create a compressed file, a buffer overflow fault occurs if the name of the file(s) to be compressed contains characters that are non-ANSI and outside the default code page.

Details:

[1]: %eax should be the sum of the filename base and strlen, but %eax is incorrect in the environment mentioned above. Maybe this is because WinRAR cannot get the right strlen [reason is not confirmed].
[2]: The WideCharToMultiByte API will overwrite the pointer referenced by [1].

0048CFAE mov edx,dword ptr ds:[4a330c]
0048CFB4 mov eax, edx
0048D028 mov ecx, [eax] ; [1]
0048D08B mov [edx+ecx], ebx

004A330C 2C AF A0 00

00A0AEEC 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64
00A0AEFC 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69
00A0AF0C 73 74 72 61 74 6F 72 5C B9 D9 C5 C1 20 C8 AD B8
00A0AF1C E9 5C 3F E9 A9 3F 3F 3F D9 A5 3F 3F 3F 3F DB F5
00A0AF2C 2E 64 6F 63

----------------------

0040ACC4 mov ecx, 10000000h ; cbMultiByte
0040ACC9 mov edx, [ebp+lpMultiByteStr] ; lpMultiByteStr
0040ACCF mov eax, esi ; lpWideCharStr
0040ACD1 call sub_40F874

0040F874 push ebx
0040F875 push esi
0040F876 mov esi,ecx
0040F878 mov bl,1
0040F87A push 0 ; /pDefaultCharUsed = NULL
0040F87C push 0 ; |pDefaultChar = NULL
0040F87E push esi ; |MultiByteCount = 10000000h
0040F87F push edx ; |MultiByteStr = [2]
0040F880 push -1 ; |WideCharCount = FFFFFFFFh
0040F882 push eax ; |WideCharStr
0040F883 push 0 ; |Options = 0
0040F885 push 0 ; |CodePage = CP_ACP
0040F887 call WideCharToMultiByte ; \WideCharToMultiByte

etc
Because this vulnerability is difficult to exploit, I am posting it here directly without notifying the vendor.

About me:
Email: agoanywhere <at> hotmail <dot> com
Temporarily at CIS Lab, SJTU, Shanghai, China
CIS Lab is short for Cryptography and Information Security Lab


best regards
c.y. wang
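
The details above show WideCharToMultiByte being called with cbMultiByte = 10000000h instead of the real size of the destination buffer. The following C code is an added example, not code from the advisory or from WinRAR: it shows the size-query-then-convert pattern with an honest capacity. The helper names (wide_to_mb, convert_name), the UTF-8 output encoding and the sample file name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a file name with two CJK characters plus ".doc". */
static const uint32_t SAMPLE_NAME[] = {0x4E2D, 0x6587, '.', 'd', 'o', 'c', 0};

/* Hypothetical stand-in for WideCharToMultiByte. Assumption: UTF-8 output
 * (the advisory's call used CP_ACP). cap == 0 is a size query. Returns the
 * byte count including the NUL, or 0 if dst is too small; never overruns. */
static size_t wide_to_mb(const uint32_t *src, unsigned char *dst, size_t cap)
{
    size_t n = 0;
    for (;; src++) {
        uint32_t c = *src;
        unsigned char b[4];
        size_t len, i;
        if (c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF))
            c = '?';                      /* unrepresentable: default char */
        if (c < 0x80)         { b[0] = (unsigned char)c; len = 1; }
        else if (c < 0x800)   { b[0] = (unsigned char)(0xC0 | (c >> 6)); len = 2; }
        else if (c < 0x10000) { b[0] = (unsigned char)(0xE0 | (c >> 12)); len = 3; }
        else                  { b[0] = (unsigned char)(0xF0 | (c >> 18)); len = 4; }
        for (i = 1; i < len; i++)         /* continuation bytes */
            b[i] = (unsigned char)(0x80 | ((c >> (6 * (len - 1 - i))) & 0x3F));
        if (cap != 0) {
            if (len > cap - n)
                return 0;                 /* would overrun the destination */
            for (i = 0; i < len; i++)
                dst[n + i] = b[i];
        }
        n += len;
        if (c == 0)
            return n;
    }
}

/* Caller pattern: query the size, compare with the real capacity, convert. */
static int convert_name(const uint32_t *name, unsigned char *dst, size_t dst_size)
{
    size_t need = wide_to_mb(name, NULL, 0);
    if (need > dst_size)
        return -1;                        /* reject instead of overflowing */
    return wide_to_mb(name, dst, dst_size) == need ? 0 : -1;
}

int main(void)
{
    unsigned char by_chars[7], by_bytes[11];
    printf("sized by characters: %d\n", convert_name(SAMPLE_NAME, by_chars, sizeof by_chars));
    printf("sized by bytes: %d\n", convert_name(SAMPLE_NAME, by_bytes, sizeof by_bytes));
    return 0;
}
```

On Windows the same pattern is a first call to WideCharToMultiByte with cbMultiByte set to 0 to obtain the required size, followed by a second call that passes the actual size of the destination buffer.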