+------------------------------------------------------------------------+
|                   CubilFelino Security Research Lab                    |
|                          proudly presents...                           |
+------------------------------------------------------------------------+

=======================================================
Security Advisory: WinRAR v3.80 - ZIP Filename Spoofing
=======================================================

Security Researcher Info:
=========================

Discovered by:       Christian Navarrete (chr1x) - México
Website URL:         http://chr1x.sectester.net
Contact E-mail:      chr1x@sectester.net
OpenPGP key id:      0x3765F4F8
OpenPGP fingerprint: 58AB CB8C DCF4 8B2E 40EF 11E8 4354 91DF 3765 F4F8

Vulnerability General Information:
==================================

Discovery date:           30/08/2009 (Good birthday gift! :)
Advisory URL:             http://advisory.sectester.net/chr1xpwnadv-winrar-zip-filename-spoofing.pdf
Vulnerability on Video:   http://www.youtube.com/user/sectester
PoC/Exploit Availability: http://chr1x.sectester.net/winrar380_PoC.zip
Software:                 WinRAR
Version:                  3.80
Security risk:            Low
Exploitable from:         Local
Vulnerability:            ZIP Filename spoofing
Release mode:             Coordinated disclosure.
Vendor:            http://www.rarlabs.com
Status:            Current version (WinRAR v3.80) not patched; next engine version (WinRAR v3.90) will be patched
CWE Weakness ID:   CWE-372: Incomplete Internal State Distinction (1.5)
CVE ID:            None provided
Disclosure Policy: http://www.wiretrip.net/rfp/policy.html

Product Description:
====================

(Taken from Wikipedia)

WinRAR is a shareware file archiver and data compression utility developed by Eugene Roshal, and first released around 1995. It is one of the few applications that is able to create RAR archives natively, because the encoding method is held to be proprietary.

WinRAR supports the following features:

* Complete support for RAR and ZIP archives, and unpacking of ARJ, LZH, TAR, GZ, ACE, UUE, BZ2, JAR, ISO, EXE, 7z, and Z archives. Future versions of WinRAR are planned to include 7z creation.
* The ability to create self-extracting and multi-volume (split) archives.
* Data redundancy is provided via recovery records and recovery volumes, allowing reconstruction of damaged archives.
* Support for advanced NTFS file system options and Unicode in file names.
* Optional archive encryption using AES (Advanced Encryption Standard) with a 128-bit key.

I. Vulnerability Summary:
=========================

WinRAR v3.80 is prone to filename spoofing via a malformed .ZIP file.

II. Vulnerability Description:
==============================

ZIP filename spoofing is possible because of a mismatch between the file name shown in the file list of the WinRAR GUI shell and the name of the extracted file. A realistic exploitation scenario is the following: when a user opens the malformed file with WinRAR v3.80, the file list shows one filename (example: imagefile.gif), but when the files are extracted, the extracted file can be a different one, not the original imagefile.gif.

There are two parts of the code that look for the start of the ZIP central directory: one in the extraction routine and another in file list browsing.
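As an added example (not the advisory's or WinRAR's code), the following Python script builds a constructed ZIP whose two copies of a file name disagree, then checks an archive the way a consistent implementation should: each central directory entry is paired with the local file header it points to, and any name mismatch is reported. The entry names and the file content in the sample are made up.

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
CENTRAL_HDR = "<4sHHHHHHIIIHHHHHII"  # 46-byte central directory file header

def build_spoofed_zip(shown="evil_file.exe", hidden="imagefile.gif"):
    """Constructed sample with one entry: the local file header names it `hidden`,
    the central directory names it `shown`. Equal lengths keep all offsets valid."""
    assert len(shown) == len(hidden)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(hidden, b"GIF89a not really an image")  # made-up content
    data = bytearray(buf.getvalue())
    cd = data.rfind(CENTRAL_SIG)  # single entry, so the last signature is its record
    data[cd + 46:cd + 46 + len(hidden)] = shown.encode()  # name follows the 46-byte header
    return bytes(data)

def central_entries(data):
    """Walk the central directory, found via the end-of-central-directory record,
    as a file-list browser would. Returns [(name, local_header_offset)]."""
    eocd = data.rfind(EOCD_SIG)
    pos = struct.unpack_from("<I", data, eocd + 16)[0]  # offset of central directory
    entries = []
    while data.startswith(CENTRAL_SIG, pos):
        f = struct.unpack_from(CENTRAL_HDR, data, pos)
        name_len, extra_len, comment_len, local_off = f[10], f[11], f[12], f[16]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append((name, local_off))
        pos += 46 + name_len + extra_len + comment_len
    return entries

def local_name_at(data, local_off):
    """Read the name in the local file header at `local_off`, the copy an extractor
    walking local headers would use. Returns None if no header starts there."""
    if not data.startswith(LOCAL_SIG, local_off):
        return None
    name_len = struct.unpack_from("<H", data, local_off + 26)[0]
    return data[local_off + 30:local_off + 30 + name_len].decode("utf-8", "replace")

def find_name_mismatches(data):
    """Pair every central directory entry with the local header it points to and
    return [(central_name, local_name)] for entries whose two copies differ."""
    return [(cd_name, ln) for cd_name, off in central_entries(data)
            if (ln := local_name_at(data, off)) != cd_name]

if __name__ == "__main__":
    print("mismatches (central, local):", find_name_mismatches(build_spoofed_zip()))
```

CPython's own zipfile module makes the opposite choice from the one described in this advisory: ZipFile.open() compares the two names and raises BadZipFile when they differ, so this sample can be listed but not extracted with it.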
They used slightly different approaches, so one found the first filename record and the other found the "hidden" file. They must be exactly the same, and both must find the same file names.

The ZIP format contains two copies of the file name, one in the local file header and another in the central directory, for redundancy purposes. If the file names mismatch, it must not be a reason to abort extraction, because that would defeat the entire purpose of having two copies of the file name. It is up to the unzip implementation to choose a name, but typically, if it can't detect which of the records is more valid, the central directory record takes precedence over the local file header, because it contains more information about the file.

III. Potential Attack Vector:
=============================

An attacker can use this vulnerability to hide malware and perform social engineering attacks in order to carry out a successful attack targeting Internet users.

IV. Risk Assessment:
====================

Likelihood of exploitation: Low

* Since the user has to interact a little with the file, attack vectors obviously exist, but they depend on the context and on many other things in order to succeed.

Impact: Low

* If a user receives this file (no matter how), when he/she opens it the filename shown is not the one that will be extracted.

Overall risk: Low

V. Researcher & Vendor Communication for Disclosure timeline
============================================================

DD/MM/YYYY

* 30/08/2009 --> Researcher sent a vulnerability notification e-mail to the vendor at info@win-rar.com and support@win-rar.com
* 31/08/2009 <-- Vendor responds to the researcher with a dedicated e-mail address to which the vulnerability details should be sent.
* 31/08/2009 --> Researcher sent all the security testing analysis and technical details to the vendor.
* 31/08/2009 <-- Vendor will investigate further, noting that it will take some days of investigation.
* 01/09/2009 <-- Vendor explains that the fix will be in the next release, WinRAR 3.91, maybe in months or sooner; the vendor also asks the researcher whether he wants a preliminary version of the fixed WinRAR.exe file.
* 03/09/2009 <-- Vendor sent a partially corrected file to be security tested, to ensure that the fix was applied correctly.
* 04/09/2009 --> Researcher notifies the vendor that some tests were performed but some things should be tested again.
* 05/09/2009 <-- Vendor & Researcher perform technical analysis and risk assessment in order to determine the risk level for the issue; a retest is performed.
* 05/09/2009 --> Researcher informs the vendor that the issue is now fixed.
* 05/09/2009 <-- Vendor comments that the fix will be released with WinRAR v3.91; the vulnerability title was also determined.
* 05/09/2009 <-- Vendor asks the researcher to announce the vulnerability a month later, to have some time to prepare the next release.
* 05/09/2009 --> Researcher writes the Security Advisory and sends it to the vendor for final review.

Thanks to Eugene Roshal for his good coordination and very quick response.

Secure email delivery:
======================

If you have something to say and want a secure communication channel, please download my public key from the following URL:
http://advisory.sectester.net/chr1x_publickey.asc

Shouts:
=======

Conejita Hermosa (for supporting me during the long nights of research :D), Pedrito (a.k.a. ril0), LogicalBeat, nitr0us, alt3kx, and special thanks to Naibing Du & Brian S.K. for your full support and friendship over all those years.
About CubilFelino Security Research Lab
=======================================

It's a very peaceful (underground) but dark place in Mexico which has a lot of desktop and laptop computers, (hardc0re) network hardware, wired/wireless stuff, some hijacked Internet connections, music gear and studio (MIDI controllers and synthesizers), Psytrance/Drum & Bass music almost always shaking the walls, and, why not, a very very nice aquarium with river monsters: piranhas, oscar fish & a plecostomus. It's also equipped with a little fridge full of munchies, alcohol and caffeine, with a box of cigarettes on the desktop and more books than you can imagine about (in)security, martial arts (yeah! we love Ninjutsu hacking) & programming. It is the best place to do R+D in the wonderful, exciting & fascinating world of computers and security. Here, Hacking is sublime!

--
--- [CubilFelino Security Research Lab - http://chr1x.sectester.net ]

"The computer security is an art form. It's the ultimate martial art."