WinRAR v3.80 - ZIP Filename Spoofing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
+------------------------------------------------------------------------+
|                                 .......                                |
|                         ..xxxxxxxxxxxxxxx...                        |
|                    ..xxxxxxxxxxxxxxxxxxxxxxxxxxx..                    |
|                 ..xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.                 |
|               .xxxxxxxxxxxxxxxxxxxxxxxxxxxx........               |
|             .xxxxxxxxxxxxxxxxxxxxx......        ...  ..             |
|            .xxxxxxxxxxxxxxxxxx...         ........      ..           |
|           xxxxxxxxxxxxxxx......                          .          |
|          xxxxxxxxxxxxxx..x..                            .x.         |
|         .xxxxxxxxxxxx.....                  ...           .         |
|         xxxxxxxxx..  .                          ..        .x.        |
|         xxxxxxx.                                  ..        x.        |
|         xxxx.                ....                  x        x.        |
|         x.            ...xxxxxxx.               x       .x.        |
|         .x.         .xxxxxxxxxxxxxx.                    .         |
|          .xx.      .xxxxxxxxxxxxxxxx.           .xx.  .          |
|           .xx..    xxxxxxxxxxxxxxxx          .xxxxxxxxx.          |
|            .xx.  .xxxxxxxxxxxxxxx.      ..xxxxxxxxxxxx            |
|              .xxx.  .xxxxxxxxxxxx.    .xxxxxxxxxxxxxx.             |
|                .xxxx.xxxxxxxxx.      xxxxxxxxxxxxx.               |
|                  .xxxxxxx....          ...xxxxxxx.                  |
|                     ..xxxxx..         ..xxxxx..                     |
|                          ....xx........                          |
|                                                                        |
|                    CubilFelino Security Research Lab                   |
|                            proudly presents...                         |
+------------------------------------------------------------------------+

=======================================================
Security Advisory: WinRAR v3.80 - ZIP Filename Spoofing
=======================================================

Security Researcher Info:
=========================

Discovered by:        Christian Navarrete (chr1x) - México
Website URL:        http://chr1x.sectester.net
Contact E-mail:        chr1x@sectester.net
OpenPGP key id:     0x3765F4F8
OpenPGP fingerprint:    58AB CB8C DCF4 8B2E 40EF 11E8 4354 91DF 3765 F4F8

Vulnerability General Information:
==================================
Discovery date:        30/08/2009 (Good gift of Birthday! :)
Advisory URL:       
http://advisory.sectester.net/chr1xpwnadv-winrar-zip-filename-spoofing.pdf
Vulnerability on Video:    http://www.youtube.com/user/sectester
PoC/Exploit Availability:    http://chr1x.sectester.net/winrar380_PoC.zip
Software:         WinRAR
Version:            3.80
Security risk:        Low
Exploitable from:         Local
Vulnerability:        ZIP Filename spoofing
Release mode:         Coordinated disclosure.
Vendor:            http://www.rarlabs.com
Status:            Current version (WinRAR v3.80) not patched, next
engine version (WinRAR v.3.90) will be patched
CWE Weakness ID:    CWE-372: Incomplete Internal State Distinction (1.5)
CVE ID:            None provided
Disclosure Policy:    http://www.wiretrip.net/rfp/policy.html

Product Description:
====================
(Taken from Wikipedia)

WinRAR is a shareware file archiver and data compression utility
developed by Eugene Roshal, and first released around 1995. It is one
of the few applications that is

able to create RAR archives natively, because the encoding method is
held to be proprietary.

WinRAR supports the following features:

* Complete support for RAR and ZIP archives, and unpacking of ARJ,
LZH, TAR, GZ, ACE, UUE, BZ2, JAR, ISO, EXE, 7z, and Z archives. Future
versions of WinRAR are

planned to include 7z creation.
* The ability to create self-extracting and multi-volume (split)
archives.
* Data redundancy is provided via recovery records and recovery
volumes, allowing reconstruction of damaged archives.
* Support for advanced NTFS file system options and Unicode in file
names.
* Optional archive encryption using AES (Advanced Encryption Standard)
with a 128-bit key.

I. Vulnerability Summary:
=========================

WinRAR v3.80 is prone to a Filename Spoofing contained inside a
malformed .ZIP file.

II. Vulnerability Description:
==============================
ZIP File Spoofing can be done by to a mismatch of file name in the
file list in WinRAR GUI shell and in extracted file. A real
exploitation of this issue is in the following scenario: When a user
opens the malformed file using WinRAR v3.80 will see filename
(example: imagefile.gif) but when files are extracted, the extracted
file could be another one, not the original imagefile.gif. There are
two parts of code looking for the start of ZIP central directory. One
in extraction routine and other in file list browsing. they used
slightly different approaches, so one of the first filename record
found and another for the "hidden" file. They must be exactly the
same and both find the same file names.

ZIP format contains two copies of file name, one in local file header
and another in central directory, for redundancy purpose. If file
names mismatch, it must not be a reason to abort extraction, because
it would defeat the entire purpose of having two file name copies. It
is up to unzip implementation to choose a name, but typically, if
cant detect which of records is more valid, the central directory
record has precedence over local file header, because it contains more
information about a file.

III. Potential Attack Vector:
=============================
An attacker can use this vulnerability in order to hide malware and
perform social engineering attacks to perform a successfull Internet
user targeting attack.

IV. Risk Assessment:
====================

Likelihood of exploitation:Low
* Since the user should interact a little bit with this, obviously
attack vectors are here, but differs on the context and many things in
order to get it done.

Impact: Low
* Since if a user receive this (doesnt matter the way) when he/she
open the file can see a filename thats isnt the one that can be
extracted.

Overall risk: Low

V. Researcher & Vendor Communication for Disclosure timeline
==============================================

DD/MM/YYYY


* 30/08/2009:-->Researcher sent a vulnerability notification e-mail to
vendor to: info@win-rar.com and support@win-rar.com
* 31/08/2009:<--Response is giving by vendor to researcher which
contains special email to send vulnerability details.
* 31/08/2009:-->Researcher sent all the security testing analysis and
technical details to the vendor.
* 31/08/2009:<--Vendor will investigate further, noting that will take
some days of investigation.
* 01/09/2009:<--Vendor gives contact explaining that the fix will be
in the next release of WinRAR 3.91, maybe months or sooner,
            also, vendor ask to researcher if wants a preliminary
version of the fixed WinRAR.exe file.
* 03/09/2009<--Vendor sent partially corrected file in order to be
security tested to ensure that the fix was applies correctly.
* 04/09/2009-->Researcher notifies the vendor that some maded tests
was performed but some things should be tested again
* 05/09/2009<--Vendor & Researcher perform technical analysis and risk
assessment in order to determine the risk level for the issue, retest
is performed
* 05/09/2009-->Researcher inform vendor that the issue is now fixed
* 05/09/2009<--Vendor comment that the fix will be released with
WinRAR v3.91, also, the vulnerability title was determined.
* 05/09/2009<--Vendor ask Researcher that they wants that the
vulnerability announce would be after a month to have some time to
prepare the next release.
* 05/09/2009-->Researcher write the Security Advisory and send it to
the vendor for final review

Thanks to Eugene Roshal by his good coordination provided & a very
quick response to me.

Secure email delivery:
======================
If you need something to say and want a secure communication, please
download my Public Key from the following URL:
http://advisory.sectester.net/chr1x_publickey.asc

Shouts:
======

Conejita Hermosa (by support me in the large nights of researching
:D), Pedrito (a.k.a ril0), LogicalBeat, nitr0us, alt3kx, and special
thanks to Naibing Du & Brian S.K. by your full support and friendship
in the long of those years.

About CubilFelino Security Research Lab
==========================================
Its very peaceful (underground), but dark place in Mexico which has a
lot of desktop and laptop computers, (hardc0re) network hardware,
wire/unwired stuff, some
hijacked Internet connections, music gear and studio (midi controllers
and synthesizers), Psytrance/Drum & Bass music almost always
resounding the walls, and why not?
a very very nice aquarium with river monsters: piranhas, oscar fish &
a plecostomus. Also, its equipped with a little fridge full of
munchies, alcohol and caffeine;
with a box of cigarretes on the desktop and a lot of books that cant
imagine about (in) security, martial-arts (yeah! we love Ninjutsu
hacking) & programming, is the
best place to do R+D for the wonderful, exciting & fascinating world
of computers and security. Here, Hacking is sublime !



- --
- ---
[CubilFelino Security Research Lab - http://chr1x.sectester.net ]
"The computer security is an art form. Its the ultimate martial art."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
iQEcBAEBAgAGBQJKwY7LAAoJEENUkd83ZfT4DWkH/0WJ1vgee7nqoYV1WwSJZDfp
FEeQpYMi9CpDXr7CjkfS54xuGDCZKnnlwIOYMOe/szDjgVNItX+KWZMfetYdKmrM
8Yj638wP+GqVm/zUTx77wLHEbIGu2jI+sPuJozgc3srt9NTJibMRtER0nPgi/o1p
jMqba4gHYCel8+jlx8tt9DFP6GA9NtqsIBqZMSEj5M7hWDeDYOw8utoZHxTuCYAs
vWZk5k7pBEel/qWZ0/bxXH+N/FYXTHiVWBxDHz49DWR4nwqg17lk6B03j3uecVD+
kdACWo4LHncvrCqGw33Y+IsBcioeLPRLGONbj+EcMKQbTuj3Vf2TTYlGHSoBlEg=
=KGWw
-----END PGP SIGNATURE-----



Replies to this exploit:

From: chris.levny@gmail.com
Sent: Tue 6. Oct 2009 03:47
The POC link isn´t working anymore; chr1x.sectester.net/winrar380_PoC.zip 

Could you guys upload it again?

Thank you


From: chris.levny@gmail.com
Sent: Tue 6. Oct 2009 03:47
The POC link isn´t working anymore; chr1x.sectester.net/winrar380_PoC.zip 

Could you guys upload it again?

Thank you


From: chris.levny@gmail.com
Sent: Tue 6. Oct 2009 03:47
The POC link isn´t working anymore; chr1x.sectester.net/winrar380_PoC.zip 

Could you guys upload it again?

Thank you


From: chris.levny@gmail.com
Sent: Tue 6. Oct 2009 03:47
The POC link isn´t working anymore; chr1x.sectester.net/winrar380_PoC.zip 

Could you guys upload it again?

Thank you


From: chris.levny@gmail.com
Sent: Tue 6. Oct 2009 03:47
The POC link isn´t working anymore; chr1x.sectester.net/winrar380_PoC.zip 

Could you guys upload it again?

Thank you


From: chris.levny@gmail.com
Sent: Tue 6. Oct 2009 03:47
The POC link isn´t working anymore; chr1x.sectester.net/winrar380_PoC.zip 

Could you guys upload it again?

Thank you


From: chris.levny@gmail.com
Sent: Tue 6. Oct 2009 03:47
The POC link isn´t working anymore; chr1x.sectester.net/winrar380_PoC.zip 

Could you guys upload it again?

Thank you


From: chris.levny@gmail.com
Sent: Tue 6. Oct 2009 03:47
The POC link isn´t working anymore; chr1x.sectester.net/winrar380_PoC.zip 

Could you guys upload it again?

Thank you


From: chris.levny@gmail.com
Sent: Tue 6. Oct 2009 03:47
The POC link isn´t working anymore; chr1x.sectester.net/winrar380_PoC.zip 

Could you guys upload it again?

Thank you


From: chris.levny@gmail.com
Sent: Tue 6. Oct 2009 03:47
The POC link isn´t working anymore; chr1x.sectester.net/winrar380_PoC.zip 

Could you guys upload it again?

Thank you


From: chris.levny@gmail.com
Sent: Tue 6. Oct 2009 03:47
The POC link isn´t working anymore; chr1x.sectester.net/winrar380_PoC.zip 

Could you guys upload it again?

Thank you


From: chris.levny@gmail.com
Sent: Tue 6. Oct 2009 03:47
The POC link isn´t working anymore; chr1x.sectester.net/winrar380_PoC.zip 

Could you guys upload it again?

Thank you


From: chris.levny@gmail.com
Sent: Tue 6. Oct 2009 03:47
The POC link isn´t working anymore; chr1x.sectester.net/winrar380_PoC.zip 

Could you guys upload it again?

Thank you


From: chris.levny@gmail.com
Sent: Tue 6. Oct 2009 03:47
The POC link isn´t working anymore; chr1x.sectester.net/winrar380_PoC.zip 

Could you guys upload it again?

Thank you


From: chris.levny@gmail.com
Sent: Tue 6. Oct 2009 03:47
The POC link isn´t working anymore; chr1x.sectester.net/winrar380_PoC.zip 

Could you guys upload it again?

Thank you


From: chris.levny@gmail.com
Sent: Tue 6. Oct 2009 03:47
The POC link isn´t working anymore; chr1x.sectester.net/winrar380_PoC.zip 

Could you guys upload it again?

Thank you