Date: Fri, 18 Aug 2017 12:13:23 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: ***UNCHECKED*** UnRAR: directory traversal + memory safety bugs

Hi,

I filed a generic CVE request at the Mitre CVE Webform for this E-Mail.

Ciao, Marcus
On Tue, Aug 15, 2017 at 12:39:48AM +0200, Jakub Wilk wrote:
> (I'm not sure UnRAR bugs are on-topic here. UnRAR is not free software, even
> though the source is available. But the last time UnRAR was discussed nobody
> objected, so hey, let me try too.)
> 
> I found directory traversal and a few memory safety bugs in UnRAR 5.5.6.
> These bugs have been fixed in UnRAR 5.5.7.
> 
> The memory safety bugs were found using American Fuzzy Lop.
> 
> Here are details of the bugs:
> 
> * Directory traversal
> 
> The PoC (traversal.rar) contains two symlinks and a regular file:
> 
>   cur -> .
>   cur/par -> ..
>   par/moo
> 
> This setup defeats UnRAR's directory traversal protections:
> 
>   $ ls ../moo
>   /bin/ls: cannot access '../moo': No such file or directory
> 
>   $ unrar x traversal.rar
>   ...
>   Extracting  cur                                                       OK
>   Extracting  cur/par                                                   OK
>   Extracting  par/moo                                                   OK
>   All OK
> 
>   $ ls ../moo
>   ../moo
> 
> The code that was used to generate the PoC is available here:
> https://github.com/jwilk/path-traversal-samples
> 
> 
> * Out-of-bounds read in Archive::ReadHeader15 / EncodeFileName::Decode
> 
> The Archive::ReadHeader15 method contains the following code (with boring
> parts omitted):
> 
>   size_t NameSize=Raw.Get2();
>   // ...
>   char FileName[NM*4];
>   size_t ReadNameSize=Min(NameSize,ASIZE(FileName)-1);
>   Raw.GetB((byte *)FileName,ReadNameSize);
>   FileName[ReadNameSize]=0;
> 
>   if (FileBlock)
>   {
>     if ((hd->Flags & LHD_UNICODE)!=0)
>     {
>       EncodeFileName NameCoder;
>       size_t Length=strlen(FileName);
>       Length++;
>       NameCoder.Decode(FileName,(byte *)FileName+Length,
>                        NameSize-Length,hd->FileName,
>                        ASIZE(hd->FileName));
>   // ...
> 
> If NameSize is bigger than NM*4, this can make EncodeFileName::Decode read
> past the bounds of the FileName array.
> 
> PoC: oob-archive-readheader15.rar
> 
> 
> * Out-of-bounds reads in Unpack::Unpack20
> 
> This method contains:
> 
>     int DistNumber=DecodeNumber(Inp,&BlockTables.DD);
>     unsigned int Distance=DDecode[DistNumber]+1;
> 
> The array size is 48; but for the PoC (oob-unpack-unpack20.rar), DistNumber
> is 58.
> 
> 
> * Buffer overflow in Unpack::LongLZ
> 
> This method contains:
> 
>   ChSetB[DistancePlace]=ChSetB[NewDistancePlace];
> 
> The array size is 256; but for the PoC (oob-unpack-longlz.rar),
> DistancePlace is 256.
> 
> -- 
> Jakub Wilk

-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner@...e.de>
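As an added example (not code from the post or from UnRAR), the Python below simulates extracting the three entries of traversal.rar into a temporary directory, first with the kind of name-only check that the PoC defeats and then with a check that resolves the on-disk path before each write; the entry list, the function names and the <tmp>/out layout are constructed for the illustration.

```python
import os
import tempfile

# Constructed entries mirroring the traversal.rar PoC from the post
# (two symlinks, then a regular file whose path passes through them).
POC_ENTRIES = [
    ("symlink", "cur", "."),
    ("symlink", "cur/par", ".."),
    ("file", "par/moo", b"moo\n"),
]

def lexical_ok(name):
    """String-only check: no absolute paths and no '..' components."""
    return not os.path.isabs(name) and ".." not in name.split("/")

def resolved_ok(dest_dir, name):
    """Resolve symlinks already on disk; the write location must stay under dest_dir."""
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, name))
    return target == root or target.startswith(root + os.sep)

def extract(entries, dest_dir, resolve):
    """Simulated extractor. Returns (written names, rejected names)."""
    written, rejected = [], []
    for kind, name, payload in entries:
        # The lexical check alone is what the PoC defeats: every name looks harmless,
        # but the earlier symlink entries changed what 'par/moo' refers to on disk.
        if not lexical_ok(name) or (resolve and not resolved_ok(dest_dir, name)):
            rejected.append(name)
            continue
        path = os.path.join(dest_dir, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        if kind == "symlink":
            os.symlink(payload, path)
        else:
            with open(path, "wb") as f:
                f.write(payload)
        written.append(name)
    return written, rejected

def run_poc(resolve):
    """Extract the PoC into <tmp>/out; report (did a file land at <tmp>/moo?, rejected names)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        os.mkdir(dest)
        _, rejected = extract(POC_ENTRIES, dest, resolve)
        escaped = os.path.isfile(os.path.join(tmp, "moo"))
    return escaped, rejected
```

Between resolved_ok and open there is still a window in which the path could change, so a real extractor should open the final component with O_NOFOLLOW relative to a directory descriptor (openat) or refuse to create symlinks at all.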