WinRar 0-day exploit for versions less than 3.50

We’ve just gotten hold of an exploit for
WinRar and we’ve tested/created our own POC (based on the original
one) and yes, it works (tested on Windows XP SP2, WinRar v3.41).

How it works

The POC works by passing a long string (~530 bytes) as an
argument to WinRar.exe. WinRar crashes on this, we get our buffer
overflow, we control EIP, and so we now control the WinRar
process.

Malware effect

Joey and I had a discussion on how malware could use this. Because
the buffer is supplied as an argument, the buffer
IS the filename of the file to be opened.
  • c:test.exe [long string].rar

And the maximum number of characters in a filename is limited to
~255-260 (depending on the OS); our buffer is longer than that, so
hmmm…
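To make the overflow and the filename-length constraint from the two sections above concrete, here is an added C example (written for this post, not WinRar’s code and not the original POC). The vulnerable function shows the unbounded-copy pattern that a ~530-byte argument smashes; the checked function rejects any argument longer than the destination buffer or the Windows path limit before copying. The 256-byte buffer size is a hypothetical value for illustration (the real WinRar buffer size is not stated here); MAX_PATH is the Windows limit of 260 characters.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARG_BUF_SIZE 256   /* hypothetical fixed-size stack buffer */
#define MAX_PATH_LEN 260   /* Windows MAX_PATH: longest legal path */

/* Vulnerable pattern: the argument is copied into a fixed stack buffer
 * with no length check. A ~530-byte argument runs past the buffer and
 * over the saved return address, which is the crash described above.
 * Kept only for contrast; it must never see untrusted input. */
static void open_archive_unsafe(const char *arg)
{
    char path[ARG_BUF_SIZE];
    strcpy(path, arg);                     /* no bound: stack smash on long input */
    printf("opening %s\n", path);
}

/* Hardened form: measure the argument first, refuse anything that would
 * not fit the buffer or exceeds the OS path limit, then copy exactly len
 * bytes and terminate. Returns 0 on success, -1 when the argument is
 * rejected (out is left untouched in that case). */
int open_archive_checked(const char *arg, char *out, size_t out_size)
{
    size_t len = 0;
    /* scan at most MAX_PATH_LEN + 1 bytes so a huge argument is cheap to reject */
    while (len <= MAX_PATH_LEN && arg[len] != '\0')
        len++;
    if (len > MAX_PATH_LEN || len >= out_size)
        return -1;
    memcpy(out, arg, len);
    out[len] = '\0';
    return 0;
}

/* Constructed input: a filename of n 'A' characters plus a ".rar"
 * extension, standing in for the long string the POC passes. */
char *build_long_arg(size_t n)
{
    char *s = malloc(n + 5);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    memcpy(s + n, ".rar", 5);              /* copies the terminating NUL too */
    return s;
}

/* Runs the checked open on a constructed argument of n 'A's and reports
 * the result, so the length boundary can be probed without a real file. */
int demo_check(size_t n)
{
    char out[ARG_BUF_SIZE];
    char *arg = build_long_arg(n);
    int rc = (arg == NULL) ? -1 : open_archive_checked(arg, out, sizeof out);
    free(arg);
    return rc;
}

int main(void)
{
    open_archive_unsafe("test.rar");       /* short input only: stays in bounds */
    printf("8-char name:   %s\n", demo_check(8)   == 0 ? "accepted" : "rejected");
    printf("530-byte name: %s\n", demo_check(530) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Note that the checked version rejects at two different limits: anything over 255 bytes fails the buffer check, and anything over 260 would fail the path check even with a larger buffer, which is the same ceiling the post runs into when it tries to deliver the long name as a file.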


Any thoughts on how malware could use this as a
propagation/installation method? Meanwhile, Joey and I are doing
other tests to see if and how malware could use this as a
propagation method. And of course, we will update this entry later.
Stay tuned.


Update
After more discussions and a test, we think
that this cannot be used for eveeeel purposes. We tried creating a
test script on a webpage, wherein a link is offered for download.
Once the link is clicked, the filename that we give in the script is
the LONG string with a RAR extension. The idea is, if the user
decides to open the RAR (via the link), the exploit gets
executed.


Well, it didn’t work either. Tested on both IE and Firefox. Windows
truncates the filename to the allowable number of characters. Oh
well. This can be a nice tutorial for buffer overflow lessons
though hehehe. Anyway, if anyone has any ideas, do tell
hehehe.