WinRAR - Processing Filename Incorrectly Vulnerability

2005.12.22
Credit: agoanywhere
Risk: Low
Local: Yes
Remote: No
CVE: CVE-2005-4474
CWE: CWE-Other


CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Date: Dec. 21 2005 Rating: low Affected Version: WinRAR 3.51 English Version Other versions may also be affected. Tested Entironment: Windows XP Korea Version(full patched without SP.) WinRAR 3.51 English Version A file with Chinese Filename Description: When we use "Add to archive" command in right click menu to create a compressed file ,if there are some non-default-codepage and non-ansi characters in the name of the file(s) to be compressed ,a buffer overflow fault will occured. details: [1]:%eax should be sum of filename-base and strlen ,but %eax will be incorrect in the entironment mention above .maybe it's because WinRAR can't get the right strlen [reason is not confirmed] [2]:the WideCharToMultiByte API will overwrite the pointer referenced by [1] 0048CFAE mov edx,dword ptr ds:[4a330c] 0048CFB4 mov eax, edx 0048D028 mov ecx, [eax] ; [1] 0048D08B mov [edx+ecx], ebx 004A330C 2C AF A0 00 00A0AEEC 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 00A0AEFC 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 00A0AF0C 73 74 72 61 74 6F 72 5C B9 D9 C5 C1 20 C8 AD B8 00A0AF1C E9 5C 3F E9 A9 3F 3F 3F D9 A5 3F 3F 3F 3F DB F5 00A0AF2C 2E 64 6F 63 ---------------------- 0040ACC4 mov ecx, 10000000h ; cbMultiByte 0040ACC9 mov edx, [ebp+lpMultiByteStr] ; lpMultiByteStr 0040ACCF mov eax, esi ; lpWideCharStr 0040ACD1 call sub_40F874 0040F874 push ebx 0040F875 push esi 0040F876 mov esi,ecx 0040F878 mov bl,1 0040F87A push 0 ; /pDefaultCharUsed = NULL 0040F87C push 0 ; |pDefaultChar = NULL 0040F87E push esi ; |MultiByteCount = 10000000h 0040F87F push edx ; |MultiByteStr = [2] 0040F880 push -1 ; |WideCharCount = FFFFFFFFh 0040F882 push eax ; |WideCharStr 0040F883 push 0 ; |Options = 0 0040F885 push 0 ; |CodePage = CP_ACP 0040F887 call WideCharToMultiByte ; \WideCharToMultiByte etc for this vulnerability is difficult to exploit, I post it here directly without notifying the vendor. about me: Email : agoanywhere <at> hotmail <dot> com Temporarily at CIS Lab , SJTU , Shanghai , China CIS Lab is short for Cryptography and Information Security Lab best regards


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top