-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ASCII art banner]
CubilFelino Security Research Lab
proudly presents...
=======================================================
Security Advisory: WinRAR v3.80 - ZIP Filename Spoofing
Security Researcher Info:
Discovered by: Christian Navarrete (chr1x) - México
Website URL:
Contact E-mail: chr1x_at_sectester.net
OpenPGP key id: 0x3765F4F8
OpenPGP fingerprint: 58AB CB8C DCF4 8B2E 40EF 11E8 4354 91DF 3765 F4F8
Vulnerability General Information:
Discovery date: 30/08/2009 (Good gift of Birthday! :)
Advisory URL:
Vulnerability on Video:
PoC/Exploit Availability:
Software: WinRAR
Version: 3.80
Security risk: Low
Exploitable from: Local
Vulnerability: ZIP Filename spoofing
Release mode: Coordinated disclosure.
Vendor:
Status: Current version (WinRAR v3.80) not patched, next engine version (WinRAR v3.90) will be patched
CWE Weakness ID: CWE-372: Incomplete Internal State Distinction (1.5)
CVE ID: None provided
Disclosure Policy:
Product Description:
WinRAR is a shareware file archiver and data compression utility developed by Eugene Roshal, and first released around 1995. It is one of the few applications that is able to create RAR archives natively, because the encoding method is held to be proprietary.
WinRAR supports the following features:
planned to include 7z creation.
* The ability to create self-extracting and multi-volume (split) archives.
* Data redundancy is provided via recovery records and recovery volumes, allowing reconstruction of damaged archives.
* Support for advanced NTFS file system options and Unicode in file names.
* Optional archive encryption using AES (Advanced Encryption Standard) with a 128-bit key.

I. Vulnerability Summary:
WinRAR v3.80 is prone to filename spoofing by means of a malformed .ZIP file.
II. Vulnerability Description:
The ZIP format contains two copies of each file name, one in the local file header and another in the central directory, for redundancy purposes. If the file names mismatch, that must not be a reason to abort extraction, because it would defeat the entire purpose of having two copies of the file name. It is up to the unzip implementation to choose a name, but typically, if it can't detect which of the records is more valid, the central directory record takes precedence over the local file header, because it contains more information about the file.
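As an added example (not code from the advisory or from WinRAR), the following Python check reads both copies of every entry name, the central directory copy and the local file header copy, and reports any disagreement, which is the condition the spoofing relies on. build_sample is a constructed fixture that produces such an archive so the check can be exercised offline.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"  # local file header signature
UTF8_FLAG = 0x800  # general-purpose bit 11: entry names are UTF-8


def filename_mismatches(data: bytes) -> list:
    """Return (central_name, local_name) pairs whose two copies disagree.

    zipfile takes entry names from the central directory; each ZipInfo also
    records header_offset, where that entry's local file header starts. The
    local header is 30 fixed bytes (name length at offset 26) followed by
    the name, so the local copy is read from there and compared.
    """
    mismatches = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            if data[off:off + 4] != LOCAL_SIG:
                raise ValueError("no local file header at offset %d" % off)
            name_len = struct.unpack_from("<H", data, off + 26)[0]
            enc = "utf-8" if info.flag_bits & UTF8_FLAG else "cp437"
            local_name = data[off + 30:off + 30 + name_len].decode(enc)
            if local_name != info.filename:
                mismatches.append((info.filename, local_name))
    return mismatches


def build_sample(central_name: str, local_name: str) -> bytes:
    """Constructed test fixture (not from the advisory): a one-entry STORED
    ZIP whose central directory carries central_name while the local header
    carries local_name. Equal name lengths keep every other offset valid."""
    if len(central_name) != len(local_name):
        raise ValueError("names must have the same length")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(central_name, b"constructed sample content")
    data = buf.getvalue()
    # The only entry's local header starts at offset 0; overwrite its name.
    name_len = struct.unpack_from("<H", data, 26)[0]
    return data[:30] + local_name.encode("cp437") + data[30 + name_len:]


if __name__ == "__main__":
    for central, local in filename_mismatches(build_sample("notes-a.txt", "notes-b.txt")):
        print("central directory says %r, local header says %r" % (central, local))
```

CPython's zipfile takes the opposite policy from the one described above: ZipFile.open() raises BadZipFile when the two copies differ, so a check like this is mainly useful for inspecting an archive before handing it to a tool that silently picks one copy.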
III. Potential Attack Vector:
IV. Risk Assessment:
Likelihood of exploitation: Low
* Since the user has to interact with the file, attack vectors certainly exist, but they depend on the context and on many other factors in order to succeed.
Impact: Low
* If a user receives such a file (by whatever means) and opens it, he/she sees a filename that is not the one that will actually be extracted.
Overall risk: Low
V. Researcher & Vendor Communication for Disclosure timeline
Reposted from: http://egmmb.baihongyu.com/