Rar – CmdExtract::UnstoreFile Integer Truncation Memory Corruption

Exploit Database
36 阅读

作者： Google Security Research

日期： 2015-12-10
类别：
- dos
平台：
- multiple
来源：https://www.exploit-db.com/exploits/38930/

Source: https://code.google.com/p/google-security-research/issues/detail?id=550

The attached file crashes in CmdExtract::UnstoreFile because the signed int64 DestUnpSize is truncated to an unsigned 32bit integer. Perhaps CmdExtract::ExtractCurrentFile should sanity check Arc.FileHead.UnpSize early.

I observed this crash in Avast Antivirus, but the origin of the code appears to be the unrar source distribution. I imagine many other antiviruses will be affected, and presumably WinRAR and other archivers.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38930.zip

last Exploits
Rar – CmdExtract::UnstoreFile Integer Truncation Memory Corruption的更多信息

Wireshark – erf_meta_read_tag SIGSEGV：
FileZilla 3.33 – Buffer Overflow (PoC)：
Microsoft Office 2007 – Malformed Document Stack Buffer Overflow：
Microsoft Windows – Win32k!GreStretchBltInternal() Does Not Handle src == dest：
Universal Reader 1.16.740.0 – ‘uread.exe’ Denial of Service：
Fire Web Server 0.1 – Remote Denial of Service (PoC)：
Total Video Player 1.31 – ‘.wav’ Local Crash：
Microsoft Windows Server 2003 – AD BROWSER ELECTION Remote Heap Overflow：